[lxc-devel] [lxc/master] network: fix LXC_NET_NONE cleanup

2020-12-02 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/3589

This e-mail was sent by the LXC bot, direct replies will not reach the author
unless they happen to be subscribed to this list.

=== Description (from pull-request) ===
We have a case where we have a nested container with LXC_NET_NONE run
inside a container that's *also* got no network namespace (run by
lxc-usernsexec).

The "am I root" check in this function then does not suffice, since the
euid of the task is 0 but it does not have privilege over its network
namespace, and thus cannot do any of the restore operations:

lxc foo 20201201232059.271 TRACEnetwork - network.c:lxc_restore_phys_nics_to_netns:3299 - Moving physical network devices back to parent network namespace
lxc foo 20201201232059.271 ERRORnetwork - network.c:lxc_restore_phys_nics_to_netns:3307 - Operation not permitted - Failed to enter network namespace
lxc foo 20201201232059.271 ERRORstart - start.c:__lxc_start:2045 - Failed to move physical network devices back to parent network namespace

Let's check that we indeed did clone the network namespace, and thus have
things to restore to their correct namespace before attempting to actually
restore them.

I suspect it's possible we can also get rid of some of the network namespace
preservation stuff in start.c in the LXC_NET_NONE case.

Signed-off-by: Tycho Andersen 
From 04213960f7b7041f2d6b8d2868e4b7fa18eec59b Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Wed, 2 Dec 2020 06:26:18 -0800
Subject: [PATCH] network: fix LXC_NET_NONE cleanup

We have a case where we have a nested container with LXC_NET_NONE run
inside a container that's *also* got no network namespace (run by
lxc-usernsexec).

The "am I root" check in this function then does not suffice, since the
euid of the task is 0 but it does not have privilege over its network
namespace, and thus cannot do any of the restore operations:

lxc foo 20201201232059.271 TRACEnetwork - network.c:lxc_restore_phys_nics_to_netns:3299 - Moving physical network devices back to parent network namespace
lxc foo 20201201232059.271 ERRORnetwork - network.c:lxc_restore_phys_nics_to_netns:3307 - Operation not permitted - Failed to enter network namespace
lxc foo 20201201232059.271 ERRORstart - start.c:__lxc_start:2045 - Failed to move physical network devices back to parent network namespace

Let's check that we indeed did clone the network namespace, and thus have
things to restore to their correct namespace before attempting to actually
restore them.

I suspect it's possible we can also get rid of some of the network namespace
preservation stuff in start.c in the LXC_NET_NONE case.

Signed-off-by: Tycho Andersen 
---
 src/lxc/network.c | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/src/lxc/network.c b/src/lxc/network.c
index bfffb2256b..fdb9aa09cc 100644
--- a/src/lxc/network.c
+++ b/src/lxc/network.c
@@ -3605,6 +3605,13 @@ int lxc_restore_phys_nics_to_netns(struct lxc_handler 
*handler)
char ifname[IFNAMSIZ];
struct lxc_list *iterator;
 
+   /*
+* If we weren't asked to clone a new network namespace, there's
+* nothing to restore.
+*/
+   if (!(handler->ns_clone_flags & CLONE_NEWNET))
+   return 0;
+
/* We need CAP_NET_ADMIN in the parent namespace in order to setns() to
 * the parent network namespace. We won't have this capability if we are
 * unprivileged.
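Review bot: the new early return keys on `handler->ns_clone_flags & CLONE_NEWNET`, but a container configured to share an existing network namespace (`lxc.namespace.share.net`) also has no CLONE_NEWNET bit set, so please confirm that no physical NIC can ever have been moved into a shared namespace; if it can, the restore is now skipped for that case as well. It would also help to say in the comment that this check must sit before the euid test below: the log in the commit message shows euid 0 without privilege over the namespace, which is exactly the situation the euid test cannot catch.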
___
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel


[lxc-devel] [lxc/master] conf: fix read-only bind mounts

2020-03-24 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/3323


=== Description (from pull-request) ===
Here we would always set MS_RDONLY in required_flags if it was set in
mountflags, so the expression:

!(required_flags & ~mountflags)

would always be true, and we would always skip the remount.

Instead, let's treat readonly as special: always do the remount if
MS_RDONLY is present. Unfortunately it doesn't seem to show up in
sb.f_flag, so we can't use the same path as everything else.

This only inadvertently worked before because of a bug fixed in
f75917858023 ("conf: don't accidently double-mount").

Signed-off-by: Tycho Andersen 
From 94bef7e4b4ee4b8b05bc4ba52b536fdc8d099c2c Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Tue, 24 Mar 2020 10:16:50 -0600
Subject: [PATCH] conf: fix read-only bind mounts

Here we would always set MS_RDONLY in required_flags if it was set in
mountflags, so the expression:

!(required_flags & ~mountflags)

would always be true, and we would always skip the remount.

Instead, let's treat readonly as special: always do the remount if
MS_RDONLY is present. Unfortunately it doesn't seem to show up in
sb.f_flag, so we can't use the same path as everything else.

This only inadvertently worked before because of a bug fixed in
f75917858023 ("conf: don't accidently double-mount").

Signed-off-by: Tycho Andersen 
---
 src/lxc/conf.c | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 2de772511e..0c36737c61 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -1847,15 +1847,14 @@ static int mount_entry(const char *fsname, const char 
*target,
}
 
if ((mountflags & MS_REMOUNT) || (mountflags & MS_BIND)) {
-   unsigned long required_flags = 0;
 
DEBUG("Remounting \"%s\" on \"%s\" to respect bind or remount 
options",
  srcpath ? srcpath : "(none)", target ? target : "(none)");
 
-   if (mountflags & MS_RDONLY)
-   required_flags |= MS_RDONLY;
 #ifdef HAVE_STATVFS
if (srcpath && statvfs(srcpath, ) == 0) {
+   unsigned long required_flags = 0;
+
if (sb.f_flag & MS_NOSUID)
required_flags |= MS_NOSUID;
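Review bot: removing `unsigned long required_flags = 0;` from the top of the `if ((mountflags & MS_REMOUNT) || (mountflags & MS_BIND))` block leaves a stray blank line as the block's first line; drop it. Narrowing `required_flags` into the `statvfs()` branch is fine since the only reader is inside that branch, but with the `MS_RDONLY` seeding gone, readonly-ness is now handled solely by the skip condition further down, which deserves a one-line comment here so nobody reintroduces the seeding.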
 
@@ -1875,7 +1874,8 @@ static int mount_entry(const char *fsname, const char 
*target,
 * does not have any flags which are not already in
 * mountflags, then skip the remount.
 */
-   if (!(mountflags & MS_REMOUNT) && !(required_flags & 
~mountflags)) {
+   if (!(mountflags & MS_REMOUNT) &&
+   (!(required_flags & ~mountflags) && !(mountflags & 
MS_RDONLY))) {
DEBUG("Mountflags already were %lu, skipping 
remount", mountflags);
goto skipremount;
}
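Review bot: the comment immediately above the condition ("does not have any flags which are not already in mountflags, then skip the remount") is now out of date, because the added `!(mountflags & MS_RDONLY)` term means a read-only request always remounts; extend the comment with the reason given in the commit message (MS_RDONLY is not reported in `sb.f_flag`, so it cannot be folded into `required_flags`). The inner parentheses around the two `!(...)` terms are redundant and can be dropped.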


[lxc-devel] [lxc/master] lxclock: fix a small memory leak

2020-02-10 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/3264


=== Description (from pull-request) ===
if (!name), we allocate an unnamed semaphore, but if we then fail to
allocate/create the lock, we don't free this semaphore, and we just leak
it.

Signed-off-by: Tycho Andersen 
From b8a6a00cc385fc0c6f36c6497f03a3fd40059706 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Mon, 10 Feb 2020 08:14:33 -0700
Subject: [PATCH] lxclock: fix a small memory leak

if (!name), we allocate an unnamed semaphore, but if we then fail to
allocate/create the lock, we don't free this semaphore, and we just leak
it.

Signed-off-by: Tycho Andersen 
---
 src/lxc/lxclock.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/lxc/lxclock.c b/src/lxc/lxclock.c
index a77951a5b4..318e5bf5a3 100644
--- a/src/lxc/lxclock.c
+++ b/src/lxc/lxclock.c
@@ -169,6 +169,8 @@ struct lxc_lock *lxc_newlock(const char *lxcpath, const 
char *name)
l->type = LXC_LOCK_FLOCK;
l->u.f.fname = lxclock_name(lxcpath, name);
if (!l->u.f.fname) {
+   if (!name)
+   free(l->u.sem);
free(l);
l = NULL;
goto on_error;
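Review bot: the new `if (!name) free(l->u.sem);` sits on the FLOCK path, two lines after `l->u.f.fname = lxclock_name(lxcpath, name)`; if `l->u` is a union of `sem` and `f` (as the naming suggests), the semaphore pointer and the flock fields alias, and in any case the unnamed-semaphore branch that allocated `l->u.sem` must fall through to this point for the free to be reachable at all. Please confirm that branch does not return early; if it does, this check is dead code and the release belongs in that branch's own failure path (with `sem_destroy()` before `free()` once the semaphore has been initialised).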


[lxc-devel] [crio-lxc/master] Some fixups

2020-01-21 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/crio-lxc/pull/18


=== Description (from pull-request) ===

From dfe43bfd11d76bce4ae95369234b8d909e9eb4e6 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Tue, 21 Jan 2020 19:12:24 -0700
Subject: [PATCH 1/5] tests: s/plugin_dir/plugin_dirs

edb959068e324a8dcde6b8b47ce1582b8434ac3d changes the type of plugin_dir to
a string, and adds plugin_dirs. Although it claims to maintain backwards
compatibility, we get this error with our old config:

unable to decode configuration /home/tycho/packages/crio-lxc/crio-lxc-test.8zl3anTi/crio.conf: toml: cannot load TOML value of type string into a Go slice

Signed-off-by: Tycho Andersen 
---
 test/crio.conf.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/crio.conf.in b/test/crio.conf.in
index 26c6963..69fd1a8 100644
--- a/test/crio.conf.in
+++ b/test/crio.conf.in
@@ -267,6 +267,6 @@ registries = [
 network_dir = "CRIOLXC_TEST_DIR/cni/net.d"
 
 # Paths to directories where CNI plugin binaries are located.
-plugin_dir = [
+plugin_dirs = [
"CRIOLXC_TEST_DIR/cni-plugins/bin",
 ]

From 7468640d553020e5138ab455c86e8c36dad00468 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Tue, 21 Jan 2020 19:15:05 -0700
Subject: [PATCH 2/5] go.mod: add a go 1.13 directive

This is stupid, but go 1.13 adds it automatically if it's not present, so
let's do this to avoid everyone's tree being dirty when they do a build.

Signed-off-by: Tycho Andersen 
---
 go.mod | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/go.mod b/go.mod
index d1bda7c..7f80ccc 100644
--- a/go.mod
+++ b/go.mod
@@ -21,3 +21,5 @@ require (
 replace github.com/vbatts/go-mtree v0.4.4 => github.com/vbatts/go-mtree 
v0.4.5-0.20190122034725-8b6de6073c1a
 
 replace github.com/openSUSE/umoci v0.4.4 => github.com/tych0/umoci 
v0.1.1-0.20190402232331-556620754fb1
+
+go 1.13

From efd21abec0b566030156b4bfe8c0be4d621d1178 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Tue, 21 Jan 2020 19:17:33 -0700
Subject: [PATCH 3/5] readme: make it clear you can put crictl somewhere else

At least make the copy-pastable example /usr/local

Signed-off-by: Tycho Andersen 
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 5d01c66..fbce9fd 100644
--- a/README.md
+++ b/README.md
@@ -38,12 +38,12 @@ cd cni-plugins
 ```
 
 You'll also need crictl.  Download the tarball, extract it, and
-copy crictl to /usr/bin:
+copy crictl to somewhere in your path:
 
 ```
 wget 
https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.14.0/crictl-v1.14.0-linux-amd64.tar.gz
 tar zxf crictl-v1.14.0-linux-amd64.tar.gz
-sudo cp crictl /usr/bin
+sudo cp crictl /usr/local/bin # or ~/.local/bin, etc.
 ```
 
 You'll also need conntrack installed:
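Review bot: "somewhere in your path" should read `$PATH`, and since the example installs a downloaded binary into a system directory with `sudo`, it is worth adding a checksum (or signature) verification step between the `wget` and the `cp`; the URL is pinned to v1.14.0 but nothing checks what was actually downloaded before it lands in `/usr/local/bin`.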

From a7ac544981e5c16bc8460de536d881c582b6570e Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Tue, 21 Jan 2020 19:25:58 -0700
Subject: [PATCH 4/5] test: switch CRIO_REPO to PACKAGES_DIR

conmon is now shipped in a separate package, so we need to build that too.

Signed-off-by: Tycho Andersen 
---
 Makefile  | 4 ++--
 test/crio.conf.in | 2 +-
 test/helpers.bash | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/Makefile b/Makefile
index 86a92d7..e92cbd1 100644
--- a/Makefile
+++ b/Makefile
@@ -2,7 +2,7 @@ GO_SRC=$(shell find . -name \*.go)
 COMMIT_HASH=$(shell git rev-parse HEAD)
 COMMIT=$(if $(shell git status --porcelain 
--untracked-files=no),$(COMMIT_HASH)-dirty,$(COMMIT_HASH))
 TEST?=$(patsubst test/%.bats,%,$(wildcard test/*.bats))
-CRIO_REPO?=~/packages/cri-o
+PACKAGES_DIR?=~/packages
 
 crio-lxc: $(GO_SRC)
go build -ldflags "-X main.version=$(COMMIT)" -o crio-lxc ./cmd
@@ -12,7 +12,7 @@ crio-lxc: $(GO_SRC)
 check: crio-lxc
go fmt ./... && ([ -z $(TRAVIS) ] || git diff --quiet)
go test ./...
-   CRIO_REPO=$(CRIO_REPO) sudo -E "PATH=$$PATH" bats -t $(patsubst 
%,test/%.bats,$(TEST))
+   PACKAGES_DIR=$(PACKAGES_DIR) sudo -E "PATH=$$PATH" bats -t $(patsubst 
%,test/%.bats,$(TEST))
 
 .PHONY: vendorup
 vendorup:
diff --git a/test/crio.conf.in b/test/crio.conf.in
index 69fd1a8..e57e7e7 100644
--- a/test/crio.conf.in
+++ b/test/crio.conf.in
@@ -87,7 +87,7 @@ default_runtime = "runc"
 no_pivot = false
 
 # Path to the conmon binary, used for monitoring the OCI runtime.
-conmon = "CRIO_REPO/bin/conmon"
+conmon = "PACKAGES_DIR/conmon/bin/conmon"
 
 # Environment variable list for the conmon process, used for passing necessary
 # environment variables to conmon or the runtime.
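Review bot: the new path `PACKAGES_DIR/conmon/bin/conmon` encodes a particular checkout layout (a `conmon` directory beside `cri-o` under `PACKAGES_DIR`) that the commit message alludes to but nothing in the tree documents; add a line to the README or to `test/helpers.bash` stating that conmon must be built in `$PACKAGES_DIR/conmon` for `make check` to work, otherwise the failure mode is an opaque conmon-not-found error from cri-o.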
diff --git a/test/helpers.bash b/test/helpers.bash
index 1741ea1..a6e2cf7 100644
--- a/test/helpers.bash
+++ b/test/helpers.bash
@@ -12,7 +12,7 @@ function setup_crio {
 sed \
 -e "s,CRIOLXC_TEST_DIR,$TEMP_DIR,g" \

[lxc-devel] [lxc/master] pidfds: don't print a scary warning on ENOSYS

2019-07-23 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/3103


=== Description (from pull-request) ===
Most kernels don't have this functionality yet, and so the warning is
printed a lot. Our people are scared of warnings, so let's make it INFO
instead in this case.

Signed-off-by: Tycho Andersen 
From 9c579205669cce54944e2c4f115e69ef18475bbe Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Tue, 23 Jul 2019 09:40:14 -0600
Subject: [PATCH] pidfds: don't print a scary warning on ENOSYS

Most kernels don't have this functionality yet, and so the warning is
printed a lot. Our people are scared of warnings, so let's make it INFO
instead in this case.

Signed-off-by: Tycho Andersen 
---
 src/lxc/start.c | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/lxc/start.c b/src/lxc/start.c
index e3f32f4cb8..e6544ea19c 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -1641,7 +1641,10 @@ static int proc_pidfd_open(pid_t pid)
 
/* Test whether we can send signals. */
if (lxc_raw_pidfd_send_signal(proc_pidfd, 0, NULL, 0)) {
-   SYSERROR("Failed to send signal through pidfd");
+   if (errno != ENOSYS)
+   SYSERROR("Failed to send signal through pidfd");
+   else
+   INFO("Sending signals through pidfds not supported on 
this kernel");
return -1;
}
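Review bot: reading errno right after `lxc_raw_pidfd_send_signal()` fails is fine as written, but the function still returns -1 in both branches, so a caller that wants to fall back to plain pids only when the kernel lacks the syscall cannot tell the two cases apart; either return a distinct value for ENOSYS or make sure errno survives the `INFO()` call (a log macro that calls strerror or writes to a file can clobber it). Worth stating in the message too: a seccomp policy that answers pidfd_send_signal with ENOSYS will take the INFO path and quietly lose the pidfd, which is the intended behaviour but will surprise anyone debugging it.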
 


[lxc-devel] [lxc/master] lxc_clone: add a comment about stack size

2019-05-29 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/3018


=== Description (from pull-request) ===
Signed-off-by: Tycho Andersen 
From edb808d1301c81d6b0a2747dffa6a7019ff20de8 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Wed, 29 May 2019 09:36:51 -0600
Subject: [PATCH] lxc_clone: add a comment about stack size

Signed-off-by: Tycho Andersen 
---
 src/lxc/namespace.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/src/lxc/namespace.c b/src/lxc/namespace.c
index 4ede96f2fa..be47b229ec 100644
--- a/src/lxc/namespace.c
+++ b/src/lxc/namespace.c
@@ -42,6 +42,10 @@
 
 lxc_log_define(namespace, lxc);
 
+/*
+ * Let's use the "standard stack limit" (i.e. glibc thread size default) for
+ * stack sizes: 8MB.
+ */
 #define __LXC_STACK_SIZE (8 * 1024 * 1024)
 pid_t lxc_clone(int (*fn)(void *), void *arg, int flags, int *pidfd)
 {
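Review bot: the comment's claim that 8MB is the "glibc thread size default" is only approximately right: glibc derives the default pthread stack size from the soft RLIMIT_STACK at process start (8 MiB on most distributions) and falls back to an architecture default when that limit is unlimited, so "the usual 8 MiB RLIMIT_STACK default" would be more accurate. It is also worth noting next to the define that every `lxc_clone()` now reserves 8 MiB of address space for the child stack (virtual, so cheap, but visible in address-space accounting).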


[lxc-devel] [lxc/master] Pass zero to clone

2019-05-09 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/2987


=== Description (from pull-request) ===
Here's some things I was thinking about on a plane while working on something else :)
From ae15df583f47177215b03005d62c85e7732ac9bd Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Thu, 9 May 2019 13:52:30 -0400
Subject: [PATCH 1/3] lxc_clone: pass 0 as stack and have the kernel allocate
 it

The kernel allows us to pass a NULL stack and have it allocate one, so
let's just do that instead of doing it manually, since there are two
problems with this code:

1. The math is wrong. We allocate a char *foo[__LXC_STACK_SIZE]; which
   means it's really sizeof(char *) * __LXC_STACK_SIZE, instead of just
   __LXC_STACK_SIZE.

2. We can't actually allocate it on our stack. When we use CLONE_VM (which
   we do in the shared ns case) that means that the new thread is just
   running one page lower on the stack, but anything that allocates a page
   on the stack may clobber data. This is a pretty short race window since
   we just do the shared ns stuff and then do a clone without CLONE_VM.

However, it does point out an interesting possible privilege escalation if
things aren't configured correctly: do_share_ns() sets up namespaces while
it shares the address space of the task that spawned it; once it enters the
pid ns of the thing it's sharing with, the thing it's sharing with can
ptrace it and write stuff into the host's address space. Since the function
that does the clone() is lxc_spawn(), it has a struct cgroup_ops* on the
stack, which itself has function pointers called later in the function, so
it's possible to allocate shellcode in the address space of the host and
run it fairly easily.

ASLR doesn't mitigate this since we know exactly the stack offsets; however
this patch has the kernel allocate a new stack, which will help. Of course,
the attacker could just check /proc/pid/maps to find the location of the
stack, but they'd still have to guess where to write stuff in.

The thing that does prevent this is the default configuration of apparmor.
Since the apparmor profile is set in the second clone, and apparmor
prevents ptracing things under a different profile, attackers confined by
apparmor can't do this. However, if users are using a custom configuration
with shared namespaces, care must be taken to avoid this race.

Shared namespaces aren't widely used now, so perhaps this isn't a problem,
but with the advent of crio-lxc for k8s, this functionality will be used
more.

Signed-off-by: Tycho Andersen 
---
 src/lxc/namespace.c | 8 ++--
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/src/lxc/namespace.c b/src/lxc/namespace.c
index e22d9a4bf0..04b7dd3d2d 100644
--- a/src/lxc/namespace.c
+++ b/src/lxc/namespace.c
@@ -53,22 +53,18 @@ static int do_clone(void *arg)
return clone_arg->fn(clone_arg->arg);
 }
 
-#define __LXC_STACK_SIZE 4096
 pid_t lxc_clone(int (*fn)(void *), void *arg, int flags)
 {
-   size_t stack_size;
pid_t ret;
struct clone_arg clone_arg = {
.fn = fn,
.arg = arg,
};
-   char *stack[__LXC_STACK_SIZE] = {0};
-   stack_size = __LXC_STACK_SIZE;
 
 #ifdef __ia64__
-   ret = __clone2(do_clone, stack, stack_size, flags | SIGCHLD, 
_arg);
+   ret = __clone2(do_clone, NULL, 0, flags | SIGCHLD, _arg);
 #else
-   ret = clone(do_clone, stack + stack_size, flags | SIGCHLD, _arg);
+   ret = clone(do_clone, 0, flags | SIGCHLD, _arg);
 #endif
if (ret < 0)
SYSERROR("Failed to clone (%#x)", flags);
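Review bot: passing a NULL/0 stack to `clone()` does not make the kernel allocate one. The glibc `clone()` wrapper rejects a NULL `child_stack` with EINVAL before issuing the syscall (it needs the stack to push `fn` and `arg` for the child to run), and at the raw syscall level a zero `newsp` just makes the child start with the parent's stack pointer, which is only safe without CLONE_VM. On the shared-namespace path described in the commit message (which uses CLONE_VM) that would put both tasks on the very same stack, i.e. the race this series is trying to narrow. Suggest allocating the child stack with `mmap(MAP_PRIVATE | MAP_ANONYMOUS | MAP_STACK)` plus a PROT_NONE guard page and passing its top; that also fixes point 1 (the `char *stack[__LXC_STACK_SIZE]` sizing) without relying on kernel allocation. The `__clone2(do_clone, NULL, 0, ...)` branch for ia64 has the same problem.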

From b827d5ed02ce861f52f5703cadc6fbf50129f041 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Thu, 9 May 2019 14:13:40 -0400
Subject: [PATCH 2/3] doc: add a little note about shared ns + LSMs

We should add a little note about the race in the previous patch.

Signed-off-by: Tycho Andersen 
---
 doc/lxc.container.conf.sgml.in | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
index ee78e49a3d..8247e03487 100644
--- a/doc/lxc.container.conf.sgml.in
+++ b/doc/lxc.container.conf.sgml.in
@@ -1657,6 +1657,12 @@ dev/null proc/kcore none bind,relative 0 0
 process wants to inherit the other's network namespace it usually
 needs to inherit the user namespace as well.
 
+
+
+Note that without careful additional configuration of an LSM,
+sharing user+pid namespaces with a task may allow that task to
+escalate privileges to that of the task calling liblxc.
+
   
 
   
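Review bot: the added note says sharing user+pid namespaces "may allow" privilege escalation but neither says how nor what mitigates it; a reader configuring `lxc.namespace.share.*` needs to know that the risk is ptrace from the shared pid namespace while the clone helper still shares the caller's address space, and that the default AppArmor profile prevents it (as the commit message for the previous patch explains), so that anyone setting `lxc.apparmor.profile = unconfined` or running on a host without an LSM understands they are giving up that protection.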

From 0f407cd4367e220bf89c41c18c6995fe13ed50bf Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Thu, 9 May 2019 14:18:10 -0400
Subject: [PATCH 3/3] 

[lxc-devel] [lxc/master] lxc-start: remove bad doc

2019-04-23 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/2946


=== Description (from pull-request) ===
We don't in fact exit(1) if this is not specified, and it wouldn't make
sense to, since most people probably don't specify this.

Signed-off-by: Tycho Andersen 
From bd65f5ce50d40f3cfece6ed3eaf2c471448281ae Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Tue, 23 Apr 2019 08:48:29 -0600
Subject: [PATCH] lxc-start: remove bad doc

We don't in fact exit(1) if this is not specified, and it wouldn't make
sense to, since most people probably don't specify this.

Signed-off-by: Tycho Andersen 
---
 src/lxc/tools/lxc_start.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/lxc/tools/lxc_start.c b/src/lxc/tools/lxc_start.c
index 4553cb5ca3..ee716f1f3f 100644
--- a/src/lxc/tools/lxc_start.c
+++ b/src/lxc/tools/lxc_start.c
@@ -88,7 +88,6 @@ Options :\n\
   -c, --console=FILE Use specified FILE for the container console\n\
   -L, --console-log=FILE Log container console output to FILE\n\
   -C, --close-all-fdsIf any fds are inherited, close them\n\
- If not specified, exit with failure instead\n\
  Note: --daemon implies --close-all-fds\n\
   -s, --define KEY=VAL   Assign VAL to configuration variable KEY\n\
   --share-[net|ipc|uts|pid]=NAME Share a namespace with another container 
or pid\n\
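Review bot: with the "If not specified, exit with failure instead" line gone, the `-C` description no longer says what happens to inherited fds when the option is absent (they are kept); one continuation line stating that default would spare users a trip to the source, since the next line already documents that `--daemon` implies `--close-all-fds`.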


[lxc-devel] [crio-lxc/master] create: pass right lxcpath to internal command

2019-04-19 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/crio-lxc/pull/4


=== Description (from pull-request) ===
the lxcpath is not the rootfs of the container, but rather the base used
for calculating various things, such as the command socket path or default
rootfs/config locations.

Signed-off-by: Tycho Andersen 
From ad7e2201130520e354cbfed5b9d4f5fbe1b1d67f Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Fri, 19 Apr 2019 10:24:56 -0600
Subject: [PATCH] create: pass right lxcpath to internal command

the lxcpath is not the rootfs of the container, but rather the base used
for calculating various things, such as the command socket path or default
rootfs/config locations.

Signed-off-by: Tycho Andersen 
---
 cmd/create.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cmd/create.go b/cmd/create.go
index c867ef2..6c52d33 100644
--- a/cmd/create.go
+++ b/cmd/create.go
@@ -195,7 +195,7 @@ func startContainer(c *lxc.Container, spec *specs.Spec) 
error {
binary,
"internal",
c.Name(),
-   spec.Root.Path,
+   LXC_PATH,
filepath.Join(LXC_PATH, c.Name(), "config"),
)
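Review bot: beyond the argument swap, this deserves a sentence in the commit message from a trust-boundary angle: with `spec.Root.Path` passed as the lxcpath, liblxc would have derived the command socket and default config locations (per the description) from the container's own rootfs, i.e. from a directory whose contents the workload controls. Also, now that `LXC_PATH` is passed and the config path is `filepath.Join(LXC_PATH, c.Name(), "config")`, the `internal` subcommand could compute the config path itself from the first two arguments and the redundant third argument could be dropped.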
 


[lxc-devel] [lxc/master] execute: add a way to wait in lxc-init before spawning

2019-04-15 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/2939


=== Description (from pull-request) ===
We're working on an implementation of crio-lxc. The crio spec thinks about
create and start slightly differently than liblxc does: create actually
creates the namespaces that the container will finally be run in to allow
them to be manipulated. It also allows passing the fds that the container
will use as stdin/stdout, etc. Alternatively, create() in lxc parlance is
just an on-disk operation, where start() creates the namespaces and spawns
the "real" init.

To support the crio semantics in liblxc, we introduce an option to have
lxc-init (blocking) write to a fifo, so that the crio implementation can
wait to read from the fifo until crio's start method is called. This means
that all the namespaces are around and can be manipulated, and the fds
passed at create() time are kept around and correct.

This abstraction is slightly leaky, since it requires the user to both set
up the fifo (e.g. bind mount it in, by setting a mount on liblxc) and then
say again where it is. A less leaky approach might be to just handle the
fifo setup inside liblxc entirely, but then we'd need a new
->execute_really_start() api call instead of just a new config option.

Signed-off-by: Michael McCracken 
Signed-off-by: Tycho Andersen 
From 14cbaf5d08e1ff0d349a9be27a803b04e52d2479 Mon Sep 17 00:00:00 2001
From: Michael McCracken 
Date: Mon, 15 Apr 2019 10:05:15 -0600
Subject: [PATCH] execute: add a way to wait in lxc-init before spawning

We're working on an implementation of crio-lxc. The crio spec thinks about
create and start slightly differently than liblxc does: create actually
creates the namespaces that the container will finally be run in to allow
them to be manipulated. It also allows passing the fds that the container
will use as stdin/stdout, etc. Alternatively, create() in lxc parlance is
just an on-disk operation, where start() creates the namespaces and spawns
the "real" init.

To support the crio semantics in liblxc, we introduce an option to have
lxc-init (blocking) write to a fifo, so that the crio implementation can
wait to read from the fifo until crio's start method is called. This means
that all the namespaces are around and can be manipulated, and the fds
passed at create() time are kept around and correct.

This abstraction is slightly leaky, since it requires the user to both set
up the fifo (e.g. bind mount it in, by setting a mount on liblxc) and then
say again where it is. A less leaky approach might be to just handle the
fifo setup inside liblxc entirely, but then we'd need a new
->execute_really_start() api call instead of just a new config option.

Signed-off-by: Michael McCracken 
Signed-off-by: Tycho Andersen 
---
 src/lxc/cmd/lxc_init.c | 38 --
 src/lxc/conf.h |  3 +++
 src/lxc/confile.c  | 26 ++
 src/lxc/execute.c  |  8 
 4 files changed, 73 insertions(+), 2 deletions(-)

diff --git a/src/lxc/cmd/lxc_init.c b/src/lxc/cmd/lxc_init.c
index aca14d64b8..0ef5cd4ba8 100644
--- a/src/lxc/cmd/lxc_init.c
+++ b/src/lxc/cmd/lxc_init.c
@@ -74,9 +74,10 @@ static struct option long_options[] = {
{ "version", no_argument,   0, OPT_VERSION },
{ "quiet",   no_argument,   0, 'q' },
{ "lxcpath", required_argument, 0, 'P' },
+   { "exec-wait",   no_argument,   0, 'w' },
{ 0, 0, 0, 0   }
};
-static const char short_options[] = "n:hqo:l:P:";
+static const char short_options[] = "n:hqo:l:P:wk";
 
 struct arguments {
const struct option *options;
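Review bot: `short_options` gains both `w` and `k`, but the hunk only adds the `exec-wait` long option mapped to `'w'`; if `k` is meant to be a short option it needs an entry in `long_options` and a `case 'k':` in the parser, otherwise it should be dropped from the string. The new option is also undocumented: the lxc-init usage text should mention `--exec-wait` and that it blocks until something opens the fifo for reading.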
@@ -86,6 +87,8 @@ struct arguments {
bool quiet;
const char *lxcpath;
 
+   bool exec_wait;
+
/* remaining arguments */
char *const *argv;
int argc;
@@ -331,6 +334,33 @@ int main(int argc, char *argv[])
 
(void)ioctl(STDIN_FILENO, TIOCSCTTY, 0);
 
+   if (my_args.exec_wait) {
+   // wait by doing a blocking write to /syncfifo
+   struct stat fifo_stat;
+   if (stat("/syncfifo", _stat) == -1){
+   perror("stat");
+   exit(EXIT_FAILURE);
+   }
+   if (!S_ISFIFO(fifo_stat.st_mode)){
+   if (!my_args.quiet) fprintf(stderr, "/syncfifo 
exists but is not a fifo");
+   exit(EXIT_FAILURE);
+
+   }
+
+   int syncfifo_fd = open("/syncfifo", O_WRONLY | 
O_NOFOLLOW);
+   if (syncfifo_fd == -1){
+   
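Review bot: the `stat()` followed by `open()` on `/syncfifo` is a check-then-use pair: the object at that path can change between the two calls, and `O_NOFOLLOW` only guards against a symlink at the final component. Open first with `O_WRONLY | O_NOFOLLOW | O_CLOEXEC`, then `fstat()` the descriptor and test `S_ISFIFO()` on that, which validates the thing actually opened. Two smaller points: the `fprintf()` message lacks a trailing newline, and the `//` comment style differs from the `/* */` style used elsewhere in this file. Finally, the description says the user tells liblxc where the fifo is, yet the path is hard-coded as `/syncfifo` here; if the new confile option carries a path, lxc-init should receive it rather than assume this one.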

[lxc-devel] [lxc/master] lxccontainer: check do_lxcapi_init_pid() for failure

2019-03-25 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/2917


=== Description (from pull-request) ===
This function can fail, because it uses the command API. If it does fail,
we get weird errors about not being able to open strange proc paths:

xc authyldapservice-c8020e20-e203-e852-90ef-4d378e8d1444 20190323163231.386 ERRORlxc_utils - utils.c:switch_to_ns:1184 - No such file or directory - failed to open /proc/-104/ns/net

So let's check for errors before then.

Signed-off-by: Tycho Andersen 
From caab004fcffbcfbb0b49472aef4b868aee6c7c4f Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Mon, 25 Mar 2019 12:08:02 -0600
Subject: [PATCH] lxccontainer: check do_lxcapi_init_pid() for failure

This function can fail, because it uses the command API. If it does fail,
we get weird errors about not being able to open strange proc paths:

xc authyldapservice-c8020e20-e203-e852-90ef-4d378e8d1444 20190323163231.386 ERRORlxc_utils - utils.c:switch_to_ns:1184 - No such file or directory - failed to open /proc/-104/ns/net

So let's check for errors before then.

Signed-off-by: Tycho Andersen 
---
 src/lxc/lxccontainer.c | 21 -
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
index cba46092fe..72d87410f8 100644
--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -2227,6 +2227,9 @@ static inline bool enter_net_ns(struct lxc_container *c)
 {
pid_t pid = do_lxcapi_init_pid(c);
 
+   if (pid < 0)
+   return false;
+
if ((geteuid() != 0 || (c->lxc_conf && 
!lxc_list_empty(>lxc_conf->id_map))) &&
(access("/proc/self/ns/user", F_OK) == 0))
if (!switch_to_ns(pid, "user"))
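Review bot: the `-104` in the quoted log is `-ECONNRESET`, so what reached `switch_to_ns()` was the command socket's error code being used as a pid; the `pid < 0` guard here catches that, but unlike the other call sites in this patch it returns silently. Log the failure here too (the others use `ERROR("Failed to get init pid")`), otherwise a caller of `enter_net_ns()` sees `false` with nothing in the log explaining why.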
@@ -4642,6 +4645,7 @@ static bool add_remove_device_node(struct lxc_container 
*c, const char *src_path
struct stat st;
char value[LXC_MAX_BUFFER];
const char *p;
+   pid_t init_pid;
 
/* make sure container is running */
if (!do_lxcapi_is_running(c)) {
@@ -4668,7 +4672,13 @@ static bool add_remove_device_node(struct lxc_container 
*c, const char *src_path
if (ret < 0 || ret >= LXC_MAX_BUFFER)
return false;
 
-   if (!do_add_remove_node(do_lxcapi_init_pid(c), p, add, ))
+   init_pid = do_lxcapi_init_pid(c);
+   if (init_pid < 0) {
+   ERROR("Failed to get init pid");
+   return false;
+   }
+
+   if (!do_add_remove_node(init_pid, p, add, ))
return false;
 
/* add or remove device to/from cgroup access list */
@@ -4738,6 +4748,11 @@ static bool do_lxcapi_attach_interface(struct 
lxc_container *c,
}
 
init_pid = do_lxcapi_init_pid(c);
+   if (init_pid < 0) {
+   ERROR("Failed to get init pid");
+   goto err;
+   }
+
ret = lxc_netdev_move_by_name(ifname, init_pid, dst_ifname);
if (ret)
goto err;
@@ -4783,6 +4798,10 @@ static bool do_lxcapi_detach_interface(struct 
lxc_container *c,
pid_t init_pid;
 
init_pid = do_lxcapi_init_pid(c);
+   if (init_pid < 0) {
+   ERROR("Failed to get init pid");
+   _exit(EXIT_FAILURE);
+   }
if (!switch_to_ns(init_pid, "net")) {
ERROR("Failed to enter network namespace");
_exit(EXIT_FAILURE);
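Review bot: the same `ERROR("Failed to get init pid")` text now appears at four call sites with different recovery (`return false`, `goto err`, `_exit(EXIT_FAILURE)`); including the container name or the operation in the message would make the log usable. In this hunk the `_exit()` is only correct because the code runs in a forked child (as the adjacent `switch_to_ns()` failure path suggests), which is worth stating in a comment so the next person does not "fix" it into a `return`.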


[lxc-devel] [lxc/master] CMD log macros: append a newline

2018-12-11 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/2750


=== Description (from pull-request) ===
The log appenders for the regular log macros append a newline as necessary,
and the usage of these is written so it does too. So, let's add a newline.

Signed-off-by: Tycho Andersen 
From cd427d39e37f624df539520b070b99e55c1727f6 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Tue, 11 Dec 2018 09:51:31 -0700
Subject: [PATCH] CMD log macros: append a newline

The log appenders for the regular log macros append a newline as necessary,
and the usage of these is written so it does too. So, let's add a newline.

Signed-off-by: Tycho Andersen 
---
 src/lxc/log.h | 16 
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/src/lxc/log.h b/src/lxc/log.h
index 008df7a73..d4a89d616 100644
--- a/src/lxc/log.h
+++ b/src/lxc/log.h
@@ -452,16 +452,16 @@ ATTR_UNUSED static inline void LXC_##LEVEL(struct 
lxc_log_locinfo* locinfo,   \
ERROR("%s - " format, ptr, ##__VA_ARGS__); \
} while (0)
 
-#define CMD_SYSERROR(format, ...)\
-   do { \
-   lxc_log_strerror_r;  \
-   fprintf(stderr, "%s - " format, ptr, ##__VA_ARGS__); \
+#define CMD_SYSERROR(format, ...)  \
+   do {   \
+   lxc_log_strerror_r;\
+   fprintf(stderr, "%s - \n" format, ptr, ##__VA_ARGS__); \
} while (0)
 
-#define CMD_SYSINFO(format, ...)\
-   do {\
-   lxc_log_strerror_r; \
-   printf("%s - " format, ptr, ##__VA_ARGS__); \
+#define CMD_SYSINFO(format, ...)  \
+   do {  \
+   lxc_log_strerror_r;   \
+   printf("%s - \n" format, ptr, ##__VA_ARGS__); \
} while (0)
 
 extern int lxc_log_fd;
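Review bot: the newline lands in the wrong place in both macros: `"%s - \n" format` prints the strerror text, then a line break, then the caller's message, so CMD_SYSERROR("Failed to open %s", path) produces two lines and the second still has no terminator. The intended shape is `"%s - " format "\n"` (string-literal concatenation after the format argument) in CMD_SYSERROR and CMD_SYSINFO alike.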


[lxc-devel] [lxd/master] allow uidmaps to be parsed from alternate roots

2018-06-21 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/4676


=== Description (from pull-request) ===
Since this code is handy, let's allow it to parse other roots on the
filesystem than just /.

Signed-off-by: Tycho Andersen 
From a1c243ae27ef2ab958fb35919e3231fa0e5630fc Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Wed, 21 Feb 2018 09:29:30 -0700
Subject: [PATCH] allow uidmaps to be parsed from alternate roots

Since this code is handy, let's allow it to parse other roots on the
filesystem than just /.

Signed-off-by: Tycho Andersen 
---
 lxd/main_activateifneeded.go   |  2 +-
 lxd/main_init_interactive.go   |  2 +-
 lxd/util/sys.go|  2 +-
 shared/idmap/idmapset_linux.go | 11 +++
 4 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/lxd/main_activateifneeded.go b/lxd/main_activateifneeded.go
index 760478f0a..01806aef8 100644
--- a/lxd/main_activateifneeded.go
+++ b/lxd/main_activateifneeded.go
@@ -85,7 +85,7 @@ func (c *cmdActivateifneeded) Run(cmd *cobra.Command, args 
[]string) error {
}
 
// Load the idmap for unprivileged containers
-   d.os.IdmapSet, err = idmap.DefaultIdmapSet("")
+   d.os.IdmapSet, err = idmap.DefaultIdmapSet("", "")
if err != nil {
return err
}
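Review bot: all three call sites pass "" for the new rootfs argument, so behaviour is unchanged (path.Join("", "/etc/subuid") is "/etc/subuid"), but putting the new parameter first makes `DefaultIdmapSet("", "")` hard to read at the call site; appending it, or adding a doc comment naming the two arguments, would help the next reader.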
diff --git a/lxd/main_init_interactive.go b/lxd/main_init_interactive.go
index 73ae50d59..24a940c76 100644
--- a/lxd/main_init_interactive.go
+++ b/lxd/main_init_interactive.go
@@ -586,7 +586,7 @@ your Linux distribution and run "lxd init" again afterwards.
 
 func (c *cmdInit) askDaemon(config *initData, d lxd.ContainerServer) error {
// Detect lack of uid/gid
-   idmapset, err := idmap.DefaultIdmapSet("")
+   idmapset, err := idmap.DefaultIdmapSet("", "")
if (err != nil || len(idmapset.Idmap) == 0 || idmapset.Usable() != nil) 
&& shared.RunningInUserNS() {
fmt.Printf(`
 We detected that you are running inside an unprivileged container.
diff --git a/lxd/util/sys.go b/lxd/util/sys.go
index 681ee79c2..2b227b2f8 100644
--- a/lxd/util/sys.go
+++ b/lxd/util/sys.go
@@ -40,7 +40,7 @@ func GetArchitectures() ([]int, error) {
 
 // GetIdmapSet reads the uid/gid allocation.
 func GetIdmapSet() *idmap.IdmapSet {
-   idmapSet, err := idmap.DefaultIdmapSet("")
+   idmapSet, err := idmap.DefaultIdmapSet("", "")
if err != nil {
logger.Warn("Error reading default uid/gid map", log.Ctx{"err": 
err.Error()})
logger.Warnf("Only privileged containers will be able to run")
diff --git a/shared/idmap/idmapset_linux.go b/shared/idmap/idmapset_linux.go
index f284ea2a6..a13572410 100644
--- a/shared/idmap/idmapset_linux.go
+++ b/shared/idmap/idmapset_linux.go
@@ -660,7 +660,7 @@ func getFromProc(fname string) ([][]int64, error) {
 /*
  * Create a new default idmap
  */
-func DefaultIdmapSet(username string) (*IdmapSet, error) {
+func DefaultIdmapSet(rootfs string, username string) (*IdmapSet, error) {
idmapset := new(IdmapSet)
 
if username == "" {
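Review bot: the doc comment above (`Create a new default idmap`) should say what rootfs means: a directory under which /etc/subuid and /etc/subgid are looked up, with "" meaning the running host.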
@@ -672,9 +672,12 @@ func DefaultIdmapSet(username string) (*IdmapSet, error) {
username = currentUser.Username
}
 
-   if shared.PathExists("/etc/subuid") && shared.PathExists("/etc/subgid") 
{
+   // Check if shadow's uidmap tools are installed
+   subuidPath := path.Join(rootfs, "/etc/subuid")
+   subgidPath := path.Join(rootfs, "/etc/subgid")
+   if shared.PathExists(subuidPath) && shared.PathExists(subgidPath) {
// Parse the shadow uidmap
-   entries, err := getFromShadow("/etc/subuid", username)
+   entries, err := getFromShadow(subuidPath, username)
if err != nil {
return nil, err
}
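Review bot: the comment `Check if shadow's uidmap tools are installed` is not what the code tests: the presence of /etc/subuid and /etc/subgid under rootfs says nothing about newuidmap/newgidmap being installed. Second, `path.Join` is for slash-separated URL-style paths; `filepath.Join` is the idiomatic choice for filesystem paths (identical on Linux, but it states intent). Finally, when rootfs is another root the username still comes from the host's current user (the `username == ""` branch above), so the ranges parsed are that root's allocation for a host user name; callers should be aware of the mismatch.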
@@ -693,7 +696,7 @@ func DefaultIdmapSet(username string) (*IdmapSet, error) {
}
 
// Parse the shadow gidmap
-   entries, err = getFromShadow("/etc/subgid", username)
+   entries, err = getFromShadow(subgidPath, username)
if err != nil {
return nil, err
}


[lxc-devel] [lxc/master] use execveat syscall to exec lxc-init if supported

2018-05-22 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/2341


=== Description (from pull-request) ===
execveat allows us to exec stuff via an fd so we don't have to bind
mount stuff in. see the comment about why we're using the syscall directly.

Signed-off-by: Tycho Andersen 
From fcc7bf2940b912dee51c1062e66893a2d7726f10 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Tue, 22 May 2018 23:33:17 +
Subject: [PATCH] use execveat syscall to exec lxc-init if supported

execveat allows us to exec stuff via an fd so we don't have to bind
mount stuff in. see the comment about why we're using the syscall directly.

Signed-off-by: Tycho Andersen 
---
 src/lxc/conf.c| 47 +++
 src/lxc/execute.c | 19 ---
 src/lxc/start.h   |  1 +
 3 files changed, 56 insertions(+), 11 deletions(-)

diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 77c134e82..c87465c77 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -3259,6 +3259,7 @@ static int lxc_execute_bind_init(struct lxc_handler 
*handler)
 
INFO("Bind mounted lxc.init.static into container at \"%s\"", path);
 out:
+   ((struct execute_args *)handler->data)->init_fd = -1;
((struct execute_args *)handler->data)->init_path = p;
return 0;
 }
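Review bot: init_fd is set to -1 only on the `out:` path of lxc_execute_bind_init(); the early returns above it (-ENOMEM, path too long, file missing) leave it untouched. struct execute_args is built with a designated initializer in lxc_execute() (`{.argv = argv, .quiet = quiet}`, visible in the #2221 patch further down this page), so the default is 0, a valid descriptor (stdin), and execute_start() tests `init_fd >= 0`. Today lxc_setup() fails hard on those paths, but initialising `.init_fd = -1` where the struct is created is the robust fix.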
@@ -,6 +3334,24 @@ static bool verify_start_hooks(struct lxc_conf *conf)
return true;
 }
 
+static bool execveat_supported(void)
+{
+#ifdef __NR_execveat
+   /*
+* We use the syscall here, because it was introduced in kernel 3.19,
+* while glibc got support for using the syscall much later, in 2.27.
+* We don't want to use glibc because it falls back to /proc, and the
+* container may not have /proc mounted depending on its configuration.
+*/
+   syscall(__NR_execveat, -1, "", NULL, NULL, AT_EMPTY_PATH);
+   if (errno == ENOSYS)
+   return false;
+   return true;
+#else
+   return false;
+#endif
+}
+
 int lxc_setup(struct lxc_handler *handler)
 {
int ret;
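Review bot: execveat_supported() treats every errno other than ENOSYS as "supported". The probe (dirfd -1, empty path, AT_EMPTY_PATH) can only ever fail, and on a kernel that has the syscall it fails with EBADF; a seccomp policy that denies execveat typically returns EPERM, which this code reads as support, and the real exec in execute_start() then fails with no fallback. Reset errno before the call, check the return value is -1, and return true only for EBADF. A one-line comment that the NULL argv/envp are deliberate would also help.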
@@ -3393,10 +3412,30 @@ int lxc_setup(struct lxc_handler *handler)
return -1;
 
if (lxc_conf->is_execute) {
-   ret = lxc_execute_bind_init(handler);
-   if (ret < 0) {
-   ERROR("Failed to bind-mount the lxc init system");
-   return -1;
+   if (execveat_supported()) {
+   int fd;
+   char path[PATH_MAX];
+
+   ret = snprintf(path, PATH_MAX, SBINDIR 
"/init.lxc.static");
+   if (ret < 0 || ret >= PATH_MAX) {
+   ERROR("Path to init.lxc.static too long");
+   return -1;
+   }
+
+   fd = open(path, O_PATH | O_CLOEXEC);
+   if (fd < 0) {
+   SYSERROR("Unable to open lxc.init.static");
+   return -1;
+   }
+
+   ((struct execute_args *)handler->data)->init_fd = fd;
+   ((struct execute_args *)handler->data)->init_path = 
NULL;
+   } else {
+   ret = lxc_execute_bind_init(handler);
+   if (ret < 0) {
+   ERROR("Failed to bind-mount the lxc init 
system");
+   return -1;
+   }
}
}
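Review bot: three points on the fd path. The descriptor is opened on the host before the rootfs switch, which is the point of the change and avoids resolving SBINDIR through the container's filesystem, but (1) it is stored in handler->data and never closed on the later error returns of lxc_setup(), so it leaks on failure; (2) O_CLOEXEC is fine for a static ELF init, yet execveat refuses a close-on-exec fd for a #! script (ENOENT), so the comment should state that init.lxc.static must remain a real binary; (3) the bind-mount fallback is taken only when execveat_supported() is false, so a runtime exec failure (for example EPERM) has no second chance.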
 
diff --git a/src/lxc/execute.c b/src/lxc/execute.c
index b436b6a3f..fdd639a2d 100644
--- a/src/lxc/execute.c
+++ b/src/lxc/execute.c
@@ -66,12 +66,10 @@ static int execute_start(struct lxc_handler *handler, void* 
data)
goto out1;
}
 
-   if (!my_args->init_path) {
-   ERROR("Init path missing");
-   goto out2;
-   }
-
-   argv[i++] = my_args->init_path;
+   if (my_args->init_path)
+   argv[i++] = my_args->init_path;
+   else
+   argv[i++] = "lxc-init";
 
argv[i++] = "-n";
argv[i++] = (char *)handler->name;
@@ -117,7 +115,14 @@ static int execute_start(struct lxc_handler *handler, 
void* data)
 
NOTICE("Exec'ing \"%s\"", my_args->argv[0]);
 
-   execvp(argv[0], argv);
+   if (my_args->init_fd >= 0)
+#ifdef __NR_execveat
+   syscall(__NR_execveat, my_args->init_fd, "", argv, environ, 
AT_EMPTY_PATH);
+#else
+   ERROR("Set up execveat without syscall nr?");
+#endif
+   else
+   execvp(argv[0], argv);
SYSERROR("Failed to exec %s", argv[0]);
 
 out3:
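Review bot: the `#ifdef` nested inside an unbraced `if`/`else` is fragile: in the `#else` build the body of the `if` becomes the ERROR() call and execution falls through to SYSERROR even though nothing was exec'd, and if __NR_execveat is unknown at compile time lxc_setup() never sets init_fd, so that ERROR is dead code. Put braces around both branches and reuse execveat_supported() instead of a second #ifdef. Also make the failure message identifiable: on the fd path argv[0] is the literal "lxc-init", so "Failed to exec lxc-init" does not say which file was opened; log the fd or SBINDIR path. Make sure `environ` is declared in this file (`extern char **environ;`).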
diff --git a/src/lxc/start.h b/src/lxc/start.h
index 466dbf5f3..aaa731077 100644
--- a/src/lxc/start.h
+++ 
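
The two mechanisms discussed in this message and in the #2311 message below (exec-by-fd via the raw execveat syscall, with fexecve as the fallback) are shown together here as an added, stand-alone example; it is not LXC code and not part of either patch. The probe is a tightened version of the one in the hunk above: it resets errno, expects EBADF on a kernel that has the syscall, and treats anything else (ENOSYS, or EPERM from a seccomp filter) as "do not use". The binary path `/bin/sh`, the `sh -c 'exit 7'` check and the missing-binary check are constructed for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef AT_EMPTY_PATH
#define AT_EMPTY_PATH 0x1000
#endif
#ifndef O_PATH
#define O_PATH 010000000
#endif

extern char **environ;

/*
 * Probe execveat(2) without going through glibc (which may fall back to
 * /proc).  dirfd -1 with an empty path and AT_EMPTY_PATH can never
 * succeed: a kernel that has the syscall answers EBADF, a kernel that
 * lacks it answers ENOSYS, and a seccomp policy that denies it usually
 * answers EPERM.  Only EBADF means "usable"; everything else makes the
 * caller take the fallback instead of failing later at the real exec.
 */
static bool execveat_usable(void)
{
#ifdef __NR_execveat
	errno = 0;
	long ret = syscall(__NR_execveat, -1, "", (char *const *)NULL,
			   (char *const *)NULL, AT_EMPTY_PATH);
	if (ret == 0)		/* cannot happen: nothing sits behind fd -1 */
		return false;
	return errno == EBADF;
#else
	return false;
#endif
}

/* Exec whatever is behind fd; returns only if the exec failed. */
static void exec_fd(int fd, char *const argv[])
{
#ifdef __NR_execveat
	if (execveat_usable()) {
		syscall(__NR_execveat, fd, "", argv, environ, AT_EMPTY_PATH);
		return;
	}
#endif
	/* glibc fallback: before glibc 2.27 this execs /proc/self/fd/N */
	fexecve(fd, argv, environ);
}

/*
 * Run the file behind an O_PATH descriptor in a child and return its exit
 * status, or -1 on a local failure.  The fd, not a path inside the target
 * root, names the binary, so nothing has to be bind-mounted into or
 * resolved through a container's rootfs.  argv[0] is the caller's choice:
 * with a bare fd there is no path to derive it from.
 */
static int run_fd(int fd, char *const argv[])
{
	pid_t pid = fork();
	if (pid < 0)
		return -1;

	if (pid == 0) {
		exec_fd(fd, argv);
		_exit(127);
	}

	int status;
	if (waitpid(pid, &status, 0) < 0)
		return -1;
	return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Open a host binary by path on the "outside", then run it by fd. */
static int run_path_by_fd(const char *path, char *const argv[])
{
	/* O_CLOEXEC is fine for an ELF binary; for a #! script the kernel
	 * refuses a close-on-exec fd (ENOENT) since the interpreter could
	 * not reopen it. */
	int fd = open(path, O_PATH | O_CLOEXEC);
	if (fd < 0)
		return -1;
	int status = run_fd(fd, argv);
	close(fd);
	return status;
}

/* Constructed check: /bin/sh is present on any POSIX system; exit 7. */
static int demo_exit_code(void)
{
	char *const argv[] = { "sh", "-c", "exit 7", NULL };
	return run_path_by_fd("/bin/sh", argv);
}

/* Constructed check: a missing binary fails locally (-1), not with 127. */
static int demo_missing_binary(void)
{
	char *const argv[] = { "missing", NULL };
	return run_path_by_fd("/nonexistent/missing-binary", argv);
}

int main(void)
{
	printf("execveat usable: %s\n", execveat_usable() ? "yes" : "no");
	printf("sh -c 'exit 7' via fd -> %d\n", demo_exit_code());
	printf("missing binary -> %d\n", demo_missing_binary());
	return 0;
}
```

Compile with `cc -Wall example.c -o example` and run it as an unprivileged user; the first line tells you which path the launcher would take on that kernel, and the exit status shows the fd-based exec carrying argv through unchanged.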

[lxc-devel] [lxc/master] execute: don't bind in lxc.init.static

2018-05-09 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/2311


=== Description (from pull-request) ===
Instead of bind mounting in the init and execing it, let's just use
fexecve. There are at least two reasons to prefer this:

* We don't pollute the user's rootfs (even if only temporarily). Even if we
  remove the file, it still changes the mtime of /tmp (or wherever we would
  bind it), which users who are sensitive to any changes in the rootfs will
  see.
* It allows us to get rid of a whole bunch of code.

Signed-off-by: Tycho Andersen 
From 0077e205dc6a774893c489cfb5c96ee9af275e34 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Wed, 9 May 2018 15:47:00 +
Subject: [PATCH] execute: don't bind in lxc.init.static

Instead of bind mounting in the init and execing it, let's just use
fexecve. There are at least two reasons to prefer this:

* We don't pollute the user's rootfs (even if only temporarily). Even if we
  remove the file, it still changes the mtime of /tmp (or wherever we would
  bind it), which users who are sensitive to any changes in the rootfs will
  see.
* It allows us to get rid of a whole bunch of code.

Signed-off-by: Tycho Andersen 
---
 src/lxc/cmd/lxc_init.c | 28 
 src/lxc/conf.c | 75 -
 src/lxc/execute.c  |  9 ++---
 src/lxc/start.h|  2 +-
 src/lxc/utils.c| 90 --
 src/lxc/utils.h|  1 -
 6 files changed, 17 insertions(+), 188 deletions(-)

diff --git a/src/lxc/cmd/lxc_init.c b/src/lxc/cmd/lxc_init.c
index 228a2eb8b..a16745dcd 100644
--- a/src/lxc/cmd/lxc_init.c
+++ b/src/lxc/cmd/lxc_init.c
@@ -192,32 +192,6 @@ static void kill_children(pid_t pid)
fclose(f);
 }
 
-static void remove_self(void)
-{
-   int ret;
-   ssize_t n;
-   char path[MAXPATHLEN] = {0};
-
-   n = readlink("/proc/self/exe", path, sizeof(path));
-   if (n < 0 || n >= MAXPATHLEN) {
-   SYSERROR("Failed to readlink \"/proc/self/exe\"");
-   return;
-   }
-   path[n] = '\0';
-
-   ret = umount2(path, MNT_DETACH);
-   if (ret < 0) {
-   SYSERROR("Failed to unmount \"%s\"", path);
-   return;
-   }
-
-   ret = unlink(path);
-   if (ret < 0) {
-   SYSERROR("Failed to unlink \"%s\"", path);
-   return;
-   }
-}
-
 int main(int argc, char *argv[])
 {
int i, ret;
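Review bot: dropping remove_self() is correct only because nothing is bind-mounted into the rootfs any more, and the replacement named in the description, fexecve(), has its own /proc dependency: glibc before 2.27 implements it by exec'ing /proc/self/fd/N (the #2341 patch above spells this out), so an application container that has no /proc mounted at this point will fail to start where the bind-mount approach worked. Worth a comment here and a test run with /proc deliberately absent.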
@@ -317,8 +291,6 @@ int main(int argc, char *argv[])
}
}
 
-   remove_self();
-
pid = fork();
if (pid < 0)
exit(EXIT_FAILURE);
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 253331160..5c6483cc7 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -3203,64 +3203,6 @@ void remount_all_slave(void)
free(line);
 }
 
-static int lxc_execute_bind_init(struct lxc_handler *handler)
-{
-   int ret;
-   char *p;
-   char path[PATH_MAX], destpath[PATH_MAX];
-   struct lxc_conf *conf = handler->conf;
-
-   /* If init exists in the container, don't bind mount a static one */
-   p = choose_init(conf->rootfs.mount);
-   if (p) {
-   char *old = p;
-
-   p = strdup(old + strlen(conf->rootfs.mount));
-   free(old);
-   if (!p)
-   return -ENOMEM;
-
-   INFO("Found existing init at \"%s\"", p);
-   goto out;
-   }
-
-   ret = snprintf(path, PATH_MAX, SBINDIR "/init.lxc.static");
-   if (ret < 0 || ret >= PATH_MAX)
-   return -1;
-
-   if (!file_exists(path)) {
-   ERROR("The file \"%s\" does not exist on host", path);
-   return -1;
-   }
-
-   ret = snprintf(destpath, PATH_MAX, "%s" P_tmpdir "%s", 
conf->rootfs.mount, "/.lxc-init");
-   if (ret < 0 || ret >= PATH_MAX)
-   return -1;
-
-   if (!file_exists(destpath)) {
-   ret = mknod(destpath, S_IFREG | , 0);
-   if (ret < 0 && errno != EEXIST) {
-   SYSERROR("Failed to create dummy \"%s\" file as bind 
mount target", destpath);
-   return -1;
-   }
-   }
-
-   ret = safe_mount(path, destpath, "none", MS_BIND, NULL, 
conf->rootfs.mount);
-   if (ret < 0) {
-   SYSERROR("Failed to bind mount lxc.init.static into container");
-   return -1;
-   }
-
-   p = strdup(destpath + strlen(conf->rootfs.mount));
-   if (!p)
-   return -ENOMEM;
-
-   INFO("Bind mounted lxc.init.static into container at \"%s\"", path);
-out:
-   ((struct execute_args *)handler->data)->init_path = p;
-   return 0;
-}
-
 /* This 
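Review bot: the removed lxc_execute_bind_init() also carried the choose_init() branch that preferred an init already present in the container's rootfs (`Found existing init at ...`). With the bind mount gone that behaviour goes too unless it is reinstated on the execute path, which this truncated diff does not show; either keep it or state the behaviour change in the commit message.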

[lxc-devel] [lxc/master] add some TRACE/ERROR reporting

2018-05-08 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/2308


=== Description (from pull-request) ===
The errors in execute_start are important because nothing actually prints
out what error if any there was in these cases, so you're left with an
empty log.

The TRACE logs are simply to tell you which version of start lxc chose to
invoke: exec or start.

Signed-off-by: Tycho Andersen 
From 5219de875fb987b40c3d25ed5d7cbb839bfca31f Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Tue, 8 May 2018 09:43:19 -0600
Subject: [PATCH] add some TRACE/ERROR reporting

The errors in execute_start are important because nothing actually prints
out what error if any there was in these cases, so you're left with an
empty log.

The TRACE logs are simply to tell you which version of start lxc chose to
invoke: exec or start.

Signed-off-by: Tycho Andersen 
---
 src/lxc/execute.c | 9 +++--
 src/lxc/start.c   | 1 +
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/lxc/execute.c b/src/lxc/execute.c
index 0f789e1b2..6248e2d67 100644
--- a/src/lxc/execute.c
+++ b/src/lxc/execute.c
@@ -58,11 +58,15 @@ static int execute_start(struct lxc_handler *handler, void* 
data)
argc_add += 2;
 
argv = malloc((argc + argc_add) * sizeof(*argv));
-   if (!argv)
+   if (!argv) {
+   SYSERROR("Allocating init args failed");
goto out1;
+   }
 
-   if (!my_args->init_path)
+   if (!my_args->init_path) {
+   ERROR("Init path missing?");
goto out2;
+   }
 
argv[i++] = my_args->init_path;
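Review bot: SYSERROR is right for the malloc failure (errno is set), but `"Init path missing?"` reads as a debug leftover; name the invariant ("execute_args.init_path not set") so a log reader knows this is a programming error rather than a configuration problem.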
 
@@ -142,6 +146,7 @@ int lxc_execute(const char *name, char *const argv[], int 
quiet,
if (lxc_check_inherited(handler->conf, false, 
>conf->maincmd_fd, 1))
return -1;
 
+   TRACE("Doing lxc_execute");
handler->conf->is_execute = 1;
return __lxc_start(name, handler, _start_ops, , lxcpath,
   backgrounded, error_num);
diff --git a/src/lxc/start.c b/src/lxc/start.c
index d7f079979..ce5cb3366 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -1971,6 +1971,7 @@ int lxc_start(const char *name, char *const argv[], 
struct lxc_handler *handler,
.argv = argv,
};
 
+   TRACE("Doing lxc_start");
return __lxc_start(name, handler, _ops, _arg, lxcpath, 
backgrounded, error_num);
 }
 


[lxc-devel] [lxc/master] fix logic for execute log file

2018-05-03 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/2303


=== Description (from pull-request) ===
The problem here is that lxc-init runs *inside* the container. So if a
person has the log file set to /home/$USER/foo, lxc-init ends up making a
directory /home/$USER/foo inside the container to put the log file in. What
we really want are the logs to be propagated from inside the container to
the outside. We accomplish this by passing an fd without O_CLOEXEC, and
telling lxc-init to log to that file.

Signed-off-by: Tycho Andersen 
From cd90db2c0ec7948a9a52dfc83d3a2b92ed522511 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Thu, 3 May 2018 18:32:19 +
Subject: [PATCH] fix logic for execute log file

The problem here is that lxc-init runs *inside* the container. So if a
person has the log file set to /home/$USER/foo, lxc-init ends up making a
directory /home/$USER/foo inside the container to put the log file in. What
we really want are the logs to be propagated from inside the container to
the outside. We accomplish this by passing an fd without O_CLOEXEC, and
telling lxc-init to log to that file.

Signed-off-by: Tycho Andersen 
---
 src/lxc/execute.c | 29 +
 1 file changed, 25 insertions(+), 4 deletions(-)

diff --git a/src/lxc/execute.c b/src/lxc/execute.c
index c7320ab2d..9fe1af0eb 100644
--- a/src/lxc/execute.c
+++ b/src/lxc/execute.c
@@ -21,11 +21,13 @@
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
  */
 
+#define _GNU_SOURCE
 #include 
 #include 
 #include 
 #include 
 #include 
+#include 
 
 #include "conf.h"
 #include "log.h"
@@ -36,9 +38,9 @@ lxc_log_define(lxc_execute, lxc_start);
 
 static int execute_start(struct lxc_handler *handler, void* data)
 {
-   int j, i = 0;
+   int j, i = 0, log = -1;
struct execute_args *my_args = data;
-   char **argv;
+   char **argv, *logfd;
int argc = 0, argc_add;
 
while (my_args->argv[argc++]);
@@ -69,9 +71,25 @@ static int execute_start(struct lxc_handler *handler, void* 
data)
argv[i++] = (char 
*)lxc_log_priority_to_string(lxc_log_get_level());
}
 
-   if (handler->conf->logfile) {
+   if (current_config->logfd != -1 || lxc_log_fd != -1) {
+   int to_dup = current_config->logfd;
+
+   if (current_config->logfd == -1)
+   to_dup = lxc_log_fd;
+
+   log = dup(to_dup);
+   if (log < 0) {
+   SYSERROR("dup of log fd failed");
+   goto out2;
+   }
+
+   if (asprintf(, "/proc/1/fd/%d", log) < 0) {
+   ERROR("Couldn't allocate memory for log string");
+   goto out3;
+   }
+
argv[i++] = "-o";
-   argv[i++] = (char *)handler->conf->logfile;
+   argv[i++] = logfd;
}
 
if (my_args->quiet)
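Review bot: the dup() deliberately drops FD_CLOEXEC so lxc-init inherits the descriptor, but the argument built here is /proc/1/fd/%d, which (a) needs /proc mounted in the container before lxc-init parses -o, and (b) leaves the numeric fd open in lxc-init and therefore in every process it spawns unless lxc-init closes it after opening its log; a container workload should not inherit a writable descriptor on a host file. Have lxc-init close that fd (or set FD_CLOEXEC on it) once the log is open, and keep the old logfile path as a fallback when /proc is absent.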
@@ -92,6 +110,9 @@ static int execute_start(struct lxc_handler *handler, void* 
data)
execvp(argv[0], argv);
SYSERROR("Failed to exec %s", argv[0]);
 
+   free(logfd);
+out3:
+   close(log);
 out2:
free(argv);
 out1:
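Review bot: `logfd` is declared uninitialised in the hunk above and `free(logfd)` after the failed execvp runs unconditionally, so when neither current_config->logfd nor lxc_log_fd is set this frees an indeterminate pointer. Initialise `*logfd = NULL` at the declaration (close(-1) on the out3 path is already harmless).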


[lxc-devel] [lxc/master] fix signal sending in lxc.init

2018-04-04 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/2258


=== Description (from pull-request) ===
The problem here is that these two clauses were ordered backwards: we first
check if the signal came from not the init pid, and if it did, then we give
a notice and return. The comment notes that this is intended to protect
against SIGCHLD, but we don't in fact know if the signal is a SIGCHLD yet,
because that's tested in the next hunk.

The symptom is that if I e.g. send SIGTERM from the outside world to the
container init, it ignores it and gives this notice. If we re-order these
clauses, it forwards non SIGCHLD signals, and ignores SIGCHLD signals from
things that aren't the real container process.

Signed-off-by: Tycho Andersen 
From 9cb943843a70cef5478d224615ca53c315020ef3 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Wed, 4 Apr 2018 17:45:29 -0600
Subject: [PATCH] fix signal sending in lxc.init

The problem here is that these two clauses were ordered backwards: we first
check if the signal came from not the init pid, and if it did, then we give
a notice and return. The comment notes that this is intended to protect
against SIGCHLD, but we don't in fact know if the signal is a SIGCHLD yet,
because that's tested in the next hunk.

The symptom is that if I e.g. send SIGTERM from the outside world to the
container init, it ignores it and gives this notice. If we re-order these
clauses, it forwards non SIGCHLD signals, and ignores SIGCHLD signals from
things that aren't the real container process.

Signed-off-by: Tycho Andersen 
---
 src/lxc/start.c | 12 ++--
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/lxc/start.c b/src/lxc/start.c
index f66f50a7b..d7f079979 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -380,6 +380,12 @@ static int signal_handler(int fd, uint32_t events, void 
*data,
return hdlr->init_died ? LXC_MAINLOOP_CLOSE : 0;
}
 
+   if (siginfo.ssi_signo != SIGCHLD) {
+   kill(hdlr->pid, siginfo.ssi_signo);
+   INFO("Forwarded signal %d to pid %d", siginfo.ssi_signo, 
hdlr->pid);
+   return hdlr->init_died ? LXC_MAINLOOP_CLOSE : 0;
+   }
+
/* More robustness, protect ourself from a SIGCHLD sent
 * by a process different from the container init.
 */
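Review bot: the forward now happens before hdlr->init_died is consulted and the kill() return value is ignored; if init has already exited and its pid has been reaped and reused, kill(hdlr->pid, ...) signals an unrelated process while the log says "Forwarded signal". Skip forwarding when hdlr->init_died is set and use SYSERROR on a failed kill(). Also note the widened behaviour: every non-SIGCHLD signal the monitor receives is forwarded regardless of ssi_pid, which is the intent, but it means anyone able to signal the monitor can signal the container init.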
@@ -389,12 +395,6 @@ static int signal_handler(int fd, uint32_t events, void 
*data,
return hdlr->init_died ? LXC_MAINLOOP_CLOSE : 0;
}
 
-   if (siginfo.ssi_signo != SIGCHLD) {
-   kill(hdlr->pid, siginfo.ssi_signo);
-   INFO("Forwarded signal %d to pid %d", siginfo.ssi_signo, 
hdlr->pid);
-   return hdlr->init_died ? LXC_MAINLOOP_CLOSE : 0;
-   }
-
if (siginfo.ssi_code == CLD_STOPPED) {
INFO("Container init process was stopped");
return hdlr->init_died ? LXC_MAINLOOP_CLOSE : 0;


[lxc-devel] [lxc/master] remove leading whitespace from log files

2018-03-22 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/2230


=== Description (from pull-request) ===
This has annoyed me for a long time, 3.0 seems like the time to fix it :).

I think the way that the log prefix was intended to be used was perhaps a
dynamic prefix per file, but we don't do that today; we include the
filename later in the log message. Instead, we use it as the tool name,
which for liblxc is always "lxc", but could also be things like
"lxc-cgroup" or whatever. There is absolutely no reason to pad this, since
it is always the same for every log file (in fact, we could probably get
rid of the prefix all together, but that seems slightly more drastic).

Instead, let's just drop this padding. Hopefully this will save thousands
of hours of slight annoyance and right scrolling in various pastebins.

Signed-off-by: Tycho Andersen 
From 512845bc109bb11009f4b7c1dd5705e2e4675b80 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Thu, 22 Mar 2018 09:49:08 -0600
Subject: [PATCH] remove leading whitespace from log files

This has annoyed me for a long time, 3.0 seems like the time to fix it :).

I think the way that the log prefix was intended to be used was perhaps a
dynamic prefix per file, but we don't do that today; we include the
filename later in the log message. Instead, we use it as the tool name,
which for liblxc is always "lxc", but could also be things like
"lxc-cgroup" or whatever. There is absolutely no reason to pad this, since
it is always the same for every log file (in fact, we could probably get
rid of the prefix all together, but that seems slightly more drastic).

Instead, let's just drop this padding. Hopefully this will save thousands
of hours of slight annoyance and right scrolling in various pastebins.

Signed-off-by: Tycho Andersen 
---
 src/lxc/log.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/lxc/log.c b/src/lxc/log.c
index b62aeb8d2..82ae99119 100644
--- a/src/lxc/log.c
+++ b/src/lxc/log.c
@@ -282,7 +282,7 @@ static int log_append_logfile(const struct lxc_log_appender 
*appender,
return 0;
 
n = snprintf(buffer, sizeof(buffer),
-   "%15s%s%s %s %-8s %s - %s:%s:%d - ",
+   "%s%s%s %s %-8s %s - %s:%s:%d - ",
log_prefix,
log_vmname ? " " : "",
log_vmname ? log_vmname : "",
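Review bot: fine as a change, but it alters the on-disk log line format (a fixed 15-column prefix becomes variable width). Anything that parses lxc logs by column offset rather than by the ` - ` separators will break; call it out in the 3.0 release notes.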


[lxc-devel] [lxc/master] fix handler use-after-free

2018-03-15 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/2221


=== Description (from pull-request) ===
The problem here is that __lxc_start frees the handler, so any use
afterwards is invalid. Since we don't have access to the actual struct
lxc_container object in __lxc_start, let's pass a pointer to error_num in
so it can be returned.

Unfortunately, I'm a little too paranoid to change the return type of
lxc_start, since it returns failure if some of the cleanup fails, which
may be useful in some cases. So let's keep this out of band.

Closes #2218
Closes #2219

Reported-by: Felix Abecassis 
Signed-off-by: Tycho Andersen 
From a3b4f3d68054eb31b86a7192bfc8ffabba011bff Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Thu, 15 Mar 2018 15:29:27 +
Subject: [PATCH] fix handler use-after-free

The problem here is that __lxc_start frees the handler, so any use
afterwards is invalid. Since we don't have access to the actual struct
lxc_container object in __lxc_start, let's pass a pointer to error_num in
so it can be returned.

Unfortunately, I'm a little too paranoid to change the return type of
lxc_start, since it returns failure if some of the cleanup fails, which
may be useful in some cases. So let's keep this out of band.

Closes #2218
Closes #2219

Reported-by: Felix Abecassis 
Signed-off-by: Tycho Andersen 
---
 src/lxc/execute.c  | 4 ++--
 src/lxc/lxc.h  | 4 ++--
 src/lxc/lxccontainer.c | 5 ++---
 src/lxc/start.c| 8 +---
 src/lxc/start.h| 3 ++-
 5 files changed, 13 insertions(+), 11 deletions(-)

diff --git a/src/lxc/execute.c b/src/lxc/execute.c
index 40856a337..6adef9bf2 100644
--- a/src/lxc/execute.c
+++ b/src/lxc/execute.c
@@ -120,7 +120,7 @@ static struct lxc_operations execute_start_ops = {
 
 int lxc_execute(const char *name, char *const argv[], int quiet,
struct lxc_handler *handler, const char *lxcpath,
-   bool backgrounded)
+   bool backgrounded, int *error_num)
 {
struct execute_args args = {.argv = argv, .quiet = quiet};
 
@@ -129,5 +129,5 @@ int lxc_execute(const char *name, char *const argv[], int 
quiet,
 
handler->conf->is_execute = 1;
return __lxc_start(name, handler, _start_ops, , lxcpath,
-  backgrounded);
+  backgrounded, error_num);
 }
diff --git a/src/lxc/lxc.h b/src/lxc/lxc.h
index c9064ff08..d3c08ddf2 100644
--- a/src/lxc/lxc.h
+++ b/src/lxc/lxc.h
@@ -54,7 +54,7 @@ struct lxc_handler;
  */
 extern int lxc_start(const char *name, char *const argv[],
 struct lxc_handler *handler, const char *lxcpath,
-bool backgrounded);
+bool backgrounded, int *error_num);
 
 /*
  * Start the specified command inside an application container
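Review bot: the comment block ending at ` */` above documents lxc_start(); document the new `error_num` parameter there (what is stored, whether NULL is accepted, and that it stays valid after the handler is freed, which is the whole point of this change). The same applies to the lxc_execute() comment below.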
@@ -67,7 +67,7 @@ extern int lxc_start(const char *name, char *const argv[],
  */
 extern int lxc_execute(const char *name, char *const argv[], int quiet,
   struct lxc_handler *handler, const char *lxcpath,
-  bool backgrounded);
+  bool backgrounded, int *error_num);
 
 /*
  * Close the fd associated with the monitoring
diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
index ede0be58f..ecb770f48 100644
--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -1066,10 +1066,9 @@ static bool do_lxcapi_start(struct lxc_container *c, int 
useinit, char * const a
}
 
if (useinit)
-   ret = lxc_execute(c->name, argv, 1, handler, c->config_path, 
daemonize);
+   ret = lxc_execute(c->name, argv, 1, handler, c->config_path, 
daemonize, >error_num);
else
-   ret = lxc_start(c->name, argv, handler, c->config_path, 
daemonize);
-   c->error_num = handler->exit_status;
+   ret = lxc_start(c->name, argv, handler, c->config_path, 
daemonize, >error_num);
 
if (conf->reboot == 1) {
INFO("Container requested reboot");
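Review bot: this is the actual use-after-free fix (handler->exit_status was read after __lxc_start() freed handler). Check that every exit path of __lxc_start(), including the early-failure returns before the container is spawned, writes *error_num; otherwise c->error_num keeps the value from a previous start on those paths. Also decide whether error_num may be NULL for other callers of lxc_start()/lxc_execute() and guard the store accordingly.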
diff --git a/src/lxc/start.c b/src/lxc/start.c
index 4e2f8a433..c728a62be 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -1824,7 +1824,7 @@ static int lxc_spawn(struct lxc_handler *handler)
 
 int __lxc_start(const char *name, struct lxc_handler *handler,
struct lxc_operations* ops, void *data, const char *lxcpath,
-   bool backgrounded)
+   bool backgrounded, int *error_num)
 {
int ret, status;
struct lxc_conf *conf = handler->conf;
@@ -1920,6 +1920,8 @@ int __lxc_start(const char *name, struct lxc_handler 
*handler,
 
lxc_monitor_send_exit_code(name, status, handler->lxcpath);
lxc_error_set_and_log(handler->pid, 

[lxc-devel] [lxc/master] cgroups: don't escape if we're not real root

2018-03-13 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/2212


=== Description (from pull-request) ===
If we're host unpriv but root in our userns, we can't really escape
cgroups. Let's switch the cgroup escape test to reflect this.

Signed-off-by: Tycho Andersen 
From 8d961e28f1d759669b477a659cbb694aaa2af915 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Tue, 13 Mar 2018 15:57:10 +
Subject: [PATCH] cgroups: don't escape if we're not real root

If we're host unpriv but root in our userns, we can't really escape
cgroups. Let's switch the cgroup escape test to reflect this.

Signed-off-by: Tycho Andersen 
---
 src/lxc/cgroups/cgfsng.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
index 10c7ab2cf..f337be449 100644
--- a/src/lxc/cgroups/cgfsng.c
+++ b/src/lxc/cgroups/cgfsng.c
@@ -1368,7 +1368,7 @@ static char *cg_unified_get_current_cgroup(void)
bool will_escape;
char *copy = NULL;
 
-   will_escape = (geteuid() == 0);
+   will_escape = !am_host_unpriv();
if (will_escape)
basecginfo = read_file("/proc/1/cgroup");
else
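
Review bot: `am_host_unpriv()` is not defined in this patch (only `cgfsng.c` changes), and the helper introduced by the 2018-01-26 "better unprivileged detection" patch on this page is named `am_unpriv()`; confirm which helper `utils.h` actually exports and, more importantly, its failure behaviour. That implementation returns `false` (privileged) when `/proc/self/uid_map` cannot be opened or parsed, which here sets `will_escape` and reads `/proc/1/cgroup` as the base for a caller that may not be able to escape at all. Failing closed in the helper (unreadable means unprivileged) makes this line safe by construction.
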
___
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel


[lxc-devel] [lxc/master] usernsexec: init log fd

2018-03-12 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/2211

=== Description (from pull-request) ===
lxc-usernsexec uses some functions (e.g. lxc_map_ids()), which are part of
the lxc library and thus use the WARN etc. macros to emit log messages.
However, it doesn't initialize the log in any way, so these messages go
into the ether.

lxc-usernsexec currently has no log parameters, so let's just log these to
stderr. Someone can do something fancier later if they want.

Signed-off-by: Tycho Andersen 
From 2d22b22dd4840e141916e64c697e0a43c7b93c8c Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Mon, 12 Mar 2018 09:39:37 -0600
Subject: [PATCH] usernsexec: init log fd

lxc-usernsexec uses some functions (e.g. lxc_map_ids()), which are part of
the lxc library and thus use the WARN etc. macros to emit log messages.
However, it doesn't initialize the log in any way, so these messages go
into the ether.

lxc-usernsexec currently has no log parameters, so let's just log these to
stderr. Someone can do something fancier later if they want.

Signed-off-by: Tycho Andersen 
---
 src/lxc/cmd/lxc_usernsexec.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/src/lxc/cmd/lxc_usernsexec.c b/src/lxc/cmd/lxc_usernsexec.c
index 766bd72e6..725796270 100644
--- a/src/lxc/cmd/lxc_usernsexec.c
+++ b/src/lxc/cmd/lxc_usernsexec.c
@@ -53,6 +53,8 @@
 #define MS_SLAVE (1 << 19)
 #endif
 
+extern int lxc_log_fd;
+
 int unshare(int flags);
 
 static void usage(const char *name)
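
Review bot: declaring `extern int lxc_log_fd;` inside a command's .c file reaches into a liblxc internal and will break silently if the symbol is renamed or made static; expose it through `log.h` (or go through the normal `lxc_log_init()` path with a config that points at stderr) so the dependency is visible in one place.
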
@@ -274,6 +276,8 @@ int main(int argc, char *argv[])
int pipe1[2],  /* child tells parent it has unshared */
pipe2[2];  /* parent tells child it is mapped and may proceed */
 
+   lxc_log_fd = STDERR_FILENO;
+
memset(ttyname0, '\0', sizeof(ttyname0));
memset(ttyname1, '\0', sizeof(ttyname1));
memset(ttyname2, '\0', sizeof(ttyname2));
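
Review bot: assigning `lxc_log_fd = STDERR_FILENO` at the top of `main()` routes every later `WARN`/`ERROR` from the library onto the same stream as usage errors, which is fine for a debugging tool, but a short comment saying this deliberately replaces `lxc_log_init()` would stop the next reader from "fixing" it.
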


[lxc-devel] [lxd/master] idmap: get rid of new{u,g}idmap checks

2018-03-09 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/4318

=== Description (from pull-request) ===
I believe these checks are intended as a heuristic to indicate whether or
not the current userspace understands idmaps. However, it is perfectly
possible to have a userspace that knows about /etc/subuid, but doesn't have
newuidmap installed. In fact, on my recent upgrade to bionic, it helpfully
uninstalled newuidmap, which is how I noticed this in the first place.

Given that there are additional checks to see if /etc/uidmap actually
exists, we should just go with those and assume people know what they're
doing.

Signed-off-by: Tycho Andersen 
From 79388e509f7e48f5135250ba07e3d6e3b98465bf Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Fri, 9 Mar 2018 16:00:01 -0700
Subject: [PATCH] idmap: get rid of new{u,g}idmap checks

I believe these checks are intended as a heuristic to indicate whether or
not the current userspace understands idmaps. However, it is perfectly
possible to have a userspace that knows about /etc/subuid, but doesn't have
newuidmap installed. In fact, on my recent upgrade to bionic, it helpfully
uninstalled newuidmap, which is how I noticed this in the first place.

Given that there are additional checks to see if /etc/uidmap actually
exists, we should just go with those and assume people know what they're
doing.

Signed-off-by: Tycho Andersen 
---
 shared/idmap/idmapset_linux.go | 6 +-
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/shared/idmap/idmapset_linux.go b/shared/idmap/idmapset_linux.go
index 7e55d87b5..f284ea2a6 100644
--- a/shared/idmap/idmapset_linux.go
+++ b/shared/idmap/idmapset_linux.go
@@ -4,7 +4,6 @@ import (
"bufio"
"fmt"
"os"
-   "os/exec"
"os/user"
"path"
"path/filepath"
@@ -673,10 +672,7 @@ func DefaultIdmapSet(username string) (*IdmapSet, error) {
username = currentUser.Username
}
 
-   // Check if shadow's uidmap tools are installed
-   newuidmap, _ := exec.LookPath("newuidmap")
-   newgidmap, _ := exec.LookPath("newgidmap")
-   if newuidmap != "" && newgidmap != "" && 
shared.PathExists("/etc/subuid") && shared.PathExists("/etc/subgid") {
+   if shared.PathExists("/etc/subuid") && shared.PathExists("/etc/subgid") 
{
// Parse the shadow uidmap
entries, err := getFromShadow("/etc/subuid", username)
if err != nil {
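
Review bot: the commit message says the remaining guard checks `/etc/uidmap`, but the code checks `/etc/subuid` and `/etc/subgid`; fix the message. The bigger point is that the presence of `newuidmap`/`newgidmap` was the only signal that a non-root caller could actually install the ranges parsed here; after this change `DefaultIdmapSet` can hand back a map that an unprivileged caller has no way to apply, so whichever code later writes the map should report the missing shadow tools explicitly rather than fail with a generic error.
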


[lxc-devel] [lxc/master] fix userns helper error handling

2018-02-09 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/2149

=== Description (from pull-request) ===
In both of these cases if there is actually an error, we won't close the
pipe and the api call will hang. Instead, let's be sure to close the pipe
before waiting, so that it doesn't hang.

Signed-off-by: Tycho Andersen 
From ee1b16bcbd6d570bbfde9d7cefd960cddedbbf6e Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Fri, 9 Feb 2018 13:26:31 +
Subject: [PATCH] fix userns helper error handling

In both of these cases if there is actually an error, we won't close the
pipe and the api call will hang. Instead, let's be sure to close the pipe
before waiting, so that it doesn't hang.

Signed-off-by: Tycho Andersen 
---
 src/lxc/conf.c | 16 
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 1035c6fef..7d2efa209 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -4003,14 +4003,14 @@ int userns_exec_1(struct lxc_conf *conf, int (*fn)(void 
*), void *data,
}
 
 on_error:
-   /* Wait for child to finish. */
-   if (pid > 0)
-   status = wait_for_pid(pid);
-
if (p[0] != -1)
close(p[0]);
close(p[1]);
 
+   /* Wait for child to finish. */
+   if (pid > 0)
+   status = wait_for_pid(pid);
+
if (status < 0)
ret = -1;
 
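
Review bot: closing both pipe ends before `wait_for_pid()` is the right order, since a child blocked in `read()` on the pipe can only see EOF once the parent's write end is gone; but `status` is only assigned inside `if (pid > 0)` and is then tested by `if (status < 0)`, so make sure it is initialised before this label for the path where `fork()` failed, otherwise the return value on that path is whatever was on the stack.
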
@@ -4178,6 +4178,10 @@ int userns_exec_full(struct lxc_conf *conf, int 
(*fn)(void *), void *data,
}
 
 on_error:
+   if (p[0] != -1)
+   close(p[0]);
+   close(p[1]);
+
/* Wait for child to finish. */
if (pid > 0)
ret = wait_for_pid(pid);
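
Review bot: the previous day's patch on this page ("signal child in case of failure when running in userns") adds `write(p[1], "0", 1)` under this same `on_error:` label so the child is told to give up; with `close(p[1])` now placed directly under the label, make sure that write still comes before the close, otherwise the failure byte goes to a closed descriptor (EBADF) and the child only learns of the error via EOF, which its `if (c == '0')` check does not handle.
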
@@ -4189,10 +4193,6 @@ int userns_exec_full(struct lxc_conf *conf, int 
(*fn)(void *), void *data,
if (host_gid_map && (host_gid_map != container_root_gid))
free(host_gid_map);
 
-   if (p[0] != -1)
-   close(p[0]);
-   close(p[1]);
-
return ret;
 }
 


[lxc-devel] [lxc/master] signal child in case of failure when running in userns

2018-02-08 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/2139

=== Description (from pull-request) ===
In the case where we fail (e.g. if there are no subuids for the current
user) to run something in the userns, let's signal the child so that they
can exit. Simply closing the pipe causes a hang:

#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

int main(void)
{
	int p[2];
	pid_t pid;
	int status;

	if (pipe(p) < 0) {
		perror("pipe");
		return 1;
	}

	pid = fork();
	if (pid < 0) {
		perror("fork");
		return 1;
	}

	if (pid == 0) {
		char c;

		/* child: blocks here; its inherited copy of p[1] is never closed */
		if (read(p[0], &c, 1) != 1) {
			perror("read");
			exit(1);
		}

		exit(0);
	}

	/* parent: closes its write end without writing anything */
	close(p[1]);

	if (waitpid(pid, &status, 0) != pid) {
		perror("waitpid");
		return 1;
	}

	if (!WIFEXITED(status) || WEXITSTATUS(status)) {
		printf("wrong return code\n");
		return 1;
	}

	return 0;
}

How did this ever work?

Signed-off-by: Tycho Andersen 
From 59e9407dcfade3b967191db69772db3852342fa3 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Thu, 8 Feb 2018 09:52:05 +0100
Subject: [PATCH] signal child in case of failure when running in userns

In the case where we fail (e.g. if there are no subuids for the current
user) to run something in the userns, let's signal the child so that they
can exit. Simply closing the pipe causes a hang:

#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

int main(void)
{
	int p[2];
	pid_t pid;
	int status;

	if (pipe(p) < 0) {
		perror("pipe");
		return 1;
	}

	pid = fork();
	if (pid < 0) {
		perror("fork");
		return 1;
	}

	if (pid == 0) {
		char c;

		/* child: blocks here; its inherited copy of p[1] is never closed */
		if (read(p[0], &c, 1) != 1) {
			perror("read");
			exit(1);
		}

		exit(0);
	}

	/* parent: closes its write end without writing anything */
	close(p[1]);

	if (waitpid(pid, &status, 0) != pid) {
		perror("waitpid");
		return 1;
	}

	if (!WIFEXITED(status) || WEXITSTATUS(status)) {
		printf("wrong return code\n");
		return 1;
	}

	return 0;
}

How did this ever work?

Signed-off-by: Tycho Andersen 
---
 src/lxc/conf.c | 14 --
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 9b6868940..689a2b29e 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -3737,6 +3737,9 @@ static int run_userns_fn(void *data)
/* Close read end of the pipe. */
close(d->p[0]);
 
+   if (c == '0')
+   return 1;
+
if (d->fn_name)
TRACE("calling function \"%s\"", d->fn_name);
/* Call function to run. */
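
Review bot: `if (c == '0') return 1;` only handles the explicit failure byte; if the `read()` that fills `c` returns 0 (the parent died or closed the pipe before writing) or fails, `c` keeps whatever value it had and the function goes on to call `fn`. Compare against the success byte instead, `if (c != '1') return 1;`, and check the read's return value, so that every outcome other than a confirmed go-ahead aborts.
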
@@ -4026,11 +4029,11 @@ int userns_exec_full(struct lxc_conf *conf, int 
(*fn)(void *), void *data,
int p[2];
struct id_map *map;
struct lxc_list *cur;
-   char c = '1';
int ret = -1;
struct lxc_list *idmap = NULL, *tmplist = NULL;
struct id_map *container_root_uid = NULL, *container_root_gid = NULL,
  *host_uid_map = NULL, *host_gid_map = NULL;
+   bool error = true;
 
ret = pipe(p);
if (ret < 0) {
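
Review bot: `bool error = true;` is the right default (only the success path flips it), but if this `pipe()` failure branch jumps to `on_error`, the new `write(p[1], "0", 1)` there touches an uninitialised `p[1]`; either return directly here or initialise `p[0] = p[1] = -1` and guard the write.
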
@@ -4172,12 +4175,19 @@ int userns_exec_full(struct lxc_conf *conf, int 
(*fn)(void *), void *data,
}
 
/* Tell child to proceed. */
-   if (write(p[1], , 1) != 1) {
+   if (write(p[1], "1", 1) != 1) {
SYSERROR("failed telling child process \"%d\" to proceed", pid);
goto on_error;
}
 
+   error = false;
+
 on_error:
+   /* Try to wake the child up and tell them we failed. */
+   if (error && write(p[1], "0", 1) != 1) {
+   ERROR("error telling the child about our error");
+   }
+
/* Wait for child to finish. */
if (pid > 0)
ret = wait_for_pid(pid);
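
Review bot: the failure byte is only added to `userns_exec_full()`; `userns_exec_1()` (visible in the follow-up patch on this page) has the same `on_error:` plus `wait_for_pid()` structure and the same child-side `read()`, so it needs the identical treatment or its callers hang the same way. Also, `ERROR("error telling the child about our error")` drops `errno`; use `SYSERROR` so EPIPE and EBADF are distinguishable in the log.
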

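The two userns helper patches on this page (this one and the 2018-02-09 "fix userns helper error handling" one above it) are both about the same pipe handshake, so here is one added example covering both. It is not LXC code and uses made-up names (`run_handshake`, `HANDSHAKE_*`, `child_payload`). It models the parent telling the child '1' (go) or '0' (give up), plus the old behaviour of only closing the write end, and shows why the reproducer in the PR text hangs: that child never closes its inherited copy of `p[1]`, so the parent's close can never produce EOF.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example (not LXC code): the parent/child handshake used by the
 * userns_exec_* helpers, reduced to the pipe protocol. The parent forks,
 * does its "setup" and then tells the child to proceed ('1') or to give
 * up ('0'). Three parent behaviours are modelled:
 *   HANDSHAKE_OK     setup succeeded, parent writes '1'
 *   HANDSHAKE_ABORT  setup failed, parent writes '0' (the fix above)
 *   HANDSHAKE_CLOSE  setup failed, parent only closes its write end
 * None of them hangs, for two reasons: the child closes its own copy of
 * the write end before reading (so a parent close really produces EOF),
 * and it aborts on anything other than an explicit '1'. */

enum handshake_mode { HANDSHAKE_OK, HANDSHAKE_ABORT, HANDSHAKE_CLOSE };

#define CHILD_ABORTED 2 /* exit code the child uses when told to give up */

static int child_payload(void)
{
	/* stands in for the fn() that userns_exec_* would call */
	return 0;
}

/* Runs one handshake. Returns the child's exit code (0..255), -1 on error. */
int run_handshake(enum handshake_mode mode)
{
	int p[2], status;
	pid_t pid;

	if (pipe(p) < 0)
		return -1;

	pid = fork();
	if (pid < 0) {
		close(p[0]);
		close(p[1]);
		return -1;
	}

	if (pid == 0) {
		char c = '\0';
		ssize_t n;

		/* Without this close the child would hold the write end open
		 * and never see EOF; that is why the reproducer above hangs. */
		close(p[1]);
		n = read(p[0], &c, 1);
		close(p[0]);

		/* EOF, a read error and an explicit '0' all mean "do not run". */
		if (n != 1 || c != '1')
			_exit(CHILD_ABORTED);
		_exit(child_payload());
	}

	close(p[0]);

	switch (mode) {
	case HANDSHAKE_OK:
		if (write(p[1], "1", 1) != 1)
			perror("telling child to proceed");
		break;
	case HANDSHAKE_ABORT:
		/* wake the child up and tell it we failed */
		if (write(p[1], "0", 1) != 1)
			perror("telling child about failure");
		break;
	case HANDSHAKE_CLOSE:
		/* old behaviour: say nothing, just drop the descriptor */
		break;
	}

	/* Close before waiting; a child blocked in read() can only finish
	 * once the last write end is gone. */
	close(p[1]);

	if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
		return -1;
	return WEXITSTATUS(status);
}

int main(void)
{
	printf("ok=%d abort=%d close=%d\n", run_handshake(HANDSHAKE_OK),
	       run_handshake(HANDSHAKE_ABORT), run_handshake(HANDSHAKE_CLOSE));
	return 0;
}
```

The ordering in the parent mirrors the fix in the 2018-02-09 patch: write the verdict first, then close, then wait. With both the child-side close and the `c != '1'` test in place, the explicit '0' is a courtesy that lets the child log a proper reason; the protocol no longer depends on it to terminate.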

[lxc-devel] [lxc/master] lxc-init: use SIGKILL after alarm timeout

2018-02-05 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/2129

=== Description (from pull-request) ===
d76e3e1 inadvertently switched the alarm timeout from sigterm to sigkill.
We really want sigkill here, so let's bring it back.

Signed-off-by: Tycho Andersen 
From 60e324aa5b9aa75c41d750f975cd220ec95c854b Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Mon, 5 Feb 2018 14:13:18 +
Subject: [PATCH] lxc-init: use SIGKILL after alarm timeout

d76e3e1 inadvertently switched the alarm timeout from sigterm to sigkill.
We really want sigkill here, so let's bring it back.

Signed-off-by: Tycho Andersen 
---
 src/lxc/lxc_init.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/lxc/lxc_init.c b/src/lxc/lxc_init.c
index 594b00094..f935f8f21 100644
--- a/src/lxc/lxc_init.c
+++ b/src/lxc/lxc_init.c
@@ -408,7 +408,7 @@ int main(int argc, char *argv[])
if (mypid != 1) {
kill_children(mypid);
} else {
-   ret = kill(-1, SIGTERM);
+   ret = kill(-1, SIGKILL);
if (ret < 0)
DEBUG("%s - Failed to send SIGTERM to "
  "all children", strerror(errno));


[lxc-devel] [lxc/master] Unpriv fixups

2018-01-26 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/2111

=== Description (from pull-request) ===
Hey guys,

I'm doing something slightly weird, running lxc inside of lxc-usernsexec. I uncovered some bugs. Take a look.
From 9650c735c7dd56bb5200b20f85e5b6b0482edb7b Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Fri, 26 Jan 2018 17:43:12 +
Subject: [PATCH 1/2] better check for lock dir

Consider the case where we're running in a user namespace but in the host's
mount ns with the host's filesystem (something like
lxc-usernsexec ... lxc-execute ...), in this case, we'll be euid 0, but we
can't actually write to /run. Let's improve this locking check to make sure
we can actually write to /run before we decide to actually use it as our
locking dir.

Signed-off-by: Tycho Andersen 
---
 src/lxc/utils.c | 7 ++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/lxc/utils.c b/src/lxc/utils.c
index 0b8841630..c7812fdac 100644
--- a/src/lxc/utils.c
+++ b/src/lxc/utils.c
@@ -245,8 +245,13 @@ char *get_rundir()
 {
char *rundir;
const char *homedir;
+   struct stat sb;
+
+   if (stat(RUNTIME_PATH, ) < 0) {
+   return NULL;
+   }
 
-   if (geteuid() == 0) {
+   if (geteuid() == sb.st_uid || getegid() == sb.st_gid) {
rundir = strdup(RUNTIME_PATH);
return rundir;
}
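
Review bot: matching `geteuid() == sb.st_uid || getegid() == sb.st_gid` does not establish that `/run` is writable; a group match only helps if the directory's group-write bit is set, and a uid match only if owner-write is. `access(RUNTIME_PATH, W_OK)` (or testing the `sb.st_mode` bits) answers the question the commit message actually asks. Also, the early `return NULL` on a failed `stat()` now applies to every caller, including unprivileged users who previously fell through to the `homedir`-based path declared just above; a missing `/run` should fall through rather than fail.
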

From 4fbe33a47b7f280e79b2022326172c1cd5f4385c Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Fri, 26 Jan 2018 21:21:51 +
Subject: [PATCH 2/2] better unprivileged detection

In particular, if we are already in a user namespace we are unprivileged,
and doing things like moving the physical nics back to the host netns won't
work. Let's do the same thing LXD does if euid == 0: inspect
/proc/self/uid_map and see what that says.

Signed-off-by: Tycho Andersen 
---
 src/lxc/utils.h | 30 --
 1 file changed, 28 insertions(+), 2 deletions(-)

diff --git a/src/lxc/utils.h b/src/lxc/utils.h
index f8cf26fbf..eb85871f1 100644
--- a/src/lxc/utils.h
+++ b/src/lxc/utils.h
@@ -427,8 +427,34 @@ extern int lxc_strmunmap(void *addr, size_t length);
 /* initialize rand with urandom */
 extern int randseed(bool);
 
-inline static bool am_unpriv(void) {
-   return geteuid() != 0;
+inline static bool am_unpriv(void)
+{
+   FILE *f;
+   uid_t user, host, count;
+   int ret;
+
+   if (geteuid() != 0)
+   return true;
+
+   /* Now: are we in a user namespace? Because then we're also
+* unprivileged.
+*/
+   f = fopen("/proc/self/uid_map", "r");
+   if (!f) {
+   //SYSERROR("couldn't open uid_map");
+   return false;
+   }
+
+   ret = fscanf(f, "%u %u %u", , , );
+   fclose(f);
+   if (ret != 3) {
+   //ERROR("Wrong number of entries (%d) in uid_map?", ret);
+   return false;
+   }
+
+   if (user != 0 || host != 0 || count != UINT32_MAX)
+   return true;
+   return false;
 }
 
 /*
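
Review bot: this helper fails open: when `fopen("/proc/self/uid_map")` or the `fscanf` fails it returns `false`, i.e. "privileged", and callers such as the cgroup escape and the physical-NIC restore will then attempt operations they may not be allowed to perform. Return `true` (unprivileged) on any failure, since the only state you can positively prove is the identity map of the initial namespace. Two smaller points: a single `0 0 4294967295` line can also be written into a child user namespace created by host root, so this test means "not provably unprivileged" rather than "initial namespace"; and the commented-out `SYSERROR`/`ERROR` calls suggest the function belongs in `utils.c`, where it can log, rather than as an `inline static` in the header.
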

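As an added illustration of the uid_map check in the "better unprivileged detection" patch above (my code, not LXC's; `parse_idmap_line`, `unpriv_from_uid_map` and `am_host_unpriv` are invented names), here is the same test written to fail closed, with the parsing split out so it can be exercised on constructed map contents rather than only on the live `/proc/self/uid_map`.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Added example (not LXC code): the uid_map inspection that am_unpriv()
 * above performs, written to fail closed. Only one state can be proven
 * from /proc/self/uid_map, namely that it holds exactly the identity
 * mapping "0 0 4294967295"; everything else (a partial map, several
 * lines, garbage, an unreadable file) is reported as unprivileged.
 * Caveat: host root can also give a child user namespace a full identity
 * map, so "false" here means "not provably unprivileged", not "initial
 * user namespace". */

#define IDENTITY_MAP_COUNT UINT32_MAX

/* Parse one "nsid hostid count" line. Rejects missing or extra fields. */
bool parse_idmap_line(const char *line, uid_t *nsid, uid_t *hostid, uid_t *count)
{
	unsigned int a, b, c;
	char extra;

	/* the trailing %c only matches if something follows the three numbers */
	if (sscanf(line, " %u %u %u %c", &a, &b, &c, &extra) != 3)
		return false;
	*nsid = a;
	*hostid = b;
	*count = c;
	return true;
}

/* map_text: full contents of a uid_map file. True unless it is exactly the
 * single identity line. */
bool unpriv_from_uid_map(const char *map_text)
{
	const char *p = map_text;
	int lines = 0;

	while (*p) {
		const char *nl = strchr(p, '\n');
		size_t len = nl ? (size_t)(nl - p) : strlen(p);
		char line[128];
		uid_t nsid, hostid, count;

		if (len >= sizeof(line))
			return true; /* no valid line is this long: fail closed */
		memcpy(line, p, len);
		line[len] = '\0';
		p += len + (nl ? 1 : 0);

		if (line[strspn(line, " \t")] == '\0')
			continue; /* tolerate a blank line */
		if (!parse_idmap_line(line, &nsid, &hostid, &count))
			return true;
		lines++;
		if (lines > 1 || nsid != 0 || hostid != 0 || count != IDENTITY_MAP_COUNT)
			return true;
	}
	/* zero lines (empty file or nothing parseable) is also unprivileged */
	return lines != 1;
}

/* The helper a caller would use in place of a bare geteuid() test. */
bool am_host_unpriv(void)
{
	char buf[4096];
	FILE *f;
	size_t n;

	if (geteuid() != 0)
		return true;

	f = fopen("/proc/self/uid_map", "r");
	if (!f)
		return true; /* cannot prove privilege: fail closed */
	n = fread(buf, 1, sizeof(buf) - 1, f);
	fclose(f);
	buf[n] = '\0';
	/* a map too large for buf is truncated, which can only make the
	 * result "unprivileged", never "privileged" */
	return unpriv_from_uid_map(buf);
}

int main(void)
{
	printf("host-unprivileged: %s\n", am_host_unpriv() ? "yes" : "no");
	return 0;
}
```

Run it as root on the host and it prints `no`; run it under `lxc-usernsexec` (or `unshare -U` with a partial map) and it prints `yes`, which is the distinction the PR description is after. The only way to get `no` is to present the exact identity line, so a read failure, a truncated buffer or a nested namespace with a different map all land on the safe side.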

[lxc-devel] [lxc/master] unlink lxc-init

2018-01-19 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/2095

=== Description (from pull-request) ===
It's sort of an implementation detail that this exists at all, and we
should probably not pollute the container's mount tables or FS with this.

Signed-off-by: Tycho Andersen 
From 58fb9c8efe1b4594379e35e1c9b6ced0dd550b52 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Wed, 20 Dec 2017 17:52:38 +
Subject: [PATCH] unlink lxc-init

It's sort of an implementation detail that this exists at all, and we
should probably not pollute the container's mount tables or FS with this.

Signed-off-by: Tycho Andersen 
---
 src/lxc/lxc_init.c | 26 ++
 1 file changed, 26 insertions(+)

diff --git a/src/lxc/lxc_init.c b/src/lxc/lxc_init.c
index 78811de4b..29394c80d 100644
--- a/src/lxc/lxc_init.c
+++ b/src/lxc/lxc_init.c
@@ -195,6 +195,30 @@ static void kill_children(pid_t pid)
fclose(f);
 }
 
+static void remove_self(void)
+{
+   char path[PATH_MAX];
+   ssize_t n;
+
+   n = readlink("/proc/self/exe", path, sizeof(path));
+   if (n < 0) {
+   SYSERROR("Failed to readlink \"/proc/self/exe\"");
+   return;
+   }
+
+   path[n] = 0;
+
+   if (umount2(path, MNT_DETACH) < 0) {
+   SYSERROR("Failed to unmount \"%s\"", path);
+   return;
+   }
+
+   if (unlink(path) < 0) {
+   SYSERROR("Failed to unlink \"%s\"", path);
+   return;
+   }
+}
+
 int main(int argc, char *argv[])
 {
int i, ret;
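
Review bot: `readlink()` can return exactly `sizeof(path)` when the target is long, and then `path[n] = 0` writes one byte past the buffer; pass `sizeof(path) - 1`. Separately, if `umount2()` fails (for example because lxc-init was copied into the rootfs rather than bind-mounted, which gives EINVAL) the function returns before `unlink()`, so the binary stays behind in exactly the case the commit message wants to avoid; log the umount failure and still attempt the unlink.
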
@@ -296,6 +320,8 @@ int main(int argc, char *argv[])
 
lxc_setup_fs();
 
+   remove_self();
+
pid = fork();
if (pid < 0)
exit(EXIT_FAILURE);
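
Review bot: `remove_self()` runs after `lxc_setup_fs()` and before the `fork()`, which is the right spot (the child continues from the already-mapped image, not from the path), but a one-line comment saying the unlink is deliberate would help, since a process whose `/proc/<pid>/exe` shows `(deleted)` is a classic alarm for anyone auditing the container from the host.
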


[lxc-devel] [go-lxc/v2] add ErrorNum to return the last error from the container

2018-01-18 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/go-lxc/pull/99

=== Description (from pull-request) ===
As it stands right now, there is no way to figure out what the exit code of
a container spawned by StartExecute() was. liblxc stores the value in
c->error_num, so let's make that accessible.

Signed-off-by: Tycho Andersen 
From 1b32b677d52eb5bc5551c1b7d70f2ac001470d1f Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Wed, 17 Jan 2018 16:00:31 +
Subject: [PATCH] add ErrorNum to return the last error from the container

As it stands right now, there is no way to figure out what the exit code of
a container spawned by StartExecute() was. liblxc stores the value in
c->error_num, so let's make that accessible.

Signed-off-by: Tycho Andersen 
---
 container.go  | 6 ++
 lxc-binding.c | 9 +
 lxc-binding.h | 1 +
 3 files changed, 16 insertions(+)

diff --git a/container.go b/container.go
index 174bd4b..3041c6b 100644
--- a/container.go
+++ b/container.go
@@ -1892,3 +1892,9 @@ func (c *Container) ConsoleLog(opt ConsoleLogOptions) 
([]byte, error) {
 
return C.GoBytes(unsafe.Pointer(cl.data), numBytes), nil
 }
+
+// ErrorNum returns the error_num field of the container.
+func (c *Container) ErrorNum() int {
+   cError := C.go_lxc_error_num(c.container)
+   return int(cError)
+}
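
Review bot: the doc comment should spell out the values a caller can expect: on an old liblxc `go_lxc_error_num()` returns -1 (see `lxc-binding.c` below), and with the companion liblxc series on this page a container killed by a signal reports `128 + signal`; without that note `ErrorNum() == -1` is ambiguous between "unsupported" and "not run". Also check whether the other accessors in this file take the container's lock, since `c.container` is read here without one.
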
diff --git a/lxc-binding.c b/lxc-binding.c
index 2be6c97..a1b5b19 100644
--- a/lxc-binding.c
+++ b/lxc-binding.c
@@ -454,6 +454,15 @@ bool go_lxc_config_item_is_supported(const char *key)
 #endif
 }
 
+int go_lxc_error_num(struct lxc_container *c)
+{
+#if VERSION_AT_LEAST(2, 1, 0)
+   return c->error_num;
+#else
+   return -1;
+#endif
+}
+
 int go_lxc_console_log(struct lxc_container *c, struct lxc_console_log *log) {
 #if VERSION_AT_LEAST(3, 0, 0)
return c->console_log(c, log);
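
Review bot: verify the `VERSION_AT_LEAST(2, 1, 0)` gate; as far as I know `error_num` has been a member of `struct lxc_container` since the 1.x `lxccontainer.h`, so the -1 fallback would hide a usable value on 1.x/2.0 installs. If 2.1 was chosen on purpose, a comment saying why would save the next reader the same check.
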
diff --git a/lxc-binding.h b/lxc-binding.h
index 7170748..05131a1 100644
--- a/lxc-binding.h
+++ b/lxc-binding.h
@@ -124,3 +124,4 @@ struct lxc_console_log {
 #endif
 
 extern int go_lxc_console_log(struct lxc_container *c, struct lxc_console_log 
*log);
+extern int go_lxc_error_num(struct lxc_container *c);


[lxc-devel] [lxc/master] Propagate exit code for app containers

2018-01-18 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/2094

=== Description (from pull-request) ===
Unfortunately, liblxc didn't do a very good job of keeping track of the exit codes of the tasks it spawned. Here's a series that addresses that. See patch notes for explanations on individual patches, hopefully they present clear arguments, and this will be mostly uncontroversial :)
From 3a9e949f6d4cad085d645b2efbc126cdbc48773a Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Fri, 19 Jan 2018 00:50:39 +
Subject: [PATCH 1/6] start: don't log stop/continue for non-init processes

This non-init forwarding check should really be before all the log messages
about "init continued" or "init stopped", since they will otherwise lie
about some process that wasn't init being stopped or continued.

Signed-off-by: Tycho Andersen 
---
 src/lxc/start.c | 16 
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/src/lxc/start.c b/src/lxc/start.c
index 89a194fd1..8b4144239 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -323,6 +323,14 @@ static int signal_handler(int fd, uint32_t events, void 
*data,
if (ret == 0 && info.si_pid == hdlr->pid)
hdlr->init_died = true;
 
+   /* More robustness, protect ourself from a SIGCHLD sent
+* by a process different from the container init.
+*/
+   if (siginfo.ssi_pid != hdlr->pid) {
+   NOTICE("Received %d from pid %d instead of container init %d.", 
siginfo.ssi_signo, siginfo.ssi_pid, hdlr->pid);
+   return hdlr->init_died ? LXC_MAINLOOP_CLOSE : 0;
+   }
+
if (siginfo.ssi_signo != SIGCHLD) {
kill(hdlr->pid, siginfo.ssi_signo);
INFO("Forwarded signal %d to pid %d.", siginfo.ssi_signo, 
hdlr->pid);
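
Review bot: moving the `ssi_pid != hdlr->pid` check ahead of the forwarding block changes behaviour, not just logging: `ssi_pid` is the pid of the process that sent the signal, so a SIGTERM or SIGINT delivered to the monitor by a shell or `kill(1)` (any pid other than the container init) now returns early and is never forwarded by `kill(hdlr->pid, siginfo.ssi_signo)`. Keep the early return for `SIGCHLD` only, e.g. `if (siginfo.ssi_signo == SIGCHLD && siginfo.ssi_pid != hdlr->pid)`, which is the case the commit message is actually about.
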
@@ -337,14 +345,6 @@ static int signal_handler(int fd, uint32_t events, void 
*data,
return hdlr->init_died ? LXC_MAINLOOP_CLOSE : 0;
}
 
-   /* More robustness, protect ourself from a SIGCHLD sent
-* by a process different from the container init.
-*/
-   if (siginfo.ssi_pid != hdlr->pid) {
-   NOTICE("Received SIGCHLD from pid %d instead of container init 
%d.", siginfo.ssi_pid, hdlr->pid);
-   return hdlr->init_died ? LXC_MAINLOOP_CLOSE : 0;
-   }
-
DEBUG("Container init process %d exited.", hdlr->pid);
return LXC_MAINLOOP_CLOSE;
 }

From 19cfa02c4c7bd29cdf10462878d06d025fcc3d27 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Fri, 19 Jan 2018 03:20:08 +
Subject: [PATCH 2/6] fix lxc_error_set_and_log to match the docs

The documentation for this function says if the task was killed by a
signal, the return code will be 128+n, where n is the signal number. Let's
make that actually true.

(We'll use this behavior in later patches.)

Signed-off-by: Tycho Andersen 
---
 src/lxc/error.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/lxc/error.c b/src/lxc/error.c
index 81d6a376e..9147a6afb 100644
--- a/src/lxc/error.c
+++ b/src/lxc/error.c
@@ -52,6 +52,7 @@ extern int  lxc_error_set_and_log(int pid, int status)
if (WIFSIGNALED(status)) {
int signal = WTERMSIG(status);
INFO("Child <%d> ended on signal (%d)", pid, signal);
+   ret = 128 + signal;
}
 
return ret;
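
Review bot: `128 + signal` matches the documented contract but is indistinguishable from a child that called `exit(128 + n)` itself; shells accept the same ambiguity, so just state it in the doc comment, and consider including `ret` in the `INFO` line so the log shows the code consumers will actually see.
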

From 4f4530faa742e39fb0e0cd3d08de07f36e2b0fc8 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Fri, 19 Jan 2018 03:21:10 +
Subject: [PATCH 3/6] lxc.init: correctly exit with the app's error code

Based on the comments in the code (and the have_status flag), the intent
here (and IMO, the desired behavior) should be for init.lxc to propagate
the actual exit code from the real application process up through.
Otherwise, it is swallowed and nobody can access it.

The bug being fixed here is that ret held the correct exit code, but when
it went around the loop again (to wait for other children) ret is
clobbered. Let's save the desired exit status somewhere else, so it can't
get clobbered, and we propagate things correctly.

Signed-off-by: Tycho Andersen 
---
 src/lxc/lxc_init.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/lxc/lxc_init.c b/src/lxc/lxc_init.c
index 2879a9399..78811de4b 100644
--- a/src/lxc/lxc_init.c
+++ b/src/lxc/lxc_init.c
@@ -202,7 +202,7 @@ int main(int argc, char *argv[])
struct sigaction act;
struct lxc_log log;
sigset_t mask, omask;
-   int have_status = 0, shutdown = 0;
+   int have_status = 0, exit_with = 1, shutdown = 0;
 
if (arguments_parse(_args, argc, argv))
exit(EXIT_FAILURE);
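
Review bot: initialising `exit_with = 1` means lxc-init reports failure whenever the application's status is never collected, which is the safe default; add a comment on the declaration saying it holds the application's code and must not be reused for other `waitpid()` results, so the clobbering bug this patch fixes does not creep back in.
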
@@ -420,14 +420,14 @@ int 

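An added example (not part of the series; the names `reap_all`, `exit_code_from_status`, `spawn_exit` and `spawn_killed` are mine) of the reaper loop that patches 2/6 and 3/6 describe: reap every child, keep the application's status in a variable that later `waitpid()` results cannot clobber, and map a signal death to `128 + n`. The `demo_*` helpers fork real children so the clobbering scenario (an orphan exiting after the application) is actually exercised.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Added example (not LXC code): an init-style reaper that propagates the
 * application's exit status the way the lxc.init fix above intends. The
 * application's status is stored in its own variable the first time its
 * pid is reaped; every other waitpid() result (orphans re-parented to
 * init) is reaped and discarded, so it cannot clobber the value. Codes
 * follow lxc_error_set_and_log(): WEXITSTATUS on a normal exit,
 * 128 + signal number when the process was killed. */

int exit_code_from_status(int status)
{
	if (WIFEXITED(status))
		return WEXITSTATUS(status);
	if (WIFSIGNALED(status))
		return 128 + WTERMSIG(status);
	return 1; /* plain waitpid() does not report stops, so unreachable */
}

/* Reap every child; return the application's exit code, or 1 if its
 * status was never collected. */
int reap_all(pid_t app_pid)
{
	int exit_with = 1, have_status = 0;

	for (;;) {
		int status;
		pid_t pid = waitpid(-1, &status, 0);

		if (pid < 0) {
			if (errno == EINTR)
				continue;
			break; /* ECHILD: nothing left to wait for */
		}
		if (pid == app_pid && !have_status) {
			/* separate variable: later iterations must not touch it */
			exit_with = exit_code_from_status(status);
			have_status = 1;
		}
	}
	return exit_with;
}

/* Test helpers: children with a known fate. delay_ms lets an orphan outlive
 * the application so the clobbering scenario is actually exercised. */
pid_t spawn_exit(int code, unsigned delay_ms)
{
	pid_t pid = fork();
	if (pid == 0) {
		struct timespec ts = { 0, (long)delay_ms * 1000000L };
		nanosleep(&ts, NULL);
		_exit(code);
	}
	return pid;
}

pid_t spawn_killed(int sig)
{
	pid_t pid = fork();
	if (pid == 0) {
		raise(sig);
		_exit(0); /* only reached if sig is not fatal */
	}
	return pid;
}

/* Application exits with `code`; another child exits 0 afterwards. */
int demo_app_exit(int code)
{
	pid_t app = spawn_exit(code, 0);
	pid_t other = spawn_exit(0, 50);
	if (app < 0 || other < 0)
		return -1;
	return reap_all(app);
}

/* Application dies from signal `sig`; another child exits 0 afterwards. */
int demo_app_killed(int sig)
{
	pid_t app = spawn_killed(sig);
	pid_t other = spawn_exit(0, 50);
	if (app < 0 || other < 0)
		return -1;
	return reap_all(app);
}

int main(void)
{
	printf("app exit 7 -> %d, app SIGKILL -> %d\n",
	       demo_app_exit(7), demo_app_killed(SIGKILL));
	return 0;
}
```

With a single shared variable, as in the pre-fix lxc.init, `demo_app_exit(7)` would return 0 because the orphan's status arrives last; keeping `exit_with` separate is what makes the application's code survive the rest of the loop.
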
[lxc-devel] [lxd/master] drop \n from IdmapSet's ToLxcString

2018-01-08 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/4149

=== Description (from pull-request) ===
1. We just strip the newline everywhere we use this anyways, so we can drop
   the stripping code too.
2. liblxc itself doesn't even accept this string with a newline on the end,
   so it's not even an LxcString :)

Signed-off-by: Tycho Andersen 
From 422751d77dfa13363552caac756de46910ae780c Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Mon, 8 Jan 2018 17:01:48 -0700
Subject: [PATCH] drop \n from IdmapSet's ToLxcString

1. We just strip the newline everywhere we use this anyways, so we can drop
   the stripping code too.
2. liblxc itself doesn't even accept this string with a newline on the end,
   so it's not even an LxcString :)

Signed-off-by: Tycho Andersen 
---
 lxd/container_lxc.go   | 2 +-
 lxd/util/sys.go| 4 ++--
 shared/idmap/idmapset_linux.go | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index 687363d6b..daf1d4d85 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
@@ -1135,7 +1135,7 @@ func (c *containerLXC) initLXC(config bool) error {
if idmapset != nil {
lines := idmapset.ToLxcString()
for _, line := range lines {
-   err := lxcSetConfigItem(cc, "lxc.idmap", 
strings.TrimSuffix(line, "\n"))
+   err := lxcSetConfigItem(cc, "lxc.idmap", line)
if err != nil {
return err
}
diff --git a/lxd/util/sys.go b/lxd/util/sys.go
index 5532f8704..9e40ea998 100644
--- a/lxd/util/sys.go
+++ b/lxd/util/sys.go
@@ -50,7 +50,7 @@ func GetIdmapSet() *idmap.IdmapSet {
if err == nil {
logger.Infof("Kernel uid/gid map:")
for _, lxcmap := range kernelIdmapSet.ToLxcString() {
-   logger.Infof(strings.TrimRight(" - "+lxcmap, 
"\n"))
+   logger.Infof(" - " + lxcmap)
}
}
 
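
Review bot: `logger.Infof(" - " + lxcmap)` passes data as the format string; an idmap line cannot contain `%` today, but `go vet` flags the non-constant format and the pattern is what turns into a log-injection bug later. Use `logger.Infof(" - %s", lxcmap)`, as the second hunk in this file already does.
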
@@ -68,7 +68,7 @@ func GetIdmapSet() *idmap.IdmapSet {
}
 
for _, lxcEntry := range lxcmap.ToLxcString() {
-   logger.Infof(" - %s%s", 
strings.TrimRight(lxcEntry, "\n"), suffix)
+   logger.Infof(" - %s%s", lxcEntry, 
suffix)
}
}
 
diff --git a/shared/idmap/idmapset_linux.go b/shared/idmap/idmapset_linux.go
index d9edc8a97..b4f01e769 100644
--- a/shared/idmap/idmapset_linux.go
+++ b/shared/idmap/idmapset_linux.go
@@ -402,8 +402,8 @@ func (m IdmapSet) ToLxcString() []string {
var lines []string
for _, e := range m.Idmap {
for _, l := range e.ToLxcString() {
-   if !shared.StringInSlice(l+"\n", lines) {
-   lines = append(lines, l+"\n")
+   if !shared.StringInSlice(l, lines) {
+   lines = append(lines, l)
}
}
}


[lxc-devel] [lxc/master] add some idmap parsing error messages

2018-01-08 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/2080

=== Description (from pull-request) ===
otherwise, we just get a return value of false from setting config failure,
with no indication as to what actually failed in the log.

Signed-off-by: Tycho Andersen 
From a8b1ac78131ca089810f80adaccf3ba9a4c8eaa1 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Tue, 9 Jan 2018 00:07:50 +
Subject: [PATCH] add some idmap parsing error messages

otherwise, we just get a return value of false from setting config failure,
with no indication as to what actually failed in the log.

Signed-off-by: Tycho Andersen 
---
 src/lxc/confile.c   |  4 +++-
 src/lxc/confile_utils.c | 17 +
 2 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/src/lxc/confile.c b/src/lxc/confile.c
index 65f13ac56..4c9f27545 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -1665,8 +1665,10 @@ static int set_config_idmaps(const char *key, const char 
*value,
memset(idmap, 0, sizeof(*idmap));
 
ret = parse_idmaps(value, , , , );
-   if (ret < 0)
+   if (ret < 0) {
+   ERROR("error parsing id maps");
goto on_error;
+   }
 
INFO("Read uid map: type %c nsid %lu hostid %lu range %lu", type, nsid, 
hostid, range);
if (type == 'u')
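
Review bot: `ERROR("error parsing id maps")` does not say which line failed; include the value, e.g. `ERROR("Failed to parse id map \"%s\"", value)`, since `parse_idmaps()` logs only the individual field and this is the place that knows the full input.
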
diff --git a/src/lxc/confile_utils.c b/src/lxc/confile_utils.c
index c2901116c..c7850f4aa 100644
--- a/src/lxc/confile_utils.c
+++ b/src/lxc/confile_utils.c
@@ -62,8 +62,11 @@ int parse_idmaps(const char *idmap, char *type, unsigned 
long *nsid,
goto on_error;
 
/* Validate type. */
-   if (*slide != 'u' && *slide != 'g')
+   if (*slide != 'u' && *slide != 'g') {
+   ERROR("invalid mapping type: %c", *slide);
goto on_error;
+   }
+
/* Assign type. */
tmp_type = *slide;
 
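
Review bot: `%c` with `*slide` puts one raw byte from the config value into the log, so a control character in an attacker-supplied `lxc.idmap` line lands there unescaped; printing the field with `%s` after the NUL termination the rest of the function does, or the byte as `%#x`, keeps the log clean.
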
@@ -88,8 +91,10 @@ int parse_idmaps(const char *idmap, char *type, unsigned 
long *nsid,
*slide = '\0';
 
/* Parse nsuid. */
-   if (lxc_safe_ulong(window, _nsid) < 0)
+   if (lxc_safe_ulong(window, _nsid) < 0) {
+   ERROR("couldn't parse nsuid: %s", window);
goto on_error;
+   }
 
/* Move beyond \0. */
slide++;
@@ -112,8 +117,10 @@ int parse_idmaps(const char *idmap, char *type, unsigned 
long *nsid,
*slide = '\0';
 
/* Parse hostid. */
-   if (lxc_safe_ulong(window, _hostid) < 0)
+   if (lxc_safe_ulong(window, _hostid) < 0) {
+   ERROR("couldn't parse hostid: %s", window);
goto on_error;
+   }
 
/* Move beyond \0. */
slide++;
@@ -142,8 +149,10 @@ int parse_idmaps(const char *idmap, char *type, unsigned 
long *nsid,
*slide = '\0';
 
/* Parse range. */
-   if (lxc_safe_ulong(window, _range) < 0)
+   if (lxc_safe_ulong(window, _range) < 0) {
+   ERROR("couldn't parse range: %s", window);
goto on_error;
+   }
 
*type = tmp_type;
*nsid = tmp_nsid;


[lxc-devel] [lxd/master] allow arbitrary users to read idmaps

2018-01-08 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/4148

=== Description (from pull-request) ===
Instead of hardcoding always using root's idmap, let's ask for the current
user's idmap. This should have no effect for LXD, but may potentially be
useful for downstream users of idmap :)

Signed-off-by: Tycho Andersen 
From f0751d938ed8c11b2aa3b234984ae006da55f286 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Mon, 8 Jan 2018 10:06:34 -0700
Subject: [PATCH] allow arbitrary users to read idmaps

Instead of hardcoding always using root's idmap, let's ask for the current
user's idmap. This should have no effect for LXD, but may potentially be
useful for downstream users of idmap :)

Signed-off-by: Tycho Andersen 
---
 shared/idmap/idmapset_linux.go | 10 --
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/shared/idmap/idmapset_linux.go b/shared/idmap/idmapset_linux.go
index a85a74714..d9edc8a97 100644
--- a/shared/idmap/idmapset_linux.go
+++ b/shared/idmap/idmapset_linux.go
@@ -5,6 +5,7 @@ import (
"fmt"
"os"
"os/exec"
+   "os/user"
"path"
"path/filepath"
"reflect"
@@ -667,8 +668,13 @@ func DefaultIdmapSet() (*IdmapSet, error) {
newuidmap, _ := exec.LookPath("newuidmap")
newgidmap, _ := exec.LookPath("newgidmap")
if newuidmap != "" && newgidmap != "" && 
shared.PathExists("/etc/subuid") && shared.PathExists("/etc/subgid") {
+   currentUser, err := user.Current()
+   if err != nil {
+   return nil, err
+   }
+
// Parse the shadow uidmap
-   entries, err := getFromShadow("/etc/subuid", "root")
+   entries, err := getFromShadow("/etc/subuid", 
currentUser.Username)
if err != nil {
return nil, err
}
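Review bot: `getFromShadow("/etc/subuid", currentUser.Username)` looks the range up by login name only, but shadow-utils also accepts a numeric UID in the first field of /etc/subuid and /etc/subgid, so a user whose allocation is written as `1000:100000:65536` (constructed example) gets an empty set here even though newuidmap would honour it; fall back to currentUser.Uid when the name lookup returns nothing. The `user.Current()` error is also returned unwrapped; prefixing it with what was being resolved would make the failure easier to diagnose.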
@@ -687,7 +693,7 @@ func DefaultIdmapSet() (*IdmapSet, error) {
}
 
// Parse the shadow gidmap
-   entries, err = getFromShadow("/etc/subgid", "root")
+   entries, err = getFromShadow("/etc/subgid", 
currentUser.Username)
if err != nil {
return nil, err
}


[lxc-devel] [lxc/master] fix up lxc-usernsexec's exit status

2018-01-08 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/2078


=== Description (from pull-request) ===
* exit(1) when there is an option parsing error
* exit(0) when the user explicitly asks for help
* exit(1) when the user specifies an invalid option

Signed-off-by: Tycho Andersen 
From d8208db47785d93d8dcb96a83c0b015587a77448 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Mon, 8 Jan 2018 16:20:24 +
Subject: [PATCH] fix up lxc-usernsexec's exit status

* exit(1) when there is an option parsing error
* exit(0) when the user explicitly asks for help
* exit(1) when the user specifies an invalid option

Signed-off-by: Tycho Andersen 
---
 src/lxc/tools/lxc_usernsexec.c | 11 +--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/lxc/tools/lxc_usernsexec.c b/src/lxc/tools/lxc_usernsexec.c
index 72d4a005b..766bd72e6 100644
--- a/src/lxc/tools/lxc_usernsexec.c
+++ b/src/lxc/tools/lxc_usernsexec.c
@@ -71,7 +71,6 @@ static void usage(const char *name)
printf("  Note: This program uses newuidmap(2) and newgidmap(2).\n");
printf("As such, /etc/subuid and /etc/subgid must grant the\n");
printf("calling user permission to use the mapped ranges\n");
-   exit(EXIT_SUCCESS);
 }
 
 static void opentty(const char * tty, int which) {
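Review bot: removing `exit(EXIT_SUCCESS);` from usage() changes its contract from "print help and terminate" to "print help and return" for every caller, not only the three in the next hunk; please confirm there is no other usage() call in lxc_usernsexec.c (for instance on a bad argument count after the getopt loop) that would now fall through into the main body. A short comment on usage() saying the caller is responsible for exiting would keep that from regressing.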
@@ -300,10 +299,18 @@ int main(int argc, char *argv[])
 
while ((c = getopt(argc, argv, "m:h")) != EOF) {
switch (c) {
-   case 'm': if (parse_map(optarg)) usage(argv[0]); break;
+   case 'm':
+   if (parse_map(optarg)) {
+   usage(argv[0]);
+   exit(EXIT_FAILURE);
+   }
+   break;
case 'h':
+ usage(argv[0]);
+ exit(EXIT_SUCCESS);
default:
  usage(argv[0]);
+ exit(EXIT_FAILURE);
}
};
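Review bot: the `usage(argv[0]);` and `exit(EXIT_SUCCESS);` / `exit(EXIT_FAILURE);` lines added under `case 'h':` and `default:` are indented with a single space instead of the tab depth of the surrounding switch, so they read as if they sat outside their case labels; reindent them to match the `case 'm':` block. Also note that usage() writes with printf to stdout, so both EXIT_FAILURE paths now emit the help text on stdout while failing; if help-on-error should go to stderr, usage() needs a FILE* parameter.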
 


[lxc-devel] [lxc/master] add --share-$NS= support to lxc-execute

2017-12-06 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/2008


=== Description (from pull-request) ===
This is basically just hoisting the functionality out of lxc-start, so lxc-execute can use it too.
From 14540aad4c8ea94292e837f8d5073cf6b49b6ca4 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Wed, 6 Dec 2017 23:57:29 +
Subject: [PATCH] add --share-$NS= support to lxc-execute

Signed-off-by: Tycho Andersen 
---
 src/lxc/tools/arguments.c   | 32 
 src/lxc/tools/arguments.h   |  8 
 src/lxc/tools/lxc_execute.c | 13 +
 src/lxc/tools/lxc_start.c   | 29 ++---
 4 files changed, 55 insertions(+), 27 deletions(-)

diff --git a/src/lxc/tools/arguments.c b/src/lxc/tools/arguments.c
index f16b19562..345d42d9f 100644
--- a/src/lxc/tools/arguments.c
+++ b/src/lxc/tools/arguments.c
@@ -35,6 +35,7 @@
 #include "arguments.h"
 #include "utils.h"
 #include "version.h"
+#include "namespace.h"
 
 static int build_shortopts(const struct option *a_options, char *a_shortopts,
   size_t a_size)
@@ -289,3 +290,34 @@ int lxc_arguments_str_to_int(struct lxc_arguments *args, 
const char *str)
 
return (int)val;
 }
+
+bool lxc_ns_setup(struct lxc_arguments *args, struct lxc_container *c)
+{
+   int i;
+
+   for (i = 0; i < LXC_NS_MAX; i++) {
+   const char *key, *value;
+
+   value = args->share_ns[i];
+   if (!value)
+   continue;
+
+   if (i == LXC_NS_NET)
+   key = "lxc.namespace.net";
+   else if (i == LXC_NS_IPC)
+   key = "lxc.namespace.ipc";
+   else if (i == LXC_NS_UTS)
+   key = "lxc.namespace.uts";
+   else if (i == LXC_NS_PID)
+   key = "lxc.namespace.pid";
+   else
+   continue;
+
+   if (!c->set_config_item(c, key, value)) {
+   fprintf(stderr, "failed to set %s\n", key);
+   return false;
+   }
+   }
+
+   return true;
+}
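Review bot: the failure path in lxc_ns_setup uses a bare `fprintf(stderr, "failed to set %s\n", key);` rather than the error macro arguments.h already defines (the `fprintf(stderr, "%s: " fmt "\n", (arg)->progname, ##args)` one visible in the header hunk below), so the message loses the progname prefix and ignores --quiet even though `args` is in scope. The trailing `else continue;` also silently ignores any share_ns slot without a config key (user, mnt, cgroup); a one-line comment saying only net/ipc/uts/pid can be shared this way would document that, and the value goes to set_config_item unvalidated, which is fine only if that is where the path-or-pid check happens.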
diff --git a/src/lxc/tools/arguments.h b/src/lxc/tools/arguments.h
index b07caf42b..d23251dc8 100644
--- a/src/lxc/tools/arguments.h
+++ b/src/lxc/tools/arguments.h
@@ -29,6 +29,7 @@
 #include 
 #include 
 #include 
+#include 
 
 struct lxc_arguments;
 
@@ -160,6 +161,11 @@ struct lxc_arguments {
 #define OPT_VERSION OPT_USAGE - 1
 #define OPT_RCFILE OPT_USAGE - 2
 
+#define OPT_SHARE_NET OPT_USAGE + 1
+#define OPT_SHARE_IPC OPT_USAGE + 2
+#define OPT_SHARE_UTS OPT_USAGE + 3
+#define OPT_SHARE_PID OPT_USAGE + 4
+
 extern int lxc_arguments_parse(struct lxc_arguments *args, int argc,
   char *const argv[]);
 
@@ -170,4 +176,6 @@ extern int lxc_arguments_str_to_int(struct lxc_arguments 
*args,
if (!(arg)->quiet) \
fprintf(stderr, "%s: " fmt "\n", (arg)->progname, ##args)
 
+extern bool lxc_ns_setup(struct lxc_arguments *args, struct lxc_container *c);
+
 #endif /* __LXC_ARGUMENTS_H */
diff --git a/src/lxc/tools/lxc_execute.c b/src/lxc/tools/lxc_execute.c
index 9af00886c..ec077c2c2 100644
--- a/src/lxc/tools/lxc_execute.c
+++ b/src/lxc/tools/lxc_execute.c
@@ -63,6 +63,10 @@ static int my_parser(struct lxc_arguments* args, int c, 
char* arg)
case 'g':
if (lxc_safe_uint(arg, >gid) < 0)
return -1;
+   case OPT_SHARE_NET: args->share_ns[LXC_NS_NET] = arg; break;
+   case OPT_SHARE_IPC: args->share_ns[LXC_NS_IPC] = arg; break;
+   case OPT_SHARE_UTS: args->share_ns[LXC_NS_UTS] = arg; break;
+   case OPT_SHARE_PID: args->share_ns[LXC_NS_PID] = arg; break;
}
return 0;
 }
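Review bot: `case OPT_SHARE_NET:` is inserted directly after the `case 'g':` body, which ends with `return -1;` inside an if and has no `break`, so a valid -g value now falls through and stores the gid string into `args->share_ns[LXC_NS_NET]`, turning every `lxc-execute -g` into an implicit --share-net. Before this change the fallthrough reached the end of the switch harmlessly. Add `break;` after the gid check.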
@@ -73,6 +77,10 @@ static const struct option my_longopts[] = {
{"define", required_argument, 0, 's'},
{"uid", required_argument, 0, 'u'},
{"gid", required_argument, 0, 'g'},
+   {"share-net", required_argument, 0, OPT_SHARE_NET},
+   {"share-ipc", required_argument, 0, OPT_SHARE_IPC},
+   {"share-uts", required_argument, 0, OPT_SHARE_UTS},
+   {"share-pid", required_argument, 0, OPT_SHARE_PID},
LXC_COMMON_OPTIONS
 };
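Review bot: the four new long options have no matching entry in lxc-execute's help text or man page anywhere in this diff, so `--share-net=`, `--share-ipc=`, `--share-uts=` and `--share-pid=` will be accepted but undocumented; since the point of the change is to hoist the options out of lxc-start, their descriptions should be hoisted with them.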
 
@@ -183,6 +191,11 @@ int main(int argc, char *argv[])
if (my_args.gid)
c->lxc_conf->init_gid = my_args.gid;
 
+   if (!lxc_ns_setup(_args, c)) {
+   lxc_container_put(c);
+   exit(EXIT_FAILURE);
+   }
+
c->daemonize = my_args.daemonize == 1;
bret = c->start(c, 1, my_args.argv);
ret = c->error_num;
diff --git a/src/lxc/tools/lxc_start.c b/src/lxc/tools/lxc_start.c
index 7584b59f4..03e5e2f91 100644
--- 

[lxc-devel] [go-lxc/v2] Fix execute check

2017-12-04 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/go-lxc/pull/96


=== Description (from pull-request) ===
see patch notes for details
From 9d2976b398263e72e96ebc88c2ae325102300c75 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Mon, 4 Dec 2017 15:02:57 -0700
Subject: [PATCH 1/2] fix execute defined check

Execute() really just does exec("lxc-execute", "-P", c.configPath()); the
problem here is that if c is undefined, then it doesn't have an on-disk
config path, and this lxc-execute invocation won't work.

I think there's a think-o here, and we really mean "is this container
defined", since it will thusly have a config and this little hack will
work.

Signed-off-by: Tycho Andersen 
---
 container.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/container.go b/container.go
index 8e9ba73..690988b 100644
--- a/container.go
+++ b/container.go
@@ -495,7 +495,7 @@ func (c *Container) Execute(args ...string) ([]byte, error) 
{
c.mu.Lock()
defer c.mu.Unlock()
 
-   if err := c.makeSure(isNotDefined); err != nil {
+   if err := c.makeSure(isDefined); err != nil {
return nil, err
}
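Review bot: flipping `isNotDefined` to `isDefined` is the right fix given that Execute shells out with `-P c.configPath()`, but nothing guards against it flipping back; a test that calls Execute on a container that was never Defined and asserts on the returned error would pin the behaviour, and the commit message's reasoning (the config must exist on disk for lxc-execute) belongs in a comment above the check.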
 

From 67d98dfe09e9e6dde9cd48cf48a6b1d997418e73 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Mon, 4 Dec 2017 15:04:29 -0700
Subject: [PATCH 2/2] remove some commented out code

With the imminent arrival of StartExecute(), Execute() is probably going to
be enshrined in hackery-whackery for the rest of time. So let's get rid of
this commented out code.

Signed-off-by: Tycho Andersen 
---
 container.go | 12 
 1 file changed, 12 deletions(-)

diff --git a/container.go b/container.go
index 690988b..09cbe15 100644
--- a/container.go
+++ b/container.go
@@ -517,18 +517,6 @@ func (c *Container) Execute(args ...string) ([]byte, 
error) {
}
 
return output, nil
-   /*
-   cargs := makeNullTerminatedArgs(args)
-   if cargs == nil {
-   return ErrAllocationFailed
-   }
-   defer freeNullTerminatedArgs(cargs, len(args))
-
-   if !bool(C.go_lxc_start(c.container, 1, cargs)) {
-   return ErrExecuteFailed
-   }
-   return nil
-   */
 }
 
 // Stop stops the container.


[lxc-devel] [lxc/master] drop useless apparmor denies

2017-10-02 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/1840


=== Description (from pull-request) ===
mem and kmem are really in /dev, so this does us no good.

Signed-off-by: Tycho Andersen 
From 6899c860bb4535a3a8e8212a593ac9876f7c5f12 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Mon, 2 Oct 2017 23:00:21 -0600
Subject: [PATCH] drop useless apparmor denies

mem and kmem are really in /dev, so this does us no good.

Signed-off-by: Tycho Andersen 
---
 config/apparmor/abstractions/container-base.in | 2 --
 src/tests/aa.c | 2 +-
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/config/apparmor/abstractions/container-base.in 
b/config/apparmor/abstractions/container-base.in
index 5bc9b28bf..91e9e4d0c 100644
--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
@@ -71,8 +71,6 @@
   mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
 
   # block some other dangerous paths
-  deny @{PROC}/kcore rwklx,
-  deny @{PROC}/kmem rwklx,
   deny @{PROC}/mem rwklx,
   deny @{PROC}/sysrq-trigger rwklx,
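Review bot: the lines removed here do not match the stated rationale. The message justifies dropping kmem and mem because those nodes live in /dev, but the hunk deletes `deny @{PROC}/kcore rwklx,` and `deny @{PROC}/kmem rwklx,` while leaving `deny @{PROC}/mem rwklx,` in place. /proc/kcore is a genuine procfs file (an ELF image of kernel memory), so that deny is one of the few in this block that blocks a real path and should stay; the line to drop together with kmem is the mem one, as the lxd/apparmor.go change with the same subject later in this thread does.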
 
diff --git a/src/tests/aa.c b/src/tests/aa.c
index c96b4666a..025ac8c9d 100644
--- a/src/tests/aa.c
+++ b/src/tests/aa.c
@@ -105,7 +105,7 @@ char *files_to_allow[] = { "/sys/class/net/lo/ifalias",
"/proc/sys/kernel/shmmax",
NULL };
 
-char *files_to_deny[] = { "/proc/mem", "/proc/kmem",
+char *files_to_deny[] = {
"/sys/kernel/uevent_helper",
"/proc/sys/fs/file-nr",
"/sys/kernel/mm/ksm/pages_to_scan",
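Review bot: removing "/proc/mem" and "/proc/kmem" from files_to_deny matches the commit message but not the profile hunk above, where @{PROC}/mem is still denied and @{PROC}/kcore was removed instead, so the test and the profile now disagree. Once the profile is corrected, "/proc/kcore" should also appear in files_to_deny (if it is not already elsewhere in the array) so the test covers the one deny in that block that guards a real file.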


[lxc-devel] [lxd/master] drop useless apparmor denies

2017-10-02 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/3884


=== Description (from pull-request) ===
mem and kmem are really in /dev, and they're not propagated into lxd
containers, privileged or otherwise anyways, so these are useless.

Signed-off-by: Tycho Andersen 
From d9bec3c1e4430caa025f91bd32908a0b9ce46375 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Mon, 2 Oct 2017 16:53:57 -0600
Subject: [PATCH] drop useless apparmor denies

mem and kmem are really in /dev, and they're not propagated into lxd
containers, privileged or otherwise anyways, so these are useless.

Signed-off-by: Tycho Andersen 
---
 lxd/apparmor.go | 2 --
 1 file changed, 2 deletions(-)

diff --git a/lxd/apparmor.go b/lxd/apparmor.go
index f2920f421..9c018491d 100644
--- a/lxd/apparmor.go
+++ b/lxd/apparmor.go
@@ -80,8 +80,6 @@ const AA_PROFILE_BASE = `
 
   # block some other dangerous paths
   deny @{PROC}/kcore rwklx,
-  deny @{PROC}/kmem rwklx,
-  deny @{PROC}/mem rwklx,
   deny @{PROC}/sysrq-trigger rwklx,
 
   # deny writes in /sys except for /sys/fs/cgroup, also allow
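Review bot: the lxc container-base.in change earlier in this thread with the same subject removed `deny @{PROC}/kcore rwklx,` instead of `deny @{PROC}/mem rwklx,`; this hunk is the variant that matches the rationale (kmem and mem dropped, kcore kept, since /proc/kcore is a real procfs file), so the LXC profile should be brought in line with this one rather than the other way round.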


[lxc-devel] [lxc/master] c/r: only supply --ext-mount-map for bind mounts

2017-02-22 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/1441


=== Description (from pull-request) ===
The rest of the mounts can be restored normally.

Signed-off-by: Tycho Andersen 
From 19d2422b99df72e6fc8f794c630687cb2740a20b Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Wed, 15 Feb 2017 11:28:24 -0700
Subject: [PATCH] c/r: only supply --ext-mount-map for bind mounts

The rest of the mounts can be restored normally.

Signed-off-by: Tycho Andersen 
---
 src/lxc/criu.c | 12 +++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/lxc/criu.c b/src/lxc/criu.c
index 53c368b..9b0ccac 100644
--- a/src/lxc/criu.c
+++ b/src/lxc/criu.c
@@ -334,8 +334,18 @@ static void exec_criu(struct criu_opts *opts)
goto err;
 
while (getmntent_r(mnts, , buf, sizeof(buf))) {
-   char *fmt, *key, *val;
+   char *fmt, *key, *val, *mntdata;
char arg[2 * PATH_MAX + 2];
+   unsigned long flags;
+
+   if (parse_mntopts(mntent.mnt_opts, , ) < 0)
+   goto err;
+
+   free(mntdata);
+
+   /* only add --ext-mount-map for actual bind mounts */
+   if (!(flags & MS_BIND))
+   continue;
 
if (strcmp(opts->action, "dump") == 0) {
fmt = "/%s:%s";
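Review bot: the `flags & MS_BIND` test depends on the word bind surviving in mntent.mnt_opts, which holds for lxc.mount.entry lines but not for entries read from /proc/self/mounts, where the kernel does not report bind as an option; a comment stating which file `mnts` was opened from would make that assumption explicit. Two smaller points: on the `parse_mntopts(...) < 0` path the code jumps to err without freeing mntdata, which is only safe if parse_mntopts leaves it untouched on failure, and since mntdata is freed unused right after a successful parse, passing NULL for it would be cleaner if parse_mntopts accepts that.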


[lxc-devel] [lxd/master] shared: FileCopy should keep the same mode

2017-02-04 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2848


=== Description (from pull-request) ===
Signed-off-by: Tycho Andersen 
From ae99416627cbb08805859f33f6133f9335c0eee9 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Sat, 4 Feb 2017 13:13:26 +0100
Subject: [PATCH] shared: FileCopy should keep the same mode

Signed-off-by: Tycho Andersen 
---
 shared/util.go | 7 ++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/shared/util.go b/shared/util.go
index 21c2b29..e563dcb 100644
--- a/shared/util.go
+++ b/shared/util.go
@@ -275,10 +275,15 @@ func FileCopy(source string, dest string) error {
}
defer s.Close()
 
+   fi, err := s.Stat()
+   if err != nil {
+   return err
+   }
+
d, err := os.Create(dest)
if err != nil {
if os.IsExist(err) {
-   d, err = os.OpenFile(dest, os.O_WRONLY, 0700)
+   d, err = os.OpenFile(dest, os.O_WRONLY, fi.Mode())
if err != nil {
return err
}
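Review bot: this does not preserve the source mode in either branch. `os.Create(dest)` opens with O_CREATE|O_TRUNC and no O_EXCL, so it succeeds on an existing file instead of failing with os.IsExist, which makes the modified `d, err = os.OpenFile(dest, os.O_WRONLY, fi.Mode())` line practically unreachable; and even when it runs, OpenFile's perm argument only applies when the file is created, so an existing dest keeps its old mode. A freshly created dest therefore ends up 0666 masked by umask regardless of fi.Mode(). Use a single `os.OpenFile(dest, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, fi.Mode())` and follow it with `d.Chmod(fi.Mode())` so an existing destination is updated as well.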


[lxc-devel] [lxc/master] util: update setproctitle comments

2017-02-02 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/1409


=== Description (from pull-request) ===
Signed-off-by: Tycho Andersen 
From 7d6c20f25fc12d744b5c1e5c6a41fd8aa04a7463 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Thu, 2 Feb 2017 10:30:43 +0100
Subject: [PATCH] util: update setproctitle comments

Signed-off-by: Tycho Andersen 
---
 src/lxc/utils.c | 7 ++-
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/src/lxc/utils.c b/src/lxc/utils.c
index 24000aa..b6a351c 100644
--- a/src/lxc/utils.c
+++ b/src/lxc/utils.c
@@ -1405,11 +1405,8 @@ char *get_template_path(const char *t)
 }
 
 /*
- * Sets the process title to the specified title. Note:
- *   1. this function requires root to succeed
- *   2. it clears /proc/self/environ
- *   3. it may not succed (e.g. if title is longer than /proc/self/environ +
- *  the original title)
+ * Sets the process title to the specified title. Note that this may fail if
+ * the kernel doesn't support PR_SET_MM_MAP (kernels <3.18).
  */
 int setproctitle(char *title)
 {


[lxc-devel] [lxc/master] util: always malloc for setproctitle

2017-02-02 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/1408


=== Description (from pull-request) ===
Closes #1407

Signed-off-by: Tycho Andersen 
From be69ad435d6ef810dad446f380df16c63bcbdc88 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Thu, 2 Feb 2017 09:36:31 +0100
Subject: [PATCH] util: always malloc for setproctitle

Closes #1407

Signed-off-by: Tycho Andersen 
---
 src/lxc/utils.c | 22 ++
 1 file changed, 6 insertions(+), 16 deletions(-)

diff --git a/src/lxc/utils.c b/src/lxc/utils.c
index 0227c32..24000aa 100644
--- a/src/lxc/utils.c
+++ b/src/lxc/utils.c
@@ -1463,34 +1463,24 @@ int setproctitle(char *title)
if (!tmp)
return -1;
 
-   i = sscanf(tmp, "%lu %lu %lu %lu %lu %lu %lu",
+   i = sscanf(tmp, "%lu %lu %lu %*u %*u %lu %lu",
_data,
_data,
_brk,
-   _start,
-   _end,
_start,
_end);
-   if (i != 7)
+   if (i != 5)
return -1;
 
/* Include the null byte here, because in the calculations below we
 * want to have room for it. */
len = strlen(title) + 1;
 
-   /* If we don't have enough room by just overwriting the old proctitle,
-* let's allocate a new one.
-*/
-   if (len > arg_end - arg_start) {
-   void *m;
-   m = realloc(proctitle, len);
-   if (!m)
-   return -1;
-   proctitle = m;
-
-   arg_start = (unsigned long) proctitle;
-   }
+   proctitle = realloc(proctitle, len);
+   if (!proctitle)
+   return -1;
 
+   arg_start = (unsigned long) proctitle;
arg_end = arg_start + len;
 
brk_val = syscall(__NR_brk, 0);
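Review bot: `proctitle = realloc(proctitle, len);` followed by `if (!proctitle) return -1;` overwrites the only pointer to the old buffer before checking for failure, so on a failed realloc the previous allocation leaks; the removed code kept a temporary `m` for exactly this reason and that pattern should stay. The `i != 5` check is right for the two `%*u` suppressed conversions, which sscanf does not count. It would also be worth a comment that after a successful realloc the old buffer, which the kernel's arg_start/arg_end still reference until the new map is installed further down, may already have been freed, so nothing may read the title in between.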


[lxc-devel] [lxd/master] sort addresses in `lxc list` output

2017-01-13 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2789


=== Description (from pull-request) ===
This closes an issue in a different repo: https://github.com/lxc/lxc/issues/1383

Signed-off-by: Tycho Andersen 
From c73e430764bfe0d370620a02c683504ff4b9bf0b Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Fri, 13 Jan 2017 12:25:39 +0200
Subject: [PATCH] sort addresses in `lxc list` output

This closes an issue in a different repo: https://github.com/lxc/lxc/issues/1383

Signed-off-by: Tycho Andersen 
---
 lxc/list.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/lxc/list.go b/lxc/list.go
index 8ec0a16..1fd9317 100644
--- a/lxc/list.go
+++ b/lxc/list.go
@@ -537,6 +537,7 @@ func (c *listCmd) IP4ColumnData(cInfo api.Container, cState 
*api.ContainerState,
}
}
}
+   sort.Sort(sort.Reverse(sort.StringSlice(ipv4s)))
return strings.Join(ipv4s, "\n")
} else {
return ""
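Review bot: `sort.StringSlice` orders the addresses lexicographically, not numerically, so "10.0.0.9" sorts after "10.0.0.10" and sort.Reverse then puts it first; for a meaningful order parse each entry with net.ParseIP and compare the 16-byte form (bytes.Compare on ip.To16()). The same pattern is used for ipv6s in the next hunk, where reverse-lexicographic order mostly serves to list fe80:: link-local addresses ahead of global ones, which is probably not what the linked issue asks for. Also confirm `sort` is already imported in lxc/list.go, since this diff adds no import.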
@@ -561,6 +562,7 @@ func (c *listCmd) IP6ColumnData(cInfo api.Container, cState 
*api.ContainerState,
}
}
}
+   sort.Sort(sort.Reverse(sort.StringSlice(ipv6s)))
return strings.Join(ipv6s, "\n")
} else {
return ""


[lxc-devel] [lxd/master] allow passing in-memory buffers to a FileResponse

2016-12-22 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2757


=== Description (from pull-request) ===
Signed-off-by: Tycho Andersen 
From 1f2133a9cba692175d2ead6314499c81511a87cc Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Thu, 22 Dec 2016 08:38:03 -0700
Subject: [PATCH] allow passing in-memory buffers to a FileResponse

Signed-off-by: Tycho Andersen 
---
 lxd/response.go | 56 +++-
 1 file changed, 39 insertions(+), 17 deletions(-)

diff --git a/lxd/response.go b/lxd/response.go
index 1116857..ec3ea59 100644
--- a/lxd/response.go
+++ b/lxd/response.go
@@ -9,6 +9,7 @@ import (
"mime/multipart"
"net/http"
"os"
+   "time"
 
"github.com/mattn/go-sqlite3"
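Review bot: only "time" is added to the import block, but the later hunks introduce bytes.NewReader, io.ReadSeeker and io.Reader; confirm bytes and io are already imported above line 9 of lxd/response.go, otherwise the file will not compile.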
 
@@ -106,6 +107,7 @@ type fileResponseEntry struct {
identifier string
path   string
filename   string
+   buffer []byte /* either a path or a buffer must be provided */
 }
 
 type fileResponse struct {
@@ -129,24 +131,38 @@ func (r *fileResponse) Render(w http.ResponseWriter) 
error {
 
// For a single file, return it inline
if len(r.files) == 1 {
-   f, err := os.Open(r.files[0].path)
-   if err != nil {
-   return err
-   }
-   defer f.Close()
+   var rs io.ReadSeeker
+   var mt time.Time
+   var sz int64
+
+   if r.files[0].path == "" {
+   rs = bytes.NewReader(r.files[0].buffer)
+   mt = time.Now()
+   sz = int64(len(r.files[0].buffer))
+   } else {
+   f, err := os.Open(r.files[0].path)
+   if err != nil {
+   return err
+   }
+   defer f.Close()
 
-   fi, err := f.Stat()
-   if err != nil {
-   return err
+   fi, err := f.Stat()
+   if err != nil {
+   return err
+   }
+
+   mt = fi.ModTime()
+   sz = fi.Size()
+   rs = f
}
 
w.Header().Set("Content-Type", "application/octet-stream")
-   w.Header().Set("Content-Length", fmt.Sprintf("%d", fi.Size()))
+   w.Header().Set("Content-Length", fmt.Sprintf("%d", sz))
w.Header().Set("Content-Disposition", 
fmt.Sprintf("inline;filename=%s", r.files[0].filename))
 
-   http.ServeContent(w, r.req, r.files[0].filename, fi.ModTime(), 
f)
-   if r.removeAfterServe {
-   err = os.Remove(r.files[0].path)
+   http.ServeContent(w, r.req, r.files[0].filename, mt, rs)
+   if r.files[0].path != "" && r.removeAfterServe {
+   err := os.Remove(r.files[0].path)
if err != nil {
return err
}
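Review bot: `mt = time.Now()` for the buffer case hands http.ServeContent a modification time that changes on every request, so Last-Modified is meaningless and If-Modified-Since can never produce a 304; pass the zero `time.Time{}` instead, which makes ServeContent omit Last-Modified, or carry a real timestamp in fileResponseEntry. Also, `r.files[0].path == ""` is the only thing that selects the buffer path, so an entry with neither path nor buffer silently serves zero bytes; returning an error there is cheap and matches the struct comment that one of the two must be provided.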
@@ -160,18 +176,24 @@ func (r *fileResponse) Render(w http.ResponseWriter) 
error {
mw := multipart.NewWriter(body)
 
for _, entry := range r.files {
-   fd, err := os.Open(entry.path)
-   if err != nil {
-   return err
+   var rd io.Reader
+   if entry.path != "" {
+   fd, err := os.Open(entry.path)
+   if err != nil {
+   return err
+   }
+   defer fd.Close()
+   rd = fd
+   } else {
+   rd = bytes.NewReader(entry.buffer)
}
-   defer fd.Close()
 
fw, err := mw.CreateFormFile(entry.identifier, entry.filename)
if err != nil {
return err
}
 
-   _, err = io.Copy(fw, fd)
+   _, err = io.Copy(fw, rd)
if err != nil {
return err
}


[lxc-devel] [lxd/master] add a done signal to Monitor API

2016-12-21 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2754


=== Description (from pull-request) ===
Otherwise there is no way to close these connections.

Signed-off-by: Tycho Andersen 
From b7ec78337b9b6eddc085408ec7bd99ca3c082d3c Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Wed, 21 Dec 2016 14:58:59 -0700
Subject: [PATCH] add a done signal to Monitor API

Otherwise there is no way to close these connections.

Signed-off-by: Tycho Andersen 
---
 client.go| 41 +
 lxc/init.go  |  2 +-
 lxc/monitor.go   |  2 +-
 lxd/main_shutdown.go |  2 +-
 4 files changed, 32 insertions(+), 15 deletions(-)

diff --git a/client.go b/client.go
index f7d1a6f..6326d59 100644
--- a/client.go
+++ b/client.go
@@ -705,7 +705,7 @@ func (c *Client) CopyImage(image string, dest *Client, 
copy_aliases bool, aliase
}
 
if progressHandler != nil {
-   go dest.Monitor([]string{"operation"}, handler)
+   go dest.Monitor([]string{"operation"}, handler, nil)
}
 
fingerprint := info.Fingerprint
@@ -937,7 +937,7 @@ func (c *Client) PostImageURL(imageFile string, properties 
[]string, public bool
}
 
if progressHandler != nil {
-   go c.Monitor([]string{"operation"}, handler)
+   go c.Monitor([]string{"operation"}, handler, nil)
}
 
resp, err := c.post("images", body, Async)
@@ -1479,7 +1479,7 @@ func (c *Client) LocalCopy(source string, name string, 
config map[string]string,
return c.post("containers", body, Async)
 }
 
-func (c *Client) Monitor(types []string, handler func(interface{})) error {
+func (c *Client) Monitor(types []string, handler func(interface{}), done chan 
bool) error {
if c.Remote.Public {
return fmt.Errorf("This function isn't supported by public 
remotes.")
}
@@ -1495,20 +1495,37 @@ func (c *Client) Monitor(types []string, handler 
func(interface{})) error {
}
defer conn.Close()
 
-   for {
-   message := make(map[string]interface{})
+   readCh := make(chan []byte)
+   errCh := make(chan error)
 
-   _, data, err := conn.ReadMessage()
-   if err != nil {
-   return err
+   go func() {
+   for {
+   _, data, err := conn.ReadMessage()
+   if err != nil {
+   errCh <- err
+   return
+   }
+
+   readCh <- data
}
+   }()
 
-   err = json.Unmarshal(data, )
-   if err != nil {
+   for {
+   select {
+   case <-done:
+   return nil
+   case data := <-readCh:
+   message := make(map[string]interface{})
+
+   err = json.Unmarshal(data, )
+   if err != nil {
+   return err
+   }
+
+   handler(message)
+   case err := <-errCh:
return err
}
-
-   handler(message)
}
 }
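Review bot: the reader goroutine leaks whenever Monitor returns for any reason other than a read error. On `case <-done: return nil` (and on the json.Unmarshal error return) the deferred conn.Close() makes the pending ReadMessage fail, and the goroutine then blocks forever on `errCh <- err` because nobody is receiving from the unbuffered channel; the same happens on `readCh <- data` if a message arrives at that moment. Give both channels a buffer of 1, or select each send against a channel that Monitor closes on return. Separately, passing a nil `done` works only because receiving from a nil channel blocks forever; that deserves a comment at the signature, since every call site in this diff passes nil.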
 
diff --git a/lxc/init.go b/lxc/init.go
index fec1ef0..95f0507 100644
--- a/lxc/init.go
+++ b/lxc/init.go
@@ -270,7 +270,7 @@ func (c *initCmd) initProgressTracker(d *lxd.Client, 
progress *ProgressRenderer,
progress.Update(opMd["download_progress"].(string))
}
}
-   go d.Monitor([]string{"operation"}, handler)
+   go d.Monitor([]string{"operation"}, handler, nil)
 }
 
 func (c *initCmd) guessImage(config *lxd.Config, d *lxd.Client, remote string, 
iremote string, image string) (string, string) {
diff --git a/lxc/monitor.go b/lxc/monitor.go
index 877a1f9..74e3306 100644
--- a/lxc/monitor.go
+++ b/lxc/monitor.go
@@ -84,5 +84,5 @@ func (c *monitorCmd) run(config *lxd.Config, args []string) 
error {
fmt.Printf("%s\n\n", render)
}
 
-   return d.Monitor(c.typeArgs, handler)
+   return d.Monitor(c.typeArgs, handler, nil)
 }
diff --git a/lxd/main_shutdown.go b/lxd/main_shutdown.go
index 9110ed5..74c380f 100644
--- a/lxd/main_shutdown.go
+++ b/lxd/main_shutdown.go
@@ -34,7 +34,7 @@ func cmdShutdown() error {
 
monitor := make(chan error, 1)
go func() {
-   monitor <- c.Monitor(nil, func(m interface{}) {})
+   monitor <- c.Monitor(nil, func(m interface{}) {}, nil)
}()
 
select {

[lxc-devel] [lxd/master] add a done signal to Monitor API

2016-12-21 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2753


=== Description (from pull-request) ===
Otherwise there is no way to close these connections.

Signed-off-by: Tycho Andersen 
From a74b479f445143e4aaa6fae2356d1179b30d6dca Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Wed, 21 Dec 2016 14:58:59 -0700
Subject: [PATCH] add a done signal to Monitor API

Otherwise there is no way to close these connections.

Signed-off-by: Tycho Andersen 
---
 client.go| 15 ---
 lxc/init.go  |  2 +-
 lxc/monitor.go   |  2 +-
 lxd/main_shutdown.go |  2 +-
 4 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/client.go b/client.go
index f7d1a6f..9e6bc03 100644
--- a/client.go
+++ b/client.go
@@ -705,7 +705,7 @@ func (c *Client) CopyImage(image string, dest *Client, 
copy_aliases bool, aliase
}
 
if progressHandler != nil {
-   go dest.Monitor([]string{"operation"}, handler)
+   go dest.Monitor([]string{"operation"}, handler, nil)
}
 
fingerprint := info.Fingerprint
@@ -937,7 +937,7 @@ func (c *Client) PostImageURL(imageFile string, properties 
[]string, public bool
}
 
if progressHandler != nil {
-   go c.Monitor([]string{"operation"}, handler)
+   go c.Monitor([]string{"operation"}, handler, nil)
}
 
resp, err := c.post("images", body, Async)
@@ -1479,7 +1479,7 @@ func (c *Client) LocalCopy(source string, name string, 
config map[string]string,
return c.post("containers", body, Async)
 }
 
-func (c *Client) Monitor(types []string, handler func(interface{})) error {
+func (c *Client) Monitor(types []string, handler func(interface{}), done chan 
bool) error {
if c.Remote.Public {
return fmt.Errorf("This function isn't supported by public 
remotes.")
}
@@ -1496,6 +1496,15 @@ func (c *Client) Monitor(types []string, handler 
func(interface{})) error {
defer conn.Close()
 
for {
+   if done != nil {
+   select {
+   case <-done:
+   return nil
+   default:
+   break
+   }
+   }
+
message := make(map[string]interface{})
 
_, data, err := conn.ReadMessage()
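Review bot: the non-blocking `select { case <-done: return nil; default: break }` runs once per iteration, immediately before `conn.ReadMessage()`, which then blocks until the next event; a done signal sent while the connection is idle is not observed until another message arrives, so this does not give callers a way to close a quiet Monitor connection, which is what the commit message sets out to do. The read needs to happen in a separate goroutine with the loop selecting on done and the read result (as the other lxd pull request with this subject in the thread does), or the done path has to close conn to unblock the read. The `break` in the default arm is also redundant.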
diff --git a/lxc/init.go b/lxc/init.go
index fec1ef0..95f0507 100644
--- a/lxc/init.go
+++ b/lxc/init.go
@@ -270,7 +270,7 @@ func (c *initCmd) initProgressTracker(d *lxd.Client, 
progress *ProgressRenderer,
progress.Update(opMd["download_progress"].(string))
}
}
-   go d.Monitor([]string{"operation"}, handler)
+   go d.Monitor([]string{"operation"}, handler, nil)
 }
 
 func (c *initCmd) guessImage(config *lxd.Config, d *lxd.Client, remote string, 
iremote string, image string) (string, string) {
diff --git a/lxc/monitor.go b/lxc/monitor.go
index 877a1f9..74e3306 100644
--- a/lxc/monitor.go
+++ b/lxc/monitor.go
@@ -84,5 +84,5 @@ func (c *monitorCmd) run(config *lxd.Config, args []string) 
error {
fmt.Printf("%s\n\n", render)
}
 
-   return d.Monitor(c.typeArgs, handler)
+   return d.Monitor(c.typeArgs, handler, nil)
 }
diff --git a/lxd/main_shutdown.go b/lxd/main_shutdown.go
index 9110ed5..74c380f 100644
--- a/lxd/main_shutdown.go
+++ b/lxd/main_shutdown.go
@@ -34,7 +34,7 @@ func cmdShutdown() error {
 
monitor := make(chan error, 1)
go func() {
-   monitor <- c.Monitor(nil, func(m interface{}) {})
+   monitor <- c.Monitor(nil, func(m interface{}) {}, nil)
}()
 
select {


[lxc-devel] [lxd/master] do mounts in the right order

2016-12-14 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2721

=== Description (from pull-request) ===
In particular, if there are two paths to be mounted:

/mnt
/mnt/foo

We should always mount /mnt before we mount /mnt/foo, otherwise, the /mnt
mount will overmount /mnt/foo, which is almost certainly not what people
want.

Closes #2717

Signed-off-by: Tycho Andersen 
From 7507fa1c2fe65ef50f487d26877ec5f5a1515b5d Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Wed, 14 Dec 2016 17:16:38 +
Subject: [PATCH] do mounts in the right order

In particular, if there are two paths to be mounted:

/mnt
/mnt/foo

We should always mount /mnt before we mount /mnt/foo, otherwise, the /mnt
mount will overmount /mnt/foo, which is almost certainly not what people
want.

Closes #2717

Signed-off-by: Tycho Andersen 
---
 lxd/container_lxc.go  | 59 +++
 test/suites/config.sh | 20 +
 2 files changed, 70 insertions(+), 9 deletions(-)

diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index 5561571..cbbe8c2 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
@@ -1577,6 +1577,7 @@ func (c *containerLXC) startCommon() (string, error) {
var usbs []usbDevice
var gpus []gpuDevice
var nvidiaDevices []nvidiaGpuDevices
+   diskDevices := map[string]shared.Device{}
 
// Create the devices
for _, k := range c.expandedDevices.DeviceNames() {
@@ -1662,12 +1663,8 @@ func (c *containerLXC) startCommon() (string, error) {
}
}
} else if m["type"] == "disk" {
-   // Disk device
if m["path"] != "/" {
-   _, err := c.createDiskDevice(k, m)
-   if err != nil {
-   return "", err
-   }
+   diskDevices[k] = m
}
} else if m["type"] == "nic" {
if m["nictype"] == "bridged" && 
shared.IsTrue(m["security.mac_filtering"]) {
@@ -1710,6 +1707,14 @@ func (c *containerLXC) startCommon() (string, error) {
}
}
 
+   err = c.addDiskDevices(diskDevices, func(name string, d shared.Device) 
error {
+   _, err := c.createDiskDevice(name, d)
+   return err
+   })
+   if err != nil {
+   return "", err
+   }
+
// Create any missing directory
err = os.MkdirAll(c.LogPath(), 0700)
if err != nil {
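Review bot: deferring disk creation to this point changes the relative order of device setup: disks are now created after every unix-char, unix-block and nic device rather than in config order. If any of those devices resolve paths under a disk mount, they now run before the mount exists. A sentence in the commit message confirming that none do, or creating the disks before the other device types, would settle the question.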
@@ -3412,6 +3417,8 @@ func (c *containerLXC) Update(args containerArgs, 
userRequested bool) error {
}
}
 
+   diskDevices := map[string]shared.Device{}
+
for k, m := range addDevices {
if shared.StringInSlice(m["type"], 
[]string{"unix-char", "unix-block"}) {
err = c.insertUnixDevice(m)
@@ -3419,10 +3426,7 @@ func (c *containerLXC) Update(args containerArgs, 
userRequested bool) error {
return err
}
} else if m["type"] == "disk" && m["path"] != "/" {
-   err = c.insertDiskDevice(k, m)
-   if err != nil {
-   return err
-   }
+   diskDevices[k] = m
} else if m["type"] == "nic" {
err = c.insertNetworkDevice(k, m)
if err != nil {
@@ -3497,6 +3501,11 @@ func (c *containerLXC) Update(args containerArgs, 
userRequested bool) error {
}
}
 
+   err = c.addDiskDevices(diskDevices, c.insertDiskDevice)
+   if err != nil {
+   return err
+   }
+
updateDiskLimit := false
for k, m := range updateDevices {
if m["type"] == "disk" {
@@ -5707,6 +5716,38 @@ func (c *containerLXC) insertDiskDevice(name string, m 
shared.Device) error {
return nil
 }
 
+type byPath []shared.Device
+
+func (a byPath) Len() int {
+   return len(a)
+}
+
+func (a byPath) Swap(i, j int) {
+   a[i], a[j] = a[j], a[i]
+}
+
+func (a byPath) Less(i, j int) bool {
+   return a[i]["path"] < a[j]["path"]
+}
+
+func (c *containerLXC) addDiskDevices(devices map[string]shared.Device, 
handler func(string, shared.Device)error) error {
+   ordered := byPath{}
+
+   for _, d := 
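Review bot: `Less` compares the raw `path` strings, and the parent-before-child guarantee holds only because a string sorts before any string it is a prefix of; that needs canonical paths. A device with path `/./mnt/foo` or `//mnt/foo` sorts before `/mnt` and is mounted first, which is exactly the overmount this patch sets out to prevent. Run the values through `path.Clean` (and reject duplicates after cleaning) before sorting, or sort by component count first. The function body is cut off here, so the map-to-slice conversion and the `sort.Sort(ordered)` call could not be reviewed.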

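To make the ordering rule above concrete, here is an added Go example written for this page (it is not code from the lxd pull request): it canonicalises each disk device's in-container target, refuses two devices aimed at the same target, and returns the device names in an order where every parent mount precedes anything nested under it. It generalises the patch's approach slightly by sorting on path depth rather than raw string order, which also covers non-canonical inputs such as `/mnt/./foo/`. The device names and paths in `main` are constructed sample input; `mountOrder` and `overmount` are names chosen here.

```go
package main

import (
	"fmt"
	"path"
	"sort"
	"strings"
)

// mountOrder takes disk devices as name -> in-container target path and
// returns the names in an order where every target is preceded by each of
// its ancestors, so a parent is never mounted over an already-mounted child.
// Targets are canonicalised first: a plain string sort of raw values would
// put "/./mnt/foo" before "/mnt" without recognising it as a child of /mnt.
func mountOrder(devices map[string]string) ([]string, error) {
	type entry struct {
		name, target string
		depth        int
	}
	seen := map[string]string{} // canonical target -> device name
	entries := make([]entry, 0, len(devices))
	for name, target := range devices {
		if !strings.HasPrefix(target, "/") {
			return nil, fmt.Errorf("device %q: target %q is not absolute", name, target)
		}
		clean := path.Clean(target)
		if prev, dup := seen[clean]; dup {
			return nil, fmt.Errorf("devices %q and %q both target %s", prev, name, clean)
		}
		seen[clean] = name
		depth := strings.Count(clean, "/")
		if clean == "/" {
			depth = 0
		}
		entries = append(entries, entry{name: name, target: clean, depth: depth})
	}
	// Shallower mount points first; equal depth falls back to lexical order
	// so the result is deterministic even though map iteration is not.
	sort.Slice(entries, func(i, j int) bool {
		if entries[i].depth != entries[j].depth {
			return entries[i].depth < entries[j].depth
		}
		return entries[i].target < entries[j].target
	})
	order := make([]string, len(entries))
	for i, e := range entries {
		order[i] = e.name
	}
	return order, nil
}

// overmount reports the first "parent over child" pair in which a mount
// would be placed on top of a descendant mounted earlier in order, or ""
// when the order is safe. It is the invariant mountOrder must satisfy.
func overmount(devices map[string]string, order []string) string {
	for i, parent := range order {
		p := path.Clean(devices[parent])
		for _, child := range order[:i] {
			c := path.Clean(devices[child])
			if c != p && (p == "/" || strings.HasPrefix(c, p+"/")) {
				return parent + " over " + child
			}
		}
	}
	return ""
}

func main() {
	// Constructed sample input; the messy "foo" entry is deliberate.
	devices := map[string]string{
		"data": "/srv/data",
		"foo":  "/mnt/./foo/",
		"mnt":  "/mnt",
		"deep": "/mnt/foo/bar",
		"logs": "/var/log",
	}
	order, err := mountOrder(devices)
	if err != nil {
		panic(err)
	}
	fmt.Println(order)                                        // [mnt foo data logs deep]
	fmt.Printf("overmount: %q\n", overmount(devices, order)) // ""
}
```

`overmount` is the invariant to keep in a test: feed it a deliberately reversed order and it must name the offending pair.
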
[lxc-devel] [lxd/master] Some patches in prep for clustering

2016-12-14 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2720

=== Description (from pull-request) ===
Here are some random patches that add or abstract bits that we'll need for clustering.
From c9e723f295621645124ff3978c028b782de3f6aa Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Thu, 1 Dec 2016 09:03:26 -0700
Subject: [PATCH 1/5] client: commonize update methods and add PATCH

Signed-off-by: Tycho Andersen 
---
 client.go | 64 ++-
 1 file changed, 14 insertions(+), 50 deletions(-)

diff --git a/client.go b/client.go
index 67ce9c2..a4265aa 100644
--- a/client.go
+++ b/client.go
@@ -403,7 +403,7 @@ func (c *Client) baseGet(getUrl string) (*Response, error) {
return HoistResponse(resp, Sync)
 }
 
-func (c *Client) put(base string, args interface{}, rtype ResponseType) 
(*Response, error) {
+func (c *Client) doUpdateMethod(method string, base string, args interface{}, 
rtype ResponseType) (*Response, error) {
uri := c.url(shared.APIVersion, base)
 
buf := bytes.Buffer{}
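Review bot: `doUpdateMethod` is also the implementation behind `post` and `delete` further down, neither of which is an update, so the name misdescribes it; something like `doRequestWithBody(method, ...)` would read better. A doc comment noting that every caller sends a JSON body, DELETE included, would also help, since some servers and proxies drop or reject bodies on DELETE.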
@@ -412,9 +412,9 @@ func (c *Client) put(base string, args interface{}, rtype 
ResponseType) (*Respon
return nil, err
}
 
-   shared.LogDebugf("Putting %s to %s", buf.String(), uri)
+   shared.LogDebugf("%s %s to %s", method, buf.String(), uri)
 
-   req, err := http.NewRequest("PUT", uri, )
+   req, err := http.NewRequest(method, uri, )
if err != nil {
return nil, err
}
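Review bot: the debug line now logs the full encoded request body for every method; if any request bodies carry secrets (LXD's certificate trust password sent on POST is one candidate), they end up in the debug log. The previous code had the same exposure for PUT, but since the log call is being touched, consider logging only the method and URI, or the body length.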
@@ -429,30 +429,20 @@ func (c *Client) put(base string, args interface{}, rtype 
ResponseType) (*Respon
return HoistResponse(resp, rtype)
 }
 
-func (c *Client) post(base string, args interface{}, rtype ResponseType) 
(*Response, error) {
-   uri := c.url(shared.APIVersion, base)
-
-   buf := bytes.Buffer{}
-   err := json.NewEncoder().Encode(args)
-   if err != nil {
-   return nil, err
-   }
-
-   shared.LogDebugf("Posting %s to %s", buf.String(), uri)
+func (c *Client) put(base string, args interface{}, rtype ResponseType) 
(*Response, error) {
+   return c.doUpdateMethod("PUT", base, args, rtype)
+}
 
-   req, err := http.NewRequest("POST", uri, )
-   if err != nil {
-   return nil, err
-   }
-   req.Header.Set("User-Agent", shared.UserAgent)
-   req.Header.Set("Content-Type", "application/json")
+func (c *Client) patch(base string, args interface{}, rtype ResponseType) 
(*Response, error) {
+   return c.doUpdateMethod("PATCH", base, args, rtype)
+}
 
-   resp, err := c.Http.Do(req)
-   if err != nil {
-   return nil, err
-   }
+func (c *Client) post(base string, args interface{}, rtype ResponseType) 
(*Response, error) {
+   return c.doUpdateMethod("POST", base, args, rtype)
+}
 
-   return HoistResponse(resp, rtype)
+func (c *Client) delete(base string, args interface{}, rtype ResponseType) 
(*Response, error) {
+   return c.doUpdateMethod("DELETE", base, args, rtype)
 }
 
 func (c *Client) getRaw(uri string) (*http.Response, error) {
@@ -479,32 +469,6 @@ func (c *Client) getRaw(uri string) (*http.Response, 
error) {
return raw, nil
 }
 
-func (c *Client) delete(base string, args interface{}, rtype ResponseType) 
(*Response, error) {
-   uri := c.url(shared.APIVersion, base)
-
-   buf := bytes.Buffer{}
-   err := json.NewEncoder().Encode(args)
-   if err != nil {
-   return nil, err
-   }
-
-   shared.LogDebugf("Deleting %s to %s", buf.String(), uri)
-
-   req, err := http.NewRequest("DELETE", uri, )
-   if err != nil {
-   return nil, err
-   }
-   req.Header.Set("User-Agent", shared.UserAgent)
-   req.Header.Set("Content-Type", "application/json")
-
-   resp, err := c.Http.Do(req)
-   if err != nil {
-   return nil, err
-   }
-
-   return HoistResponse(resp, rtype)
-}
-
 func (c *Client) Websocket(operation string, secret string) (*websocket.Conn, 
error) {
query := url.Values{"secret": []string{secret}}
url := c.BaseWSURL + path.Join(operation, "websocket") + "?" + 
query.Encode()

From c07feceae7b28c386c1e8393c6f40f6062a05cd5 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Fri, 2 Dec 2016 12:24:40 -0700
Subject: [PATCH 2/5] add some extra response types

Signed-off-by: Tycho Andersen 
---
 lxd/response.go | 23 +++
 1 file changed, 23 insertions(+)

diff --git a/lxd/response.go b/lxd/response.go
index 1116857..235dd3b 100644
--- a/lxd/response.go
+++ b/lxd/response.go
@@ -292,6 +292,29 @@ func PreconditionFailed(err error) Response {

[lxc-devel] [lxd/master] disable insecure TLS in CA mode

2016-12-02 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2679

=== Description (from pull-request) ===
I'm not sure if this actually matters or not, but it's implementation
dependent and might matter.

Signed-off-by: Tycho Andersen 
From 984f3ecd397bd1e03f2b277f0169bb8c9b3d659b Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Fri, 2 Dec 2016 19:44:45 +
Subject: [PATCH] disable insecure TLS in CA mode

I'm not sure if this actually matters or not, but it's implementation
dependent and might matter.

Signed-off-by: Tycho Andersen 
---
 lxd/daemon.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lxd/daemon.go b/lxd/daemon.go
index f0debc8..b739e72 100644
--- a/lxd/daemon.go
+++ b/lxd/daemon.go
@@ -899,6 +899,7 @@ func (d *Daemon) Init() error {
caPool.AddCert(ca)
tlsConfig.RootCAs = caPool
tlsConfig.ClientCAs = caPool
+   tlsConfig.InsecureSkipVerify = false
 
shared.LogInfof("LXD is in CA mode, only CA-signed 
certificates will be allowed")
}
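Review bot: `InsecureSkipVerify` only affects how a `tls.Config` used on the client side verifies the server it connects to; on the server side, whether `ClientCAs` is enforced against connecting clients depends entirely on `ClientAuth` being `tls.RequireAndVerifyClientCert`, which this hunk does not show. Setting the field to `false` is harmless (it is already the zero value), but the commit message's "might matter" is best resolved by checking where `tlsConfig` is consumed: if it is also handed to outbound clients, the explicit `false` is reasonable belt-and-braces; if it is server-only, the line is a no-op and the real check is `ClientAuth`.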

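As an added example written for this page (not code from LXD), the following Go program shows where the security decision in a CA-mode server config actually lives: `ClientCAs` is only consulted when `ClientAuth` is `tls.RequireAndVerifyClientCert`, and `InsecureSkipVerify` only governs a client's verification of the server it dialled. The certificates, the name `lxd.test`, the in-memory pipe and the function names `issue`, `serverConfig` and `handshake` are all constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// issue creates a short-lived P-256 certificate for cn: self-signed when
// parent is nil (the CA, and the rogue client), CA-signed otherwise.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		DNSNames:              []string{"lxd.test"}, // constructed name for the demo
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, key
}

// serverConfig is the server half of CA mode. ClientCAs on its own is inert:
// the pool is only consulted when ClientAuth demands a verified client cert.
func serverConfig(cert tls.Certificate, ca *x509.Certificate, strict bool) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	cfg := &tls.Config{
		Certificates:           []tls.Certificate{cert},
		ClientCAs:              pool,
		MinVersion:             tls.VersionTLS12,
		SessionTicketsDisabled: true, // resumption is irrelevant here
	}
	if strict {
		cfg.ClientAuth = tls.RequireAndVerifyClientCert // the line that makes ClientCAs matter
	}
	return cfg
}

// handshake runs one TLS handshake over an in-memory pipe and returns the
// server's verdict on the client (nil: accepted); the client verifies the server against ca.
func handshake(srv *tls.Config, client tls.Certificate, ca *x509.Certificate) error {
	serverEnd, clientEnd := net.Pipe()
	defer serverEnd.Close()
	defer clientEnd.Close()
	serverEnd.SetDeadline(time.Now().Add(10 * time.Second)) // never hang on a bug
	clientEnd.SetDeadline(time.Now().Add(10 * time.Second))
	verdict := make(chan error, 1)
	go func() { verdict <- tls.Server(serverEnd, srv).Handshake() }()
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	cli := tls.Client(clientEnd, &tls.Config{
		Certificates: []tls.Certificate{client},
		RootCAs:      pool,
		ServerName:   "lxd.test",
		MinVersion:   tls.VersionTLS12,
	})
	if err := cli.Handshake(); err != nil {
		return err
	}
	// net.Pipe is unbuffered: keep reading so a bad_certificate alert from
	// the server can actually be written, otherwise its Handshake would block.
	go io.Copy(io.Discard, cli)
	return <-verdict
}

func main() {
	_, caCert, caKey := issue("test CA", true, nil, nil)
	server, _, _ := issue("lxd.test", false, caCert, caKey)
	trusted, _, _ := issue("trusted client", false, caCert, caKey)
	rogue, _, _ := issue("rogue client", false, nil, nil) // self-signed, never seen by the CA
	fmt.Println("strict, CA-signed client:  ", handshake(serverConfig(server, caCert, true), trusted, caCert))
	fmt.Println("strict, self-signed client:", handshake(serverConfig(server, caCert, true), rogue, caCert))
	fmt.Println("no ClientAuth, self-signed:", handshake(serverConfig(server, caCert, false), rogue, caCert))
}
```

The first two lines of output show the CA pool doing its job only under `RequireAndVerifyClientCert`; the third shows the same pool being ignored when `ClientAuth` is left at its zero value, which is the check worth making wherever the `tlsConfig` from this patch is consumed.
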

[lxc-devel] [lxd/master] save slurp file after a snapshot is created

2016-11-29 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2665

=== Description (from pull-request) ===
Otherwise, we won't have this snapshot in the list of snapshots in the
slurp file, and we'll miss it.

Signed-off-by: Tycho Andersen 
From 62d91d84732a94ff48e24c73172ea4e31cb751c0 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Tue, 29 Nov 2016 16:32:58 +
Subject: [PATCH] save slurp file after a snapshot is created

Otherwise, we won't have this snapshot in the list of snapshots in the
slurp file, and we'll miss it.

Signed-off-by: Tycho Andersen 
---
 lxd/container.go | 6 ++
 test/suites/migration.sh | 1 +
 2 files changed, 7 insertions(+)

diff --git a/lxd/container.go b/lxd/container.go
index 8c8170f..373b1bd 100644
--- a/lxd/container.go
+++ b/lxd/container.go
@@ -566,6 +566,12 @@ func containerCreateAsSnapshot(d *Daemon, args 
containerArgs, sourceContainer co
return nil, err
}
 
+   err = writeSlurpFile(sourceContainer)
+   if err != nil {
+   c.Delete()
+   return nil, err
+   }
+
// Once we're done, remove the state directory
if args.Stateful {
os.RemoveAll(sourceContainer.StatePath())
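Review bot: on the error path `c.Delete()` is called and its return value dropped; if deleting the half-created snapshot fails, the caller only learns about the `writeSlurpFile` failure and a stray snapshot is left on disk. Log the `Delete` error (or fold both into the returned error), and wrap the `writeSlurpFile` error with context so the operator can tell which step failed.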
diff --git a/test/suites/migration.sh b/test/suites/migration.sh
index a3bf48f..fcbf75d 100644
--- a/test/suites/migration.sh
+++ b/test/suites/migration.sh
@@ -26,6 +26,7 @@ test_migration() {
 lxc_remote init testimage backup
 lxc_remote snapshot backup
 sqlite3 "${LXD_DIR}/lxd.db" "DELETE FROM containers WHERE name='backup'"
+sqlite3 "${LXD_DIR}/lxd.db" "DELETE FROM containers WHERE 
name='backup/snap0'"
 lxd import backup
 lxc_remote info backup | grep snap0
   fi


[lxc-devel] [lxd/master] Slurp file

2016-11-28 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2662

=== Description (from pull-request) ===

From cf02ecaead9b1ce288ec3a8c7861c51258e96020 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Mon, 28 Nov 2016 09:04:23 -0700
Subject: [PATCH 1/3] Change ContainerStart to take the name and path to start

Instead of taking the container and computing the name and path, let's just
take the name and path themselves. We'll use this in the next patch to
start the storage for a container that we haven't created in memory or in
the database yet, when we're reading its slurp file.

Signed-off-by: Tycho Andersen 
---
 lxd/container_lxc.go |  4 ++--
 lxd/storage.go   | 16 
 lxd/storage_btrfs.go |  4 ++--
 lxd/storage_dir.go   |  4 ++--
 lxd/storage_lvm.go   | 20 ++--
 lxd/storage_test.go  |  4 ++--
 lxd/storage_zfs.go   |  6 +++---
 7 files changed, 29 insertions(+), 29 deletions(-)

diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index 82a91d3..8419cb6 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
@@ -4663,7 +4663,7 @@ func (c *containerLXC) StorageStart() error {
return c.storage.ContainerSnapshotStart(c)
}
 
-   return c.storage.ContainerStart(c)
+   return c.storage.ContainerStart(c.Name(), c.Path())
 }
 
 func (c *containerLXC) StorageStop() error {
@@ -4671,7 +4671,7 @@ func (c *containerLXC) StorageStop() error {
return c.storage.ContainerSnapshotStop(c)
}
 
-   return c.storage.ContainerStop(c)
+   return c.storage.ContainerStop(c.Name(), c.Path())
 }
 
 // Mount handling
diff --git a/lxd/storage.go b/lxd/storage.go
index a41ca1b..2ae706d 100644
--- a/lxd/storage.go
+++ b/lxd/storage.go
@@ -149,8 +149,8 @@ type storage interface {
ContainerCanRestore(container container, sourceContainer container) 
error
ContainerDelete(container container) error
ContainerCopy(container container, sourceContainer container) error
-   ContainerStart(container container) error
-   ContainerStop(container container) error
+   ContainerStart(name string, path string) error
+   ContainerStop(name string, path string) error
ContainerRename(container container, newName string) error
ContainerRestore(container container, sourceContainer container) error
ContainerSetQuota(container container, size int64) error
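Review bot: changing `ContainerStart`/`ContainerStop` to `(name, path string)` removes the type that tied the two values together, so nothing stops a caller from passing a path that does not belong to `name`. Add a doc comment on the interface stating that `path` must be the container's root path as returned by `Path()`, and consider whether the snapshot variants a few lines above should take the same shape for consistency.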
@@ -431,14 +431,14 @@ func (lw *storageLogWrapper) ContainerCopy(
return lw.w.ContainerCopy(container, sourceContainer)
 }
 
-func (lw *storageLogWrapper) ContainerStart(container container) error {
-   lw.log.Debug("ContainerStart", log.Ctx{"container": container.Name()})
-   return lw.w.ContainerStart(container)
+func (lw *storageLogWrapper) ContainerStart(name string, path string) error {
+   lw.log.Debug("ContainerStart", log.Ctx{"container": name})
+   return lw.w.ContainerStart(name, path)
 }
 
-func (lw *storageLogWrapper) ContainerStop(container container) error {
-   lw.log.Debug("ContainerStop", log.Ctx{"container": container.Name()})
-   return lw.w.ContainerStop(container)
+func (lw *storageLogWrapper) ContainerStop(name string, path string) error {
+   lw.log.Debug("ContainerStop", log.Ctx{"container": name})
+   return lw.w.ContainerStop(name, path)
 }
 
 func (lw *storageLogWrapper) ContainerRename(
diff --git a/lxd/storage_btrfs.go b/lxd/storage_btrfs.go
index 4a8d63f..cf70b21 100644
--- a/lxd/storage_btrfs.go
+++ b/lxd/storage_btrfs.go
@@ -172,11 +172,11 @@ func (s *storageBtrfs) ContainerCopy(container container, 
sourceContainer contai
return container.TemplateApply("copy")
 }
 
-func (s *storageBtrfs) ContainerStart(container container) error {
+func (s *storageBtrfs) ContainerStart(name string, path string) error {
return nil
 }
 
-func (s *storageBtrfs) ContainerStop(container container) error {
+func (s *storageBtrfs) ContainerStop(name string, path string) error {
return nil
 }
 
diff --git a/lxd/storage_dir.go b/lxd/storage_dir.go
index 18f4985..5adcd45 100644
--- a/lxd/storage_dir.go
+++ b/lxd/storage_dir.go
@@ -123,11 +123,11 @@ func (s *storageDir) ContainerCopy(
return container.TemplateApply("copy")
 }
 
-func (s *storageDir) ContainerStart(container container) error {
+func (s *storageDir) ContainerStart(name string, path string) error {
return nil
 }
 
-func (s *storageDir) ContainerStop(container container) error {
+func (s *storageDir) ContainerStop(name string, path string) error {
return nil
 }
 
diff --git a/lxd/storage_lvm.go b/lxd/storage_lvm.go
index 3e9404d..a3bc02f 100644
--- a/lxd/storage_lvm.go
+++ b/lxd/storage_lvm.go
@@ -404,7 +404,7 @@ func (s 

[lxc-devel] [lxd/master] actually surface the last used update error

2016-11-15 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2615

=== Description (from pull-request) ===
Signed-off-by: Tycho Andersen 
From f7b55179e6799507a4a92c926767cfd6db461fdd Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Tue, 15 Nov 2016 11:26:11 -0700
Subject: [PATCH] actually surface the last used update error

Signed-off-by: Tycho Andersen 
---
 lxd/container_lxc.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index fec0f2e..d178fdb 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
@@ -1470,7 +1470,7 @@ func (c *containerLXC) startCommon() (string, error) {
// Update time container was last started
err = dbContainerLastUsedUpdate(c.daemon.db, c.id, time.Now().UTC())
if err != nil {
-   fmt.Printf("Error updating last used: %v", err)
+   return "", fmt.Errorf("Error updating last used: %v", err)
}
 
return configPath, nil
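Review bot: turning this into a hard failure means a transient database write error now aborts the start after `startCommon` has already created devices and written the config; check that the callers unwind that state on this error path, otherwise a failed `dbContainerLastUsedUpdate` leaves devices in place with the container stopped. If updating a timestamp should not block a start, logging through the daemon logger (rather than the old `fmt.Printf` to stdout) and continuing may be the better behaviour.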


[lxc-devel] [lxc/master] c/r: check state before doing a checkpoint/restore

2016-11-03 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/1274

=== Description (from pull-request) ===
This would already fail, but with a not-as-good error message. Let's make
the error better.

Signed-off-by: Tycho Andersen 
From 7ad13c91236f5af2a57fd583ffbf3d39eb4b7bde Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Thu, 3 Nov 2016 12:01:09 -0600
Subject: [PATCH] c/r: check state before doing a checkpoint/restore

This would already fail, but with a not-as-good error message. Let's make
the error better.

Signed-off-by: Tycho Andersen 
---
 src/lxc/lxccontainer.c | 12 
 1 file changed, 12 insertions(+)

diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
index a1c94a1..3a9e1e3 100644
--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -3994,12 +3994,24 @@ static int do_lxcapi_migrate(struct lxc_container *c, 
unsigned int cmd,
 
switch (cmd) {
case MIGRATE_PRE_DUMP:
+   if (!do_lxcapi_is_running(c)) {
+   ERROR("container is not running");
+   return false;
+   }
ret = !__criu_pre_dump(c, valid_opts);
break;
case MIGRATE_DUMP:
+   if (!do_lxcapi_is_running(c)) {
+   ERROR("container is not running");
+   return false;
+   }
ret = !__criu_dump(c, valid_opts);
break;
case MIGRATE_RESTORE:
+   if (do_lxcapi_is_running(c)) {
+   ERROR("container is already running");
+   return false;
+   }
ret = !__criu_restore(c, valid_opts);
break;
default:
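Review bot: `do_lxcapi_migrate` returns `int`, and the success paths set `ret = !__criu_pre_dump(...)` (likewise for dump and restore), so 0 means success here; the new `return false` statements therefore return 0 and report a not-running (or already-running) container as a successful checkpoint or restore. Return a non-zero error value such as `-1`, or set `ret` and `break`, instead.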


[lxc-devel] [go-lxc/v2] c/r: make sure container is running before doing a dump

2016-11-03 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/go-lxc/pull/70

=== Description (from pull-request) ===
Signed-off-by: Tycho Andersen 
From 0800e17ae9b3ada734eba5ba009d2123dcd06d37 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Thu, 3 Nov 2016 17:24:08 +
Subject: [PATCH] c/r: make sure container is running before doing a dump

Signed-off-by: Tycho Andersen 
---
 container.go | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/container.go b/container.go
index d44315a..e794252 100644
--- a/container.go
+++ b/container.go
@@ -1556,6 +1556,13 @@ func (c *Container) Migrate(cmd uint, opts 
MigrateOptions) error {
return err
}
 
+   if (cmd != MIGRATE_RESTORE) {
+   if err := c.makeSure(isRunning); err != nil {
+   return err
+   }
+   }
+
+
cdirectory := C.CString(opts.Directory)
defer C.free(unsafe.Pointer(cdirectory))
 
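Review bot: the parentheses in `if (cmd != MIGRATE_RESTORE)` and the doubled blank line are not gofmt-clean. More importantly, the LXC-side change this mirrors also rejects `MIGRATE_RESTORE` when the container is already running; adding the inverse check here (a not-running requirement for restore) would keep the two APIs consistent and give Go callers the same early, readable error.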


[lxc-devel] [lxc/master] c/r: save dump stdout too

2016-11-02 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/1270

=== Description (from pull-request) ===

From 5af85cb1447fec6f05513c0e34991ccd0f5a6560 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Tue, 1 Nov 2016 17:07:26 -0600
Subject: [PATCH 1/2] c/r: save criu's stdout during dump too

This also allows us to commonize some bits of the dup2 code.

Signed-off-by: Tycho Andersen 
---
 src/lxc/criu.c | 76 +-
 1 file changed, 60 insertions(+), 16 deletions(-)

diff --git a/src/lxc/criu.c b/src/lxc/criu.c
index 867139b..f49968b 100644
--- a/src/lxc/criu.c
+++ b/src/lxc/criu.c
@@ -62,6 +62,9 @@
 lxc_log_define(lxc_criu, lxc);
 
 struct criu_opts {
+   /* the thing to hook to stdout and stderr for logging */
+   int pipefd;
+
/* The type of criu invocation, one of "dump" or "restore" */
char *action;
 
@@ -134,6 +137,7 @@ static void exec_criu(struct criu_opts *opts)
 
char buf[4096], tty_info[32];
size_t pos;
+
/* If we are currently in a cgroup /foo/bar, and the container is in a
 * cgroup /lxc/foo, lxcfs will give us an ENOENT if some task in the
 * container has an open fd that points to one of the cgroup files
@@ -541,6 +545,21 @@ static void exec_criu(struct criu_opts *opts)
 
INFO("execing: %s", buf);
 
+   /* before criu inits its log, it sometimes prints things to stdout/err;
+* let's be sure we capture that.
+*/
+   if (dup2(opts->pipefd, STDOUT_FILENO) < 0) {
+   SYSERROR("dup2 stdout failed");
+   goto err;
+   }
+
+   if (dup2(opts->pipefd, STDERR_FILENO) < 0) {
+   SYSERROR("dup2 stderr failed");
+   goto err;
+   }
+
+   close(opts->pipefd);
+
 #undef DECLARE_ARG
execv(argv[0], argv);
 err:
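Review bot: `close(opts->pipefd)` after the two `dup2` calls is wrong if `pipefd` happens to equal `STDOUT_FILENO` or `STDERR_FILENO`, which is possible when the daemon runs with fds 0-2 closed, since `pipe()` hands out the lowest free descriptors: `dup2(fd, fd)` is a no-op and the `close` then drops the just-installed stdout or stderr. Guard it with `if (opts->pipefd > STDERR_FILENO)`. Also, once stderr points at the pipe, the `SYSERROR` for a failed second `dup2` goes into the pipe rather than the log, which is fine only as long as the parent reads and reports it.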
@@ -781,15 +800,6 @@ static void do_restore(struct lxc_container *c, int 
status_pipe, struct migrate_
 
close(pipes[0]);
pipes[0] = -1;
-   if (dup2(pipes[1], STDERR_FILENO) < 0) {
-   SYSERROR("dup2 failed");
-   goto out_fini_handler;
-   }
-
-   if (dup2(pipes[1], STDOUT_FILENO) < 0) {
-   SYSERROR("dup2 failed");
-   goto out_fini_handler;
-   }
 
if (unshare(CLONE_NEWNS))
goto out_fini_handler;
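Review bot: previously stdout and stderr were redirected before `unshare(CLONE_NEWNS)` and the rest of the restore child's setup; after this hunk the redirection happens only inside `exec_criu`, so diagnostics from the steps between here and the exec (the `unshare` above, the mount setup) no longer reach the pipe the parent reads. If that output matters for restore failure reporting, keep an early `dup2` here as well, or say in the commit message that the change is intended.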
@@ -816,6 +826,7 @@ static void do_restore(struct lxc_container *c, int 
status_pipe, struct migrate_
}
}
 
+   os.pipefd = pipes[1];
os.action = "restore";
os.user = opts;
os.c = c;
@@ -1013,29 +1024,38 @@ static bool do_dump(struct lxc_container *c, char 
*mode, struct migrate_opts *op
 {
pid_t pid;
char *criu_version = NULL;
+   int criuout[2];
 
if (!criu_ok(c, _version))
return false;
 
-   if (mkdir_p(opts->directory, 0700) < 0)
+   if (pipe(criuout) < 0) {
+   SYSERROR("pipe() failed");
return false;
+   }
+
+   if (mkdir_p(opts->directory, 0700) < 0)
+   goto fail;
 
pid = fork();
if (pid < 0) {
SYSERROR("fork failed");
-   return false;
+   goto fail;
}
 
if (pid == 0) {
struct criu_opts os;
struct lxc_handler h;
 
+   close(criuout[0]);
+
h.name = c->name;
if (!cgroup_init()) {
ERROR("failed to cgroup_init()");
exit(1);
}
 
+   os.pipefd = criuout[1];
os.action = mode;
os.user = opts;
os.c = c;
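Review bot: the `fail` label that the new `goto fail` statements jump to is outside this hunk; make sure it closes both `criuout[0]` and `criuout[1]`, since `mkdir_p` and `fork` failures now happen with the pipe open. In the child, `exit(1)` after a failed `cgroup_init()` is fine, but consider writing the error message to `criuout[1]` first so the parent can surface it the same way as criu's own output.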
@@ -1050,27 +1070,51 @@ static bool do_dump(struct lxc_container *c, char 
*mode, struct migrate_opts *op
exit(1);
} else {
int status;
+   ssize_t n;
+   char buf[4096];
+   bool ret;
+
+   close(criuout[1]);
+
pid_t w = waitpid(pid, , 0);
if (w == -1) {
SYSERROR("waitpid");
+   close(criuout[0]);
return false;
}
 
+   n = read(criuout[0], buf, sizeof(buf));
+   close(criuout[0]);
+   if (n < 0) {
+   SYSERROR("read");
+   n = 0;
+   }
+   buf[n] = 0;
+
if (WIFEXITED(status)) {
if (WEXITSTATUS(status)) {

[lxc-devel] [lxc/master] Do mount rewriting

2016-10-31 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/1266

=== Description (from pull-request) ===

From 5f4e44a22df60c25005c95b9326fd989efd80569 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Mon, 31 Oct 2016 10:07:25 -0600
Subject: [PATCH 1/2] c/r: explicitly emit bind mounts as criu arguments

We switched to --ext-mount-map auto because of "system" (liblxc) added
mounts like the cgmanager socket that weren't in the config file. This had
the added advantage that we could drop all the mount processing code,
because we no longer needed an --ext-mount-map argument.

The problem here is that mounts can move between hosts. While
--ext-mount-map auto does its best to detect this situation, it explicitly
disallows moves that change the path name. In LXD, we bind mount
/var/lib/lxd/shmounts/$container to /dev/.lxd-mounts for each container,
and so when a container is renamed in a migration, the name changes.
--ext-mount-map auto won't detect this, and so the migration fails.

We *could* implement mount rewriting in CRIU, but my experience with cgroup
and apparmor rewriting is that this is painful and error prone. Instead, it
is much easier to go back to explicitly listing --ext-mount-map arguments
from the config file, and allow the source of the bind to change. We leave
--ext-mount-map auto to catch any straggling (or future) system added
mounts.

I believe this should fix Launchpad Bug 1580765

Signed-off-by: Tycho Andersen 
---
 src/lxc/criu.c | 40 
 1 file changed, 40 insertions(+)

diff --git a/src/lxc/criu.c b/src/lxc/criu.c
index 0940967..867139b 100644
--- a/src/lxc/criu.c
+++ b/src/lxc/criu.c
@@ -46,6 +46,12 @@
 #include "network.h"
 #include "utils.h"
 
+#if IS_BIONIC
+#include <../include/lxcmntent.h>
+#else
+#include 
+#endif
+
 #define CRIU_VERSION   "2.0"
 
 #define CRIU_GITID_VERSION "2.0"
@@ -123,6 +129,8 @@ static void exec_criu(struct criu_opts *opts)
int static_args = 23, argc = 0, i, ret;
int netnr = 0;
struct lxc_list *it;
+   FILE *mnts;
+   struct mntent mntent;
 
char buf[4096], tty_info[32];
size_t pos;
@@ -200,6 +208,8 @@ static void exec_criu(struct criu_opts *opts)
if (opts->user->action_script)
static_args += 2;
 
+   static_args += 2 * lxc_list_len(>c->lxc_conf->mount_list);
+
ret = snprintf(log, PATH_MAX, "%s/%s.log", opts->user->directory, 
opts->action);
if (ret < 0 || ret >= PATH_MAX) {
ERROR("logfile name too long\n");
@@ -315,6 +325,36 @@ static void exec_criu(struct criu_opts *opts)
DECLARE_ARG(opts->user->action_script);
}
 
+   mnts = write_mount_file(>c->lxc_conf->mount_list);
+   if (!mnts)
+   goto err;
+
+   while (getmntent_r(mnts, , buf, sizeof(buf))) {
+   char *fmt, *key, *val;
+   char arg[2 * PATH_MAX + 2];
+
+   if (strcmp(opts->action, "dump") == 0) {
+   fmt = "/%s:%s";
+   key = mntent.mnt_dir;
+   val = mntent.mnt_dir;
+   } else {
+   fmt = "%s:%s";
+   key = mntent.mnt_dir;
+   val = mntent.mnt_fsname;
+   }
+
+   ret = snprintf(arg, sizeof(arg), fmt, key, val);
+   if (ret < 0 || ret >= sizeof(arg)) {
+   fclose(mnts);
+   ERROR("snprintf failed");
+   goto err;
+   }
+
+   DECLARE_ARG("--ext-mount-map");
+   DECLARE_ARG(arg);
+   }
+   fclose(mnts);
+
if (strcmp(opts->action, "dump") == 0 || strcmp(opts->action, 
"pre-dump") == 0) {
char pid[32], *freezer_relative;
 
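Review bot: the asymmetry between the dump format `"/%s:%s"` (key: mount point inside the container, value: tag) and the restore format `"%s:%s"` (key: tag, value: new host source) is correct CRIU usage but far from obvious; a comment spelling out that `mnt_dir` doubles as the tag on both sides would save the next reader a trip to the CRIU docs. Two smaller points: an `mnt_dir` that already starts with `/` produces a `//...` key on dump, so normalise the leading slash; and `buf` is reused here as the `getmntent_r` scratch buffer, which is safe only because the `execing: %s` line that also uses `buf` is built afterwards.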

From ed408e6674bd5372d6213c5d672422bf4d2862a7 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Mon, 31 Oct 2016 19:48:38 +
Subject: [PATCH 2/2] log: bump LXC_LOG_BUFFER_SIZE to 4096

We need to log longer lines due to CRIU arguments.

Signed-off-by: Tycho Andersen 
---
 src/lxc/log.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/lxc/log.h b/src/lxc/log.h
index 7a36600..3c0bbaa 100644
--- a/src/lxc/log.h
+++ b/src/lxc/log.h
@@ -46,7 +46,7 @@
 #endif
 
 #define LXC_LOG_PREFIX_SIZE32
-#define LXC_LOG_BUFFER_SIZE1024
+#define LXC_LOG_BUFFER_SIZE4096
 
 /* This attribute is required to silence clang warnings */
 #if defined(__GNUC__)


[lxc-devel] [lxd/master] correctly set liblxc loglevel to debug when in --debug mode

2016-10-31 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2585

=== Description (from pull-request) ===
Signed-off-by: Tycho Andersen 
From a79e8ad5c4d107763d84e551d7c99799262b0ff8 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Mon, 31 Oct 2016 19:44:05 +
Subject: [PATCH] correctly set liblxc loglevel to debug when in --debug mode

Signed-off-by: Tycho Andersen 
---
 lxd/container_lxc.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index 640618e..1917180 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
@@ -537,6 +537,7 @@ func (c *containerLXC) initLXC() error {
 
logLevel := "warn"
if debug {
+   logLevel = "debug"
} else if verbose {
logLevel = "info"
} else {


[lxc-devel] [lxd/master] Fix random path stuff

2016-10-25 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2559

=== Description (from pull-request) ===

From 6f0d82f7209a5ce4cd533d1dc4c2d7574d8a717a Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Tue, 25 Oct 2016 15:00:43 -0600
Subject: [PATCH 1/2] client: fix mkdir -p /

Signed-off-by: Tycho Andersen 
---
 client.go | 5 +
 1 file changed, 5 insertions(+)

diff --git a/client.go b/client.go
index 4309cb6..49fa8e3 100644
--- a/client.go
+++ b/client.go
@@ -1836,6 +1836,11 @@ func (c *Client) MkdirP(container string, p string, mode 
os.FileMode) error {
return fmt.Errorf("This function isn't supported by public 
remotes.")
}
 
+   /* special case, every container has a /, we don't need to do anything 
*/
+   if p == "/" {
+   return nil
+   }
+
parts := strings.Split(p, "/")
i := len(parts)
 
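Review bot: the special case compares `p` verbatim, so `//`, `/.` or `/./` still fall through to `strings.Split` and produce empty path components; since `MkdirP` is a library entry point that other callers may reach without the client-side normalisation added in the second patch, run `p = path.Clean(p)` first and then test for `/`.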

From 570d4de1803a125f4b818404374730660b71ae06 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Tue, 25 Oct 2016 15:02:11 -0600
Subject: [PATCH 2/2] lxc file: normalize paths before sending them to the
 server

Note that we don't need to normalize the path on file pull, because LXD
will tell us whether it's a file or directory.

Closes #2557

Signed-off-by: Tycho Andersen 
---
 lxc/file.go  | 11 +++
 test/suites/filemanip.sh |  3 +++
 2 files changed, 14 insertions(+)

diff --git a/lxc/file.go b/lxc/file.go
index cd00d55..f610f5f 100644
--- a/lxc/file.go
+++ b/lxc/file.go
@@ -74,6 +74,17 @@ func (c *fileCmd) push(config *lxd.Config, send_file_perms 
bool, args []string)
return fmt.Errorf(i18n.G("Invalid target %s"), target)
}
 
+   /* Fix up the path. Let's:
+* 1. re-add the leading / that got stripped from the SplitN
+* 2. clean it and remove any /./, /../, /, etc.
+* 3. keep the trailing slash if it had one, since we use it via
+*filepath.Split below
+*/
+   pathSpec[1] = filepath.Clean("/" + pathSpec[1])
+   if target[len(target)-1] == '/' {
+   pathSpec[1] = pathSpec[1] + "/"
+   }
+
targetPath := pathSpec[1]
remote, container := config.ParseRemoteAndContainer(pathSpec[0])
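Review bot: `filepath.Clean` is OS-dependent, so on a Windows client `filepath.Clean("/" + pathSpec[1])` produces a backslash path while the target inside the container is always POSIX; use `path.Clean` for the container-side path (and `path.Split` for the later split the comment mentions, for the same reason). Also, `target[len(target)-1]` panics on an empty target unless the `Invalid target` check above already rejects empty strings; a `len(target) > 0 &&` guard makes that explicit.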
 
diff --git a/test/suites/filemanip.sh b/test/suites/filemanip.sh
index d59d08c..64503a6 100644
--- a/test/suites/filemanip.sh
+++ b/test/suites/filemanip.sh
@@ -40,5 +40,8 @@ test_filemanip() {
   lxc file pull filemanip/tmp/this/is/a/nonexistent/directory/foo "${TEST_DIR}"
   [ "$(cat "${TEST_DIR}"/foo)" = "foo" ]
 
+  lxc file push -p "${TEST_DIR}"/source/foo filemanip/.
+  [ "$(lxc exec filemanip cat /foo)" = "foo" ]
+
   lxc delete filemanip -f
 }
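Review bot: the new test only exercises `filemanip/.`; since the change also claims to normalize `..`, repeated slashes and trailing slashes, add a case for each (for instance a push to `filemanip//tmp/../foo/`) so the trailing-slash handling that feeds `filepath.Split` is covered too.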
___
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel


[lxc-devel] [lxd/master] migration: start migration storage at the right time

2016-10-24 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2553

This e-mail was sent by the LXC bot, direct replies will not reach the author
unless they happen to be subscribed to this list.

=== Description (from pull-request) ===
In particular: the migration storage might have been in use after a
migration, so it's not safe to stop it like we were before (presumably it
was giving EBUSY, but since we didn't check the return code it was ok).

Instead, let's only start it before we need it, and stop it when we're
done. The OnStart hook will start the storage again if it is needed by the
actual container, so we don't need to take care of that.

Closes #2505

Signed-off-by: Tycho Andersen 
From 38d794806a8ca781a0ed69798c8a6e9ea8ea7a70 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Mon, 24 Oct 2016 15:19:12 -0600
Subject: [PATCH] migration: start migration storage at the right time

In particular: the migration storage might have been in use after a
migration, so it's not safe to stop it like we were before (presumably it
was giving EBUSY, but since we didn't check the return code it was ok).

Instead, let's only start it before we need it, and stop it when we're
done. The OnStart hook will start the storage again if it is needed by the
actual container, so we don't need to take care of that.

Closes #2505

Signed-off-by: Tycho Andersen 
---
 lxd/containers_post.go | 6 --
 lxd/storage.go | 5 +
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/lxd/containers_post.go b/lxd/containers_post.go
index 9b2d523..659de32 100644
--- a/lxd/containers_post.go
+++ b/lxd/containers_post.go
@@ -293,20 +293,14 @@ func createFromMigration(d *Daemon, req 
*containerPostReq) Response {
}
 
run := func(op *operation) error {
-   // Start the storage for this container (LVM mount/umount)
-   c.StorageStart()
-
// And finaly run the migration.
err = sink.Do(op)
if err != nil {
-   c.StorageStop()
shared.LogError("Error during migration sink", 
log.Ctx{"err": err})
c.Delete()
return fmt.Errorf("Error transferring container data: 
%s", err)
}
 
-   defer c.StorageStop()
-
err = c.TemplateApply("copy")
if err != nil {
return err
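Review bot: removing `defer c.StorageStop()` means `c.TemplateApply("copy")` and everything after it in `run` now execute without storage started by this function, whereas the old code kept the mount up through that call. If TemplateApply needs the rootfs mounted it has to start storage itself (or the sink must not stop it in its defer). Likewise `c.Delete()` on the error path now runs after the sink's deferred StorageStop, which is probably the intent but worth stating in the commit message.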
diff --git a/lxd/storage.go b/lxd/storage.go
index 7c25bfd..5bb94dc 100644
--- a/lxd/storage.go
+++ b/lxd/storage.go
@@ -702,6 +702,11 @@ func rsyncMigrationSink(live bool, container container, 
snapshots []*Snapshot, c
return err
}
} else {
+   if err := container.StorageStart(); err != nil {
+   return err
+   }
+   defer container.StorageStop()
+
for _, snap := range snapshots {
if err := RsyncRecv(shared.AddSlash(container.Path()), 
conn); err != nil {
return err
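Review bot: `defer container.StorageStop()` discards StorageStop's return value, so the EBUSY failure the commit message mentions would still be silent here; wrap it in a closure that logs the error, e.g. `defer func() { if err := container.StorageStop(); err != nil { shared.LogError("storage stop", log.Ctx{"err": err}) } }()`. The start/stop is added only in the `else` (rsync) branch; please confirm the branch above does not also write into the container's storage and need the same.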
___
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel


[lxc-devel] [lxc/master] Use external

2016-10-24 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/1248

This e-mail was sent by the LXC bot, direct replies will not reach the author
unless they happen to be subscribed to this list.

=== Description (from pull-request) ===
FWIW, the --external flag is new as of 2.6, so I don't think any of this should be SRU'd into xenial until CRIU 2.6 is.
From 0f90d613ab0d473731e6207a651685467f30c817 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Wed, 12 Oct 2016 22:46:09 +
Subject: [PATCH 1/3] c/r: use --external instead of --veth-pair

--veth-pair has been deprecated as of 2.6, let's use the new --external
instead.

Signed-off-by: Tycho Andersen 
---
 src/lxc/criu.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/lxc/criu.c b/src/lxc/criu.c
index f228736..0b5fc09 100644
--- a/src/lxc/criu.c
+++ b/src/lxc/criu.c
@@ -452,13 +452,13 @@ static void exec_criu(struct criu_opts *opts)
veth = n->priv.veth_attr.pair;
 
if (n->link)
-   ret = snprintf(buf, sizeof(buf), "%s=%s@%s", 
eth, veth, n->link);
+   ret = snprintf(buf, sizeof(buf), 
"veth[%s]:%s@%s", eth, veth, n->link);
else
-   ret = snprintf(buf, sizeof(buf), "%s=%s", eth, 
veth);
+   ret = snprintf(buf, sizeof(buf), "veth[%s]:%s", 
eth, veth);
if (ret < 0 || ret >= sizeof(buf))
goto err;
 
-   DECLARE_ARG("--veth-pair");
+   DECLARE_ARG("--external");
DECLARE_ARG(buf);
}
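Review bot: nothing gates the new `--external veth[...]` syntax on the CRIU version, and as the description says it is new in CRIU 2.6, so an older criu will reject the option outright where `--veth-pair` used to work. Add a version check (or a fallback to `--veth-pair` below the threshold) next to this DECLARE_ARG so the failure mode is a clear error rather than a failed dump.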
 

From 2f3fbc6bf3c41942ea8fe13ba29cc040096981a8 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Wed, 12 Oct 2016 23:18:02 +
Subject: [PATCH 2/3] c/r: remember to increment netnr

We need this for calculating the name of unnamed interfaces in the config.
But we also need to remember to increment it :)

Signed-off-by: Tycho Andersen 
---
 src/lxc/criu.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/lxc/criu.c b/src/lxc/criu.c
index 0b5fc09..84d4209 100644
--- a/src/lxc/criu.c
+++ b/src/lxc/criu.c
@@ -460,6 +460,7 @@ static void exec_criu(struct criu_opts *opts)
 
DECLARE_ARG("--external");
DECLARE_ARG(buf);
+   netnr++;
}
 
}
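Review bot: `netnr++` runs only for interfaces that reach the end of the veth block, while `sprintf(eth, "eth%d", netnr)` above names unnamed interfaces by their position in the config; any interface skipped earlier (the `continue` for non-veth types in this version of the loop) leaves netnr unchanged, so the generated `ethN` name no longer matches what the container assigned. Increment netnr once per loop iteration, before any `continue`, instead.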

From e269733002642e2f5faa6aab59d3181558a74898 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Thu, 22 Sep 2016 23:13:42 +
Subject: [PATCH 3/3] c/r: add checkpoint/restore support for macvlan
 interfaces

Signed-off-by: Tycho Andersen 
---
 src/lxc/criu.c | 46 --
 1 file changed, 36 insertions(+), 10 deletions(-)

diff --git a/src/lxc/criu.c b/src/lxc/criu.c
index 84d4209..c998fe4 100644
--- a/src/lxc/criu.c
+++ b/src/lxc/criu.c
@@ -439,9 +439,6 @@ static void exec_criu(struct criu_opts *opts)
char eth[128], *veth;
struct lxc_netdev *n = it->elem;
 
-   if (n->type != LXC_NET_VETH)
-   continue;
-
if (n->name) {
if (strlen(n->name) >= sizeof(eth))
goto err;
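Review bot: with the `LXC_NET_VETH` filter removed, every network type now falls through to the name computation and into the switch below; types without checkpoint support (phys, empty, anything added later) need an explicit `default:` that skips or fails, so that no stale `buf` from a previous iteration is emitted and netnr stays consistent. The rest of the switch is cut off on this page, so please confirm it has one.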
@@ -449,14 +446,42 @@ static void exec_criu(struct criu_opts *opts)
} else
sprintf(eth, "eth%d", netnr);
 
-   veth = n->priv.veth_attr.pair;
+   switch (n->type) {
+   case LXC_NET_VETH:
+   veth = n->priv.veth_attr.pair;
 
-   if (n->link)
-   ret = snprintf(buf, sizeof(buf), 
"veth[%s]:%s@%s", eth, veth, n->link);
-   else
-   ret = snprintf(buf, sizeof(buf), "veth[%s]:%s", 
eth, veth);
-   if (ret < 0 || ret >= sizeof(buf))
+   if (n->link)
+   ret = snprintf(buf, sizeof(buf), 
"veth[%s]:%s@%s", eth, veth, n->link);
+   else
+   ret = snprintf(buf, sizeof(buf), 
"veth[%s]:%s", eth, veth);
+   if (ret < 0 || ret >= sizeof(buf))
+   goto err;
+   break;
+   case LXC_NET_MACVLAN:
+   if (n->name) {
+   if (strlen(n->name) >= sizeof(eth))
+   goto err;
+
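Review bot: the `if (n->name) { if (strlen(n->name) >= sizeof(eth)) goto err;` at the top of the `LXC_NET_MACVLAN` case repeats the check already done before the switch (visible in this hunk's leading context), where `eth` was filled in for both named and unnamed interfaces; drop the duplicate and use `eth` directly, as the veth case does.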

[lxc-devel] [lxd/master] Hook cleanup

2016-10-24 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2548

This e-mail was sent by the LXC bot, direct replies will not reach the author
unless they happen to be subscribed to this list.

=== Description (from pull-request) ===

From a03d267d38fe3c66c725ebd671d0323cc1743451 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Mon, 24 Oct 2016 18:33:32 +
Subject: [PATCH 1/2] also clean up apparmor stuff in OnStart when something
 fails

Signed-off-by: Tycho Andersen 
---
 lxd/container_lxc.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index 7170548..ff048d8 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
@@ -1569,6 +1569,7 @@ func (c *containerLXC) OnStart() error {
// Run any template that needs running
err = c.templateApplyNow(c.localConfig[key])
if err != nil {
+   AADestroy(c)
c.StorageStop()
return err
}
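Review bot: `AADestroy(c)` followed by `c.StorageStop()` is now pasted into three error paths of OnStart and its return value is dropped each time; a single deferred cleanup that runs when the function returns an error (a named `err` return or a flag) keeps the next early return from forgetting the profile unload and gives a place to log an AADestroy failure.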
@@ -1576,6 +1577,7 @@ func (c *containerLXC) OnStart() error {
// Remove the volatile key from the DB
err := dbContainerConfigRemove(c.daemon.db, c.id, key)
if err != nil {
+   AADestroy(c)
c.StorageStop()
return err
}
@@ -1583,6 +1585,7 @@ func (c *containerLXC) OnStart() error {
 
err = c.templateApplyNow("start")
if err != nil {
+   AADestroy(c)
c.StorageStop()
return err
}

From 8f5d0ef5e3ee447546f2991ba565225f7776c2dd Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Mon, 24 Oct 2016 18:38:25 +
Subject: [PATCH 2/2] log OnStart/OnStop hook errors

The problem here is that liblxc doesn't log errors in hooks, it just logs
the exit code, so if a hook fails and someone isn't running in debug mode,
we really have no way to figure out what went wrong. Let's at least log the
error that the hook gave.

Signed-off-by: Tycho Andersen 
---
 lxd/api_internal.go | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/lxd/api_internal.go b/lxd/api_internal.go
index ad32446..51c11e3 100644
--- a/lxd/api_internal.go
+++ b/lxd/api_internal.go
@@ -6,6 +6,10 @@ import (
"strconv"
 
"github.com/gorilla/mux"
+
+   "github.com/lxc/lxd/shared"
+
+   log "gopkg.in/inconshreveable/log15.v2"
 )
 
 var apiInternal = []Command{
@@ -55,6 +59,7 @@ func internalContainerOnStart(d *Daemon, r *http.Request) 
Response {
 
err = c.OnStart()
if err != nil {
+   shared.Log.Error("start hook failed", log.Ctx{"container": 
c.Name(), "err": err})
return SmartError(err)
}
 
@@ -79,6 +84,7 @@ func internalContainerOnStop(d *Daemon, r *http.Request) 
Response {
 
err = c.OnStop(target)
if err != nil {
+   shared.Log.Error("stop hook failed", log.Ctx{"container": 
c.Name(), "err": err})
return SmartError(err)
}
 
___
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel


[lxc-devel] [lxd/master] set term to "dumb" on windows

2016-10-20 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2536

This e-mail was sent by the LXC bot, direct replies will not reach the author
unless they happen to be subscribed to this list.

=== Description (from pull-request) ===
Closes #2288

Signed-off-by: Tycho Andersen 






[lxc-devel] [lxd/master] lxd netcat: remove debugging by file creation

2016-10-13 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2492

This e-mail was sent by the LXC bot, direct replies will not reach the author
unless they happen to be subscribed to this list.

=== Description (from pull-request) ===
Don't mind me, I'm a barbarian.

Signed-off-by: Tycho Andersen 
From f5e435c8a07d1ea1f96a27639732d489e69c2485 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Thu, 13 Oct 2016 17:57:13 -0600
Subject: [PATCH] lxd netcat: remove debugging by file creation

Don't mind me, I'm a barbarian.

Signed-off-by: Tycho Andersen 
---
 lxd/rsync.go | 8 
 1 file changed, 8 deletions(-)

diff --git a/lxd/rsync.go b/lxd/rsync.go
index 22f2143..6369d1c 100644
--- a/lxd/rsync.go
+++ b/lxd/rsync.go
@@ -198,22 +198,14 @@ func Netcat(args []string) error {
 
go func() {
io.Copy(os.Stdout, conn)
-   f, _ := os.Create("/tmp/done_stdout")
-   f.Close()
conn.Close()
-   f, _ = os.Create("/tmp/done_close")
-   f.Close()
wg.Done()
}()
 
go func() {
io.Copy(conn, os.Stdin)
-   f, _ := os.Create("/tmp/done_stdin")
-   f.Close()
}()
 
-   f, _ := os.Create("/tmp/done_spawning_goroutines")
-   f.Close()
wg.Wait()
 
return nil
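Review bot: good to drop these: fixed, predictable file names under /tmp written by a privileged daemon are a classic symlink hazard, and they leaked state between runs. With them gone nothing remains to say which side of the copy failed; the two `io.Copy` calls and `conn.Close()` still discard their errors and the stdin goroutine has no `wg.Done()`, so consider returning or logging the copy errors instead.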
___
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel


[lxc-devel] [lxd/master] migrate: don't use ActionScript if it's not available

2016-10-04 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2454

This e-mail was sent by the LXC bot, direct replies will not reach the author
unless they happen to be subscribed to this list.

=== Description (from pull-request) ===
Signed-off-by: Tycho Andersen 
From 0d5b05c3f501159ca4a743790564c46b5e2948a2 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Tue, 4 Oct 2016 16:35:42 +
Subject: [PATCH] migrate: don't use ActionScript if it's not available

Signed-off-by: Tycho Andersen 
---
 lxd/migrate.go | 172 +
 1 file changed, 88 insertions(+), 84 deletions(-)

diff --git a/lxd/migrate.go b/lxd/migrate.go
index 947fd1c..2a10261 100644
--- a/lxd/migrate.go
+++ b/lxd/migrate.go
@@ -386,98 +386,102 @@ func (s *migrationSourceWs) Do(migrateOp *operation) 
error {
return abort(fmt.Errorf("Formats other than criu rsync 
not understood"))
}
 
-   /* What happens below is slightly convoluted. Due to various
-* complications with networking, there's no easy way for criu
-* to exit and leave the container in a frozen state for us to
-* somehow resume later.
-*
-* Instead, we use what criu calls an "action-script", which is
-* basically a callback that lets us know when the dump is
-* done. (Unfortunately, we can't pass arguments, just an
-* executable path, so we write a custom action script with the
-* real command we want to run.)
-*
-* This script then hangs until the migration operation either
-* finishes successfully or fails, and exits 1 or 0, which
-* causes criu to either leave the container running or kill it
-* as we asked.
-*/
-   dumpDone := make(chan bool, 1)
-   actionScriptOpSecret, err := shared.RandomCryptoString()
-   if err != nil {
-   return abort(err)
-   }
-
-   actionScriptOp, err := operationCreate(
-   operationClassWebsocket,
-   nil,
-   nil,
-   func(op *operation) error {
-   _, err := migrateOp.WaitFinal(-1)
-   if err != nil {
-   return err
-   }
-
-   if migrateOp.status != shared.Success {
-   return fmt.Errorf("restore failed: %s", 
op.status.String())
-   }
-   return nil
-   },
-   nil,
-   func(op *operation, r *http.Request, w 
http.ResponseWriter) error {
-   secret := r.FormValue("secret")
-   if secret == "" {
-   return fmt.Errorf("missing secret")
-   }
-
-   if secret != actionScriptOpSecret {
-   return os.ErrPermission
-   }
-
-   c, err := shared.WebsocketUpgrader.Upgrade(w, 
r, nil)
-   if err != nil {
-   return err
-   }
-
-   dumpDone <- true
-
-   closeMsg := 
websocket.FormatCloseMessage(websocket.CloseNormalClosure, "")
-   return c.WriteMessage(websocket.CloseMessage, 
closeMsg)
-   },
-   )
-   if err != nil {
-   return abort(err)
-   }
-
checkpointDir, err := ioutil.TempDir("", "lxd_checkpoint_")
if err != nil {
return abort(err)
}
+   defer os.RemoveAll(checkpointDir)
+
+   if lxc.VersionAtLeast(2, 0, 4) {
+   /* What happens below is slightly convoluted. Due to 
various
+* complications with networking, there's no easy way 
for criu
+* to exit and leave the container in a frozen state 
for us to
+* somehow resume later.
+*
+* Instead, we use what criu calls an "action-script", 
which is
+* basically a callback that lets us know when the dump 
is
+* done. (Unfortunately, we can't pass arguments, just 
an
+* 
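Review bot: if the action-script block is being moved verbatim into the `lxc.VersionAtLeast(2, 0, 4)` branch, two things in the removed lines are worth fixing on the way: the failure message formats `op.status.String()` after testing `migrateOp.status`, so it reports the wrong operation's status, and `secret != actionScriptOpSecret` compares the websocket secret with a plain string comparison where `subtle.ConstantTimeCompare` is the usual choice. `defer os.RemoveAll(checkpointDir)` is a welcome addition, since the dump directory holds process memory images. The new branch is cut off on this page, so the rest could not be reviewed.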

[lxc-devel] [lxd/master] allow nil network config

2016-09-29 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2437

This e-mail was sent by the LXC bot, direct replies will not reach the author
unless they happen to be subscribed to this list.

=== Description (from pull-request) ===
Signed-off-by: Tycho Andersen 
From 8f856e40d65f3c3e2f60c7d945e11fcf27e7cbc3 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Thu, 29 Sep 2016 22:13:22 +
Subject: [PATCH] allow nil network config

Signed-off-by: Tycho Andersen 
---
 lxd/networks.go | 4 
 1 file changed, 4 insertions(+)

diff --git a/lxd/networks.go b/lxd/networks.go
index c27b12d..a85a0dd 100644
--- a/lxd/networks.go
+++ b/lxd/networks.go
@@ -84,6 +84,10 @@ func networksPost(d *Daemon, r *http.Request) Response {
return BadRequest(fmt.Errorf("The network already exists"))
}
 
+   if req.Config == nil {
+   req.Config = map[string]string{}
+   }
+
err = networkValidateConfig(req.Name, req.Config)
if err != nil {
return BadRequest(err)
___
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel


[lxc-devel] [lxd/master] include remote name in pretty printed error message

2016-09-19 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2400

This e-mail was sent by the LXC bot, direct replies will not reach the author
unless they happen to be subscribed to this list.

=== Description (from pull-request) ===
output now looks like:

~/packages/go/src/github.com/lxc/lxd master lxc start kernel:foo2
error: Missing parent 'lxcbr0' for nic 'eth0'
Try `lxc info --show-log kernel:foo2` for more info

Closes #1843

Signed-off-by: Tycho Andersen 
From 238822d060b6533a1adbf99901e39dd2737344ed Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Mon, 19 Sep 2016 09:57:39 -0600
Subject: [PATCH] include remote name in pretty printed error message

output now looks like:

~/packages/go/src/github.com/lxc/lxd master lxc start kernel:foo2
error: Missing parent 'lxcbr0' for nic 'eth0'
Try `lxc info --show-log kernel:foo2` for more info

Closes #1843

Signed-off-by: Tycho Andersen 
---
 lxc/launch.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lxc/launch.go b/lxc/launch.go
index c180704..f68e2c6 100644
--- a/lxc/launch.go
+++ b/lxc/launch.go
@@ -129,7 +129,7 @@ func (c *launchCmd) run(config *lxd.Config, args []string) 
error {
 
err = d.WaitForSuccess(resp.Operation)
if err != nil {
-   return fmt.Errorf("%s\n"+i18n.G("Try `lxc info --show-log %s` 
for more info"), err, name)
+   return fmt.Errorf("%s\n"+i18n.G("Try `lxc info --show-log 
%s:%s` for more info"), err, remote, name)
}
 
return nil
___
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel


[lxc-devel] [lxc/master] Cgroup root on dump

2016-09-16 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/1194

This e-mail was sent by the LXC bot, direct replies will not reach the author
unless they happen to be subscribed to this list.

=== Description (from pull-request) ===
This is a fix for one of the issues mentioned in #1156; see the 4th patch in the series for the bulk of the fix.  The CRIU commit in question went into criu-dev today, and should be in 2.7.
From 5f178bc983a7050205b0ba374163646e9e378cf6 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Mon, 12 Sep 2016 18:04:18 +
Subject: [PATCH 1/6] c/r: fix typo in comment

Signed-off-by: Tycho Andersen 
---
 src/lxc/criu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/lxc/criu.c b/src/lxc/criu.c
index 71c9b9c..2799102 100644
--- a/src/lxc/criu.c
+++ b/src/lxc/criu.c
@@ -140,7 +140,7 @@ static void exec_criu(struct criu_opts *opts)
 
/* The command line always looks like:
 * criu $(action) --tcp-established --file-locks --link-remap \
-* --manage-cgroups=full action-script foo.sh -D $(directory) \
+* --manage-cgroups=full --action-script foo.sh -D $(directory) \
 * -o $(directory)/$(action).log --ext-mount-map auto
 * --enable-external-sharing --enable-external-masters
 * --enable-fs hugetlbfs --enable-fs tracefs --ext-mount-map 
console:/dev/pts/n

From 36662416441b051bf9d3bb0e1b5d08a61b3a6420 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Wed, 14 Sep 2016 14:38:46 +
Subject: [PATCH 2/6] cgroup: add new functions for interacting with hierarchies

N.B. that these are only implemented in cgfsng, but,

15:28:28 tych0 | do we still use cgfs anywhere? or the cgm backend?
15:29:19 stgraber | not anywhere we care about

...I think that's okay.

Signed-off-by: Tycho Andersen 
---
 src/lxc/cgroups/cgfs.c  | 14 ++
 src/lxc/cgroups/cgfsng.c| 27 +++
 src/lxc/cgroups/cgmanager.c | 14 ++
 src/lxc/cgroups/cgroup.c| 16 
 src/lxc/cgroups/cgroup.h|  4 
 5 files changed, 75 insertions(+)

diff --git a/src/lxc/cgroups/cgfs.c b/src/lxc/cgroups/cgfs.c
index 2d0de0c..80a336d 100644
--- a/src/lxc/cgroups/cgfs.c
+++ b/src/lxc/cgroups/cgfs.c
@@ -2434,6 +2434,18 @@ static bool cgfs_escape(void *hdata)
return ret;
 }
 
+static int cgfs_num_hierarchies(void)
+{
+   /* not implemented */
+   return -1;
+}
+
+static bool cgfs_get_hierarchies(int i, char ***out)
+{
+   /* not implemented */
+   return false;
+}
+
 static bool cgfs_unfreeze(void *hdata)
 {
struct cgfs_data *d = hdata;
@@ -2627,6 +2639,8 @@ static struct cgroup_ops cgfs_ops = {
.get_cgroup = cgfs_get_cgroup,
.canonical_path = cgfs_canonical_path,
.escape = cgfs_escape,
+   .num_hierarchies = cgfs_num_hierarchies,
+   .get_hierarchies = cgfs_get_hierarchies,
.get = lxc_cgroupfs_get,
.set = lxc_cgroupfs_set,
.unfreeze = cgfs_unfreeze,
diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
index 95f29ca..5b61554 100644
--- a/src/lxc/cgroups/cgfsng.c
+++ b/src/lxc/cgroups/cgfsng.c
@@ -1457,6 +1457,31 @@ static bool cgfsng_escape()
return ret;
 }
 
+static int cgfsng_num_hierarchies(void)
+{
+   int i;
+
+   for (i = 0; hierarchies[i]; i++)
+   ;
+
+   return i;
+}
+
+static bool cgfsng_get_hierarchies(int n, char ***out)
+{
+   int i;
+
+   /* sanity check n */
+   for (i = 0; i < n; i++) {
+   if (!hierarchies[i])
+   return false;
+   }
+
+   *out = hierarchies[i]->controllers;
+
+   return true;
+}
+
 #define THAWED "THAWED"
 #define THAWED_LEN (strlen(THAWED))
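Review bot: off-by-one in `cgfsng_get_hierarchies`: the loop verifies that `hierarchies[0..n-1]` are non-NULL and then dereferences `hierarchies[i]` with `i == n`, which was never checked; calling it with `n == cgfsng_num_hierarchies()` hits the NULL terminator and crashes. Check `hierarchies[n]` itself (loop to `i <= n`, or test it after the loop) before taking `->controllers`, and reject negative `n`.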
 
@@ -1674,6 +1699,8 @@ static struct cgroup_ops cgfsng_ops = {
.enter = cgfsng_enter,
.canonical_path = cgfsng_canonical_path,
.escape = cgfsng_escape,
+   .num_hierarchies = cgfsng_num_hierarchies,
+   .get_hierarchies = cgfsng_get_hierarchies,
.get_cgroup = cgfsng_get_cgroup,
.get = cgfsng_get,
.set = cgfsng_set,
diff --git a/src/lxc/cgroups/cgmanager.c b/src/lxc/cgroups/cgmanager.c
index 4da891d..f14eb17 100644
--- a/src/lxc/cgroups/cgmanager.c
+++ b/src/lxc/cgroups/cgmanager.c
@@ -337,6 +337,18 @@ static bool cgm_escape(void *hdata)
return ret;
 }
 
+static int cgm_num_hierarchies(void)
+{
+   /* not implemented */
+   return -1;
+}
+
+static bool cgm_get_hierarchies(int i, char ***out)
+{
+   /* not implemented */
+   return false;
+}
+
 struct chown_data {
const char *cgroup_path;
uid_t origuid;
@@ -1657,6 +1669,8 @@ static struct cgroup_ops cgmanager_ops = {
.get_cgroup = cgm_get_cgroup,
.canonical_path = cgm_canonical_path,

[lxc-devel] [lxd/master] Fix cross fs migration

2016-09-15 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2384

This e-mail was sent by the LXC bot, direct replies will not reach the author
unless they happen to be subscribed to this list.

=== Description (from pull-request) ===

From f36ac9dfad74f98b94f8588f1911eaa0cf8afecd Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Thu, 15 Sep 2016 13:13:30 +
Subject: [PATCH 1/2] actually support copying across different CoW based
 backend types

Closes #2359

Signed-off-by: Tycho Andersen 
---
 lxd/migrate.go   |  35 +---
 lxd/storage.go   | 112 +--
 lxd/storage_btrfs.go |  27 +++--
 lxd/storage_dir.go   |   4 +-
 lxd/storage_lvm.go   |   4 +-
 lxd/storage_zfs.go   |  66 +-
 6 files changed, 176 insertions(+), 72 deletions(-)

diff --git a/lxd/migrate.go b/lxd/migrate.go
index 5377a61..a5ad1ad 100644
--- a/lxd/migrate.go
+++ b/lxd/migrate.go
@@ -582,32 +582,6 @@ func (c *migrationSink) do() error {
imagesDir := ""
srcIdmap := new(shared.IdmapSet)
 
-   snapshots := []container{}
-   for _, snap := range header.Snapshots {
-   // TODO: we need to propagate snapshot configurations
-   // as well. Right now the container configuration is
-   // done through the initial migration post. Should we
-   // post the snapshots and their configs as well, or do
-   // it some other way?
-   name := c.container.Name() + shared.SnapshotDelimiter + 
snap
-   args := containerArgs{
-   Ctype:cTypeSnapshot,
-   Config:   c.container.LocalConfig(),
-   Profiles: c.container.Profiles(),
-   Ephemeral:c.container.IsEphemeral(),
-   Architecture: c.container.Architecture(),
-   Devices:  c.container.LocalDevices(),
-   Name: name,
-   }
-
-   ct, err := 
containerCreateEmptySnapshot(c.container.Daemon(), args)
-   if err != nil {
-   restore <- err
-   return
-   }
-   snapshots = append(snapshots, ct)
-   }
-
for _, idmap := range header.Idmap {
e := shared.IdmapEntry{
Isuid:*idmap.Isuid,
@@ -626,7 +600,7 @@ func (c *migrationSink) do() error {
 */
fsTransfer := make(chan error)
go func() {
-   if err := mySink(c.live, c.container, snapshots, 
c.fsConn); err != nil {
+   if err := mySink(c.live, c.container, header.Snapshots, 
c.fsConn, srcIdmap); err != nil {
fsTransfer <- err
return
}
@@ -670,13 +644,6 @@ func (c *migrationSink) do() error {
 
}
 
-   for _, snap := range snapshots {
-   if err := ShiftIfNecessary(snap, srcIdmap); err != nil {
-   restore <- err
-   return
-   }
-   }
-
restore <- nil
}(c)
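Review bot: this hunk removes the `ShiftIfNecessary(snap, srcIdmap)` loop and hands `srcIdmap` to `mySink` instead; since idmap shifting is what keeps received files from landing with the source host's uid/gid mapping, every `MigrationSink` implementation (the interface change is in the next file) now has to shift the snapshots it creates, not only the main container. Please confirm each backend does so, because the regression would be a silent ownership mismatch rather than an error.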
 
diff --git a/lxd/storage.go b/lxd/storage.go
index 7d92d16..4af2b28 100644
--- a/lxd/storage.go
+++ b/lxd/storage.go
@@ -192,7 +192,7 @@ type storage interface {
// already present on the target instance as an exercise for the
// enterprising developer.
MigrationSource(container container) (MigrationStorageSourceDriver, 
error)
-   MigrationSink(live bool, container container, objects []container, conn 
*websocket.Conn) error
+   MigrationSink(live bool, container container, objects []string, conn 
*websocket.Conn, srcIdmap *shared.IdmapSet) error
 }
 
 func newStorage(d *Daemon, sType storageType) (storage, error) {
@@ -556,19 +556,15 @@ func (lw *storageLogWrapper) MigrationSource(container 
container) (MigrationStor
return lw.w.MigrationSource(container)
 }
 
-func (lw *storageLogWrapper) MigrationSink(live bool, container container, 
objects []container, conn *websocket.Conn) error {
-   objNames := []string{}
-   for _, obj := range objects {
-   objNames = append(objNames, obj.Name())
-   }
-
+func (lw *storageLogWrapper) MigrationSink(live bool, container container, 
objects []string, conn *websocket.Conn, srcIdmap *shared.IdmapSet) error {
lw.log.Debug("MigrationSink", log.Ctx{
"live":  live,
  

[lxc-devel] [lxc/master] c/r: free valid_opts if necessary

2016-09-13 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/1185

This e-mail was sent by the LXC bot, direct replies will not reach the author
unless they happen to be subscribed to this list.

=== Description (from pull-request) ===
2cb80427bc468f7647309c3eca66cfc9afa85b61 introduced a malloc without a
matching free.

Signed-off-by: Tycho Andersen 
From f686506dfb2a7fe61b4ff1b3192bef6db19be2ac Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Tue, 13 Sep 2016 16:42:20 -0600
Subject: [PATCH] c/r: free valid_opts if necessary

2cb80427bc468f7647309c3eca66cfc9afa85b61 introduced a malloc without a
matching free.

Signed-off-by: Tycho Andersen 
---
 src/lxc/lxccontainer.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
index c02e587..a1c94a1 100644
--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -4007,6 +4007,9 @@ static int do_lxcapi_migrate(struct lxc_container *c, 
unsigned int cmd,
ret = -EINVAL;
}
 
+   if (size < sizeof(*opts))
+   free(valid_opts);
+
return ret;
 }
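Review bot: The free condition `if (size < sizeof(*opts))` re-derives the allocation condition from the earlier patch; if either side changes the two drift apart and the leak or a double free returns. Compare the pointers instead, `if (valid_opts != opts) free(valid_opts);`, which is true exactly when the malloc happened. The visible paths (the `-EINVAL` default case falls through to `return ret`) reach this free, so no early return is left between the malloc and here.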
 
___
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel


[lxc-devel] [lxc/master] c/r: zero a smaller than known migrate_opts struct

2016-09-08 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/1177

=== Description (from pull-request) ===
Signed-off-by: Tycho Andersen 
From 2cb80427bc468f7647309c3eca66cfc9afa85b61 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Thu, 8 Sep 2016 09:14:42 -0600
Subject: [PATCH] c/r: zero a smaller than known migrate_opts struct

Signed-off-by: Tycho Andersen 
---
 src/lxc/lxccontainer.c | 20 +---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
index 5721977..c02e587 100644
--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -3960,6 +3960,7 @@ static int do_lxcapi_migrate(struct lxc_container *c, 
unsigned int cmd,
 struct migrate_opts *opts, unsigned int size)
 {
int ret;
+   struct migrate_opts *valid_opts = opts;
 
/* If the caller has a bigger (newer) struct migrate_opts, let's make
 * sure that the stuff on the end is zero, i.e. that they didn't ask us
@@ -3978,15 +3979,28 @@ static int do_lxcapi_migrate(struct lxc_container *c, 
unsigned int cmd,
}
}
 
+   /* If the caller has a smaller struct, let's zero out the end for them
+* so we don't accidentally use bits of it that they didn't know about
+* to initialize.
+*/
+   if (size < sizeof(*opts)) {
+   valid_opts = malloc(sizeof(*opts));
+   if (!valid_opts)
+   return -ENOMEM;
+
+   memset(valid_opts, 0, sizeof(*opts));
+   memcpy(valid_opts, opts, size);
+   }
+
switch (cmd) {
case MIGRATE_PRE_DUMP:
-   ret = !__criu_pre_dump(c, opts);
+   ret = !__criu_pre_dump(c, valid_opts);
break;
case MIGRATE_DUMP:
-   ret = !__criu_dump(c, opts);
+   ret = !__criu_dump(c, valid_opts);
break;
case MIGRATE_RESTORE:
-   ret = !__criu_restore(c, opts);
+   ret = !__criu_restore(c, valid_opts);
break;
default:
ERROR("invalid migrate command %u", cmd);


[lxc-devel] [lxc/master] c/r: use /proc/self/tid/children instead of pidfile

2016-08-26 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/1152

=== Description (from pull-request) ===
All we really needed a unique temp file for was passing the pid. Since CRIU
opened this with O_EXCL | O_CREAT, this was "safe" (users could still
overwrite it afterwards, but the monitor would immediately die since the
only valid number in there was the init process).

In any case, we can just read /proc/self/tid/children, which lists the
child process.

Closes #1150

Signed-off-by: Tycho Andersen 
From 9e77dc1781be15d4ca7a85aab5a8ac85b9db4bef Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Fri, 26 Aug 2016 16:07:19 +
Subject: [PATCH] c/r: use /proc/self/tid/children instead of pidfile

All we really needed a unique temp file for was passing the pid. Since CRIU
opened this with O_EXCL | O_CREAT, this was "safe" (users could still
overwrite it afterwards, but the monitor would immediately die since the
only valid number in there was the init process).

In any case, we can just read /proc/self/tid/children, which lists the
child process.

Closes #1150

Signed-off-by: Tycho Andersen 
---
 src/lxc/criu.c | 38 ++
 1 file changed, 14 insertions(+), 24 deletions(-)

diff --git a/src/lxc/criu.c b/src/lxc/criu.c
index 65998ed..f053e32 100644
--- a/src/lxc/criu.c
+++ b/src/lxc/criu.c
@@ -69,7 +69,6 @@ struct criu_opts {
char tty_id[32]; /* the criu tty id for /dev/console, i.e. 
"tty[${rdev}:${dev}]" */
 
/* restore: the file to write the init process' pid into */
-   char *pidfile;
const char *cgroup_path;
int console_fd;
/* The path that is bind mounted from /dev/console, if any. We don't
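Review bot: The comment `/* restore: the file to write the init process' pid into */` is now stale: the `pidfile` member it described is removed but the comment stays, sitting directly above `cgroup_path`. Drop it or reword it for `cgroup_path`.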
@@ -176,10 +175,10 @@ static void exec_criu(struct criu_opts *opts)
static_args += 2;
} else if (strcmp(opts->action, "restore") == 0) {
/* --root $(lxc_mount_point) --restore-detached
-* --restore-sibling --pidfile $foo --cgroup-root $foo
+* --restore-sibling --cgroup-root $foo
 * --lsm-profile apparmor:whatever
 */
-   static_args += 10;
+   static_args += 8;
 
tty_info[0] = 0;
if (load_tty_major_minor(opts->user->directory, tty_info, 
sizeof(tty_info)))
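Review bot: The hand-maintained `static_args` count (10 to 8) matches removing `--pidfile` and its value, but the count lives far from the `DECLARE_ARG` calls it has to agree with; a comment naming each counted argument, or a compile-time check against the number of `DECLARE_ARG`s in the restore branch, would make the next such change safer.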
@@ -330,8 +329,6 @@ static void exec_criu(struct criu_opts *opts)
DECLARE_ARG(opts->c->lxc_conf->rootfs.mount);
DECLARE_ARG("--restore-detached");
DECLARE_ARG("--restore-sibling");
-   DECLARE_ARG("--pidfile");
-   DECLARE_ARG(opts->pidfile);
DECLARE_ARG("--cgroup-root");
DECLARE_ARG(opts->cgroup_path);
 
@@ -604,13 +601,8 @@ static void do_restore(struct lxc_container *c, int 
status_pipe, struct migrate_
 {
pid_t pid;
struct lxc_handler *handler;
-   int fd, status;
+   int status;
int pipes[2] = {-1, -1};
-   char pidfile[] = "criu_restore_XX";
-
-   fd = mkstemp(pidfile);
-   if (fd < 0)
-   goto out;
 
handler = lxc_init(c->name, c->lxc_conf, c->config_path);
if (!handler)
@@ -690,7 +682,6 @@ static void do_restore(struct lxc_container *c, int 
status_pipe, struct migrate_
os.action = "restore";
os.user = opts;
os.c = c;
-   os.pidfile = pidfile;
os.cgroup_path = cgroup_canonical_path(handler);
os.console_fd = c->lxc_conf->console.slave;
os.criu_version = criu_version;
@@ -742,8 +733,9 @@ static void do_restore(struct lxc_container *c, int 
status_pipe, struct migrate_
}
 
if (WIFEXITED(status)) {
+   char buf[4096];
+
if (WEXITSTATUS(status)) {
-   char buf[4096];
int n;
 
n = read(pipes[0], buf, sizeof(buf));
@@ -758,18 +750,21 @@ static void do_restore(struct lxc_container *c, int 
status_pipe, struct migrate_
goto out_fini_handler;
} else {
int ret;
-   FILE *f = fdopen(fd, "r");
+
+   ret = snprintf(buf, sizeof(buf), "/proc/self/%" 
PRId64 "/children", syscall(__NR_gettid));
+   if (ret < 0 || ret >= sizeof(buf)) {
+   ERROR("snprintf'd too many characters: 
%d", ret);
+   goto out_fini_handler;
+   }
+
+   
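Review bot: The path built by `snprintf(buf, sizeof(buf), "/proc/self/%" PRId64 "/children", syscall(__NR_gettid))` has no `task/` component: proc(5) documents the file as `/proc/[pid]/task/[tid]/children`, and `/proc/self/` has no numeric subdirectories, so this open would fail. Use `/proc/self/task/%d/children` with `(int)syscall(__NR_gettid)`: `syscall()` returns `long`, so `PRId64` is only correct on LP64 and mis-formats on 32-bit targets. The `ERROR("snprintf'd too many characters")` message is also misleading for the `ret < 0` case. Note the `children` file exists only on kernels built with `CONFIG_PROC_CHILDREN` (earlier, `CONFIG_CHECKPOINT_RESTORE`), which a CRIU-capable host has anyway.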

[lxc-devel] [lxd/master] minor USB fixes

2016-08-25 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2315

=== Description (from pull-request) ===
* do a deep copy of the device entry so config doesn't accidentally get
  saved in the DB
* remember to remove the bus directory when a USB device goes away
* remove unused param to insertUnixDevice()

Closes #2306
Closes #2312

Signed-off-by: Tycho Andersen 
From 9e86e8f6e5cff63f10744f4847f501f623b39320 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Thu, 25 Aug 2016 10:56:57 -0400
Subject: [PATCH] minor USB fixes

* do a deep copy of the device entry so config doesn't accidentally get
  saved in the DB
* remember to remove the bus directory when a USB device goes away
* remove unused param to insertUnixDevice()

Closes #2306
Closes #2312

Signed-off-by: Tycho Andersen 
---
 lxd/container_lxc.go | 80 +---
 lxd/devices.go   | 14 ++---
 2 files changed, 59 insertions(+), 35 deletions(-)

diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index 67d0068..50a1ec9 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
@@ -1130,12 +1130,17 @@ func (c *containerLXC) startCommon() (string, error) {
}
}
 
-   m["major"] = fmt.Sprintf("%d", usb.major)
-   m["minor"] = fmt.Sprintf("%d", usb.minor)
-   m["path"] = usb.path
+   temp := shared.Device{}
+   if err := shared.DeepCopy(, ); err != 
nil {
+   return "", err
+   }
+
+   temp["major"] = fmt.Sprintf("%d", usb.major)
+   temp["minor"] = fmt.Sprintf("%d", usb.minor)
+   temp["path"] = usb.path
 
/* it's ok to fail, the device might be hot 
plugged later */
-   _, err := c.createUnixDevice(m)
+   _, err := c.createUnixDevice(temp)
if err != nil {
shared.Log.Debug("failed to create usb 
device", log.Ctx{"err": err, "device": k})
continue
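Review bot: The argument list is lost in this rendering (`shared.DeepCopy(, )`), so the destination/source order cannot be checked from the mail; please confirm `m` is the source and `temp` the destination. With that, writing `major`, `minor` and `path` into `temp` rather than `m` is the right fix for the config-leaks-into-DB bug the description names, since none of those keys are valid config keys for a `usb` device.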
@@ -2516,27 +2521,17 @@ func (c *containerLXC) Update(args containerArgs, 
userRequested bool) error {
continue
}
 
-   m["major"] = fmt.Sprintf("%d", 
usb.major)
-   m["minor"] = fmt.Sprintf("%d", 
usb.minor)
-   m["path"] = usb.path
-
-   err = c.removeUnixDevice(m)
+   err := c.removeUSBDevice(m, usb)
if err != nil {
-   shared.Log.Error("failed to 
remove usb device", log.Ctx{"err": err, "usb": usb, "container": c.Name()})
+   return err
}
-
-   /* ok to fail here, there may be other 
usb
-* devices on this bus still left in the
-* container
-*/
-   os.Remove(filepath.Dir(usb.path))
}
}
}
 
for k, m := range addDevices {
if shared.StringInSlice(m["type"], 
[]string{"unix-char", "unix-block"}) {
-   err = c.insertUnixDevice(k, m)
+   err = c.insertUnixDevice(m)
if err != nil {
return err
}
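Review bot: Replacing `shared.Log.Error(...)` with `return err` changes the failure mode of `Update`: one USB device that cannot be removed now aborts the update midway, with earlier device changes applied and the `addDevices` loop below never reached. If that is intended, the description should say so; otherwise keep the log-and-continue behaviour inside `removeUSBDevice`. Also `err := c.removeUSBDevice(m, usb)` shadows the outer `err` that the following `err = c.insertUnixDevice(m)` assigns to; use `=` for consistency.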
@@ -2563,11 +2558,7 @@ func (c *containerLXC) Update(args containerArgs, 
userRequested bool) error {
continue
}
 
-   m["major"] = fmt.Sprintf("%d", 
usb.major)
-   m["minor"] = fmt.Sprintf("%d", 
usb.minor)
-   m["path"] = usb.path
-
-   err = c.insertUnixDevice(k, m)
+   err = c.insertUSBDevice(m, usb)
if err != nil {
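Review bot: The definitions of `insertUSBDevice` and `removeUSBDevice` are not in this excerpt, so check there that `removeUSBDevice` carries over the `os.Remove(filepath.Dir(usb.path))` bus-directory cleanup deleted from `Update` above; that cleanup is the second bullet of the description and would otherwise be lost.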
   

[lxc-devel] [lxd/master] try to remove the usb bus dir after device disconnect

2016-08-23 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2308

=== Description (from pull-request) ===
As the comment notes, it's okay to fail because there may be other USB
devices still connected.

Also, I need to find a USB device SWAG because I didn't bring one to this
conference and so I don't really have a way to test this, but I think this
will do it right :)

Closes #2306

Signed-off-by: Tycho Andersen 
From 9a2b1ba3a0ea9db93c345a228c52f9e3f633293e Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Tue, 23 Aug 2016 10:12:56 -0400
Subject: [PATCH] try to remove the usb bus dir after device disconnect

As the comment notes, it's okay to fail because there may be other USB
devices still connected.

Also, I need to find a USB device SWAG because I didn't bring one to this
conference and so I don't really have a way to test this, but I think this
will do it right :)

Closes #2306

Signed-off-by: Tycho Andersen 
---
 lxd/container_lxc.go | 6 ++
 lxd/devices.go   | 6 ++
 2 files changed, 12 insertions(+)

diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index 8982e88..67d0068 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
@@ -2524,6 +2524,12 @@ func (c *containerLXC) Update(args containerArgs, 
userRequested bool) error {
if err != nil {
shared.Log.Error("failed to 
remove usb device", log.Ctx{"err": err, "usb": usb, "container": c.Name()})
}
+
+   /* ok to fail here, there may be other 
usb
+* devices on this bus still left in the
+* container
+*/
+   os.Remove(filepath.Dir(usb.path))
}
}
}
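Review bot: `os.Remove(filepath.Dir(usb.path))` discards its error unconditionally; the comment justifies that for the "other devices still on this bus" case, which is specifically `ENOTEMPTY`, so other failures (permissions, an unexpected path) are hidden too. Check the returned error and log anything that is not `ENOTEMPTY` or `ENOENT` at debug level. It also runs even when `removeUnixDevice` just failed above, which is fine only because the removal there is itself best-effort.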
diff --git a/lxd/devices.go b/lxd/devices.go
index a846b9e..ab51902 100644
--- a/lxd/devices.go
+++ b/lxd/devices.go
@@ -507,6 +507,12 @@ func deviceUSBEvent(d *Daemon, usb usbDevice) {
shared.Log.Error("failed to remove usb 
device", log.Ctx{"err": err, "usb": usb, "container": c.Name()})
return
}
+
+   /* ok to fail here, there may be other usb
+* devices on this bus still left in the
+* container
+*/
+   os.Remove(filepath.Dir(usb.path))
} else {
shared.Log.Error("unknown action for usb 
device", log.Ctx{"usb": usb})
continue
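Review bot: This is the same five-line block as the one added to `container_lxc.go` in the previous hunk, with the same comment; a single helper on `containerLXC` would keep the two paths from drifting (the later "minor USB fixes" PR above does this with `removeUSBDevice`).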


[lxc-devel] [lxd/master] retry generating petnames

2016-08-23 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2307

=== Description (from pull-request) ===
Newer versions of petname have a smaller name list, which increases the
likelihood of conflicts. Let's retry a few times to avoid them.

Signed-off-by: Tycho Andersen 
From 59cf54df5164db543c03df9b64e5d10d505d2527 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Tue, 23 Aug 2016 09:56:33 -0400
Subject: [PATCH] retry generating petnames

Newer versions of petname have a smaller name list, which increases the
likelihood of conflicts. Let's retry a few times to avoid them.

Signed-off-by: Tycho Andersen 
---
 lxd/containers_post.go | 18 +-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/lxd/containers_post.go b/lxd/containers_post.go
index fe44fd5..10bac2f 100644
--- a/lxd/containers_post.go
+++ b/lxd/containers_post.go
@@ -394,7 +394,23 @@ func containersPost(d *Daemon, r *http.Request) Response {
}
 
if req.Name == "" {
-   req.Name = strings.ToLower(petname.Generate(2, "-"))
+   cs, err := dbContainersList(d.db, cTypeRegular)
+   if err != nil {
+   return InternalError(err)
+   }
+
+   i := 0
+   for {
+   i++
+   req.Name = strings.ToLower(petname.Generate(2, "-"))
+   if !shared.StringInSlice(req.Name, cs) {
+   break
+   }
+
+   if i > 100 {
+   return InternalError(fmt.Errorf("couldn't 
generate a new unique name after 100 tries"))
+   }
+   }
shared.Debugf("No name provided, creating %s", req.Name)
}
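Review bot: `cs` is loaded once before the loop, so the uniqueness check is a snapshot: a concurrent create that lands between `dbContainersList` and the eventual insert can still take the same name, and whatever enforces uniqueness at insertion time remains the real guard; this loop only lowers the odds of hitting it, which the comment should say. Minor: with `i > 100` checked after the attempt, the loop makes 101 attempts before the "after 100 tries" error.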
 


[lxc-devel] [lxd/master] make TestReaderToChannel transfer smaller

2016-08-17 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2292

=== Description (from pull-request) ===
We get intermittent failures like the one below. It looks like the problem is
that the test runners don't have enough randomness to fill up a 64 MB buffer,
so they just fail. Since the point of this test really is to test anything >
the default buffer size which is 128k, 1MB should suffice, and will hopefully
cut down on eating all the entropy from the test runners.

=== RUN   TestReaderToChannel
SIGQUIT: quit
PC=0x45fbe1 m=0

goroutine 0 [idle]:
runtime.futex(0x9f3a90, 0x0, 0x0, 0x0, 0x0, 0x9f3360, 0x0, 0x0, 0x7ffe2e658080, 0x40ff52, ...)
	/lxd/build/tmp.qQKnZ6Eutl/go/golang/src/runtime/sys_linux_amd64.s:387 +0x21
runtime.futexsleep(0x9f3a90, 0x0, 0x)
	/lxd/build/tmp.qQKnZ6Eutl/go/golang/src/runtime/os_linux.go:45 +0x62
runtime.notesleep(0x9f3a90)
	/lxd/build/tmp.qQKnZ6Eutl/go/golang/src/runtime/lock_futex.go:145 +0x82
runtime.stopm()
	/lxd/build/tmp.qQKnZ6Eutl/go/golang/src/runtime/proc.go:1594 +0xad
runtime.findrunnable(0xc420022000, 0x0)
	/lxd/build/tmp.qQKnZ6Eutl/go/golang/src/runtime/proc.go:2021 +0x228
runtime.schedule()
	/lxd/build/tmp.qQKnZ6Eutl/go/golang/src/runtime/proc.go:2120 +0x14c
runtime.park_m(0xc420095040)
	/lxd/build/tmp.qQKnZ6Eutl/go/golang/src/runtime/proc.go:2183 +0x123
runtime.mcall(0x7ffe2e658220)
	/lxd/build/tmp.qQKnZ6Eutl/go/golang/src/runtime/asm_amd64.s:240 +0x5b

goroutine 1 [chan receive, 9 minutes]:
testing.(*T).Run(0xc42009a0c0, 0x6bedb9, 0x13, 0x6dedf0, 0xc42005bd01)
	/lxd/build/tmp.qQKnZ6Eutl/go/golang/src/testing/testing.go:647 +0x316
testing.RunTests.func1(0xc42009a0c0)
	/lxd/build/tmp.qQKnZ6Eutl/go/golang/src/testing/testing.go:793 +0x6d
testing.tRunner(0xc42009a0c0, 0xc42004be30)
	/lxd/build/tmp.qQKnZ6Eutl/go/golang/src/testing/testing.go:610 +0x81
testing.RunTests(0x6dee70, 0x9d7e20, 0x6, 0x6, 0x9e0d00)
	/lxd/build/tmp.qQKnZ6Eutl/go/golang/src/testing/testing.go:799 +0x2f5
testing.(*M).Run(0xc42004bef8, 0xc4200d9360)
	/lxd/build/tmp.qQKnZ6Eutl/go/golang/src/testing/testing.go:743 +0x85
main.main()
	github.com/lxc/lxd/shared/_test/_testmain.go:64 +0xc6

goroutine 17 [syscall, 9 minutes, locked to thread]:
runtime.goexit()
	/lxd/build/tmp.qQKnZ6Eutl/go/golang/src/runtime/asm_amd64.s:2086 +0x1

goroutine 23 [syscall, 6 minutes]:
syscall.Syscall(0x13e, 0xc4224abfff, 0x201, 0x0, 0xc420048c38, 0x499389, 0xa0f538)
	/lxd/build/tmp.qQKnZ6Eutl/go/golang/src/syscall/asm_linux_amd64.s:18 +0x5
internal/syscall/unix.GetRandom(0xc4224abfff, 0x201, 0x201, 0x0, 0xc420048c90, 0x455b20, 0xc4200162c0)
	/lxd/build/tmp.qQKnZ6Eutl/go/golang/src/internal/syscall/unix/getrandom_linux.go:41 +0xdb
crypto/rand.getRandomLinux(0xc4224abfff, 0x201, 0x201, 0xc)
	/lxd/build/tmp.qQKnZ6Eutl/go/golang/src/crypto/rand/rand_linux.go:37 +0x73
crypto/rand.(*devReader).Read(0xc4200124b0, 0xc4224abfff, 0x201, 0x201, 0x0, 0x0, 0x0)
	/lxd/build/tmp.qQKnZ6Eutl/go/golang/src/crypto/rand/rand_unix.go:48 +0x423
io.ReadAtLeast(0x9dbc80, 0xc4200124b0, 0xc4204ac000, 0x400, 0x400, 0x400, 0xc420358e20, 0x1, 0xc420358e68)
	/lxd/build/tmp.qQKnZ6Eutl/go/golang/src/io/io.go:307 +0xa4
io.ReadFull(0x9dbc80, 0xc4200124b0, 0xc4204ac000, 0x400, 0x400, 0xc4200109a0, 0xc42046e018, 0x2000107)
	/lxd/build/tmp.qQKnZ6Eutl/go/golang/src/io/io.go:325 +0x58
crypto/rand.Read(0xc4204ac000, 0x400, 0x400, 0xc4204ac000, 0x400, 0x400)
	/lxd/build/tmp.qQKnZ6Eutl/go/golang/src/crypto/rand/rand.go:23 +0x57
github.com/lxc/lxd/shared.TestReaderToChannel(0xc42009a540)
	/lxd/build/tmp.qQKnZ6Eutl/go/src/github.com/lxc/lxd/shared/util_test.go:108 +0x85
testing.tRunner(0xc42009a540, 0x6dedf0)
	/lxd/build/tmp.qQKnZ6Eutl/go/golang/src/testing/testing.go:610 +0x81
created by testing.(*T).Run
	/lxd/build/tmp.qQKnZ6Eutl/go/golang/src/testing/testing.go:646 +0x2ec

Signed-off-by: Tycho Andersen 
From 936bc3b5c79cd58736432780a649e0f53c74aac6 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Wed, 17 Aug 2016 10:03:41 -0600
Subject: [PATCH] make TestReaderToChannel transfer smaller

We get intermittent failures like the one below. It looks like the problem is
that the test runners don't have enough randomness to fill up a 64 MB buffer,
so they just fail. Since the point of this test really is to test anything >
the default buffer size which is 128k, 1MB should suffice, and will hopefully
cut down on eating all the entropy from the test runners.

=== RUN   TestReaderToChannel
SIGQUIT: quit
PC=0x45fbe1 m=0

goroutine 0 [idle]:
runtime.futex(0x9f3a90, 0x0, 0x0, 0x0, 0x0, 0x9f3360, 0x0, 0x0, 0x7ffe2e658080, 
0x40ff52, ...)
/lxd/build/tmp.qQKnZ6Eutl/go/golang/src/runtime/sys_linux_amd64.s:387 
+0x21

[lxc-devel] [lxd/master] mkdir -p on file push

2016-08-17 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2291

=== Description (from pull-request) ===
Closes #2290

Signed-off-by: Tycho Andersen 
From fa2ecdf1c528f26809ba203cf4041c162ccba001 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Wed, 17 Aug 2016 09:11:48 -0600
Subject: [PATCH] mkdir -p on file push

Closes #2290

Signed-off-by: Tycho Andersen 
---
 lxd/nsexec.go| 12 
 test/suites/basic.sh |  6 ++
 2 files changed, 18 insertions(+)

diff --git a/lxd/nsexec.go b/lxd/nsexec.go
index 30e2d1a..95bfe08 100644
--- a/lxd/nsexec.go
+++ b/lxd/nsexec.go
@@ -162,6 +162,18 @@ int manip_file_in_ns(char *rootfs, int pid, char *host, 
char *container, bool is
if (is_put && stat(container, ) < 0)
exists = 0;
 
+   if (is_put) {
+   char *pos = strrchr(container, '/');
+   if (pos) {
+   *pos = 0;
+   if (mkdir_p(container, 0755) < 0) {
+   error("failed to mkdir -p");
+   goto close_host;
+   }
+   *pos = '/';
+   }
+   }
+
umask(0);
container_fd = open(container, container_open_flags, 0);
if (container_fd < 0) {
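Review bot: `umask(0)` is called after the new block, so `mkdir_p(container, 0755)` runs under whatever umask the caller inherited while the `open()` just below runs with umask 0; move the `umask(0)` above the block or the created directories get an inconsistent mode. When the last `/` is the first character (a file directly under the rootfs), `*pos = 0` turns `container` into the empty string and `mkdir_p("")` is called; guard with `pos != container`. The `error("failed to mkdir -p")` also drops `errno`, which is the one thing a user needs to diagnose it.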
diff --git a/test/suites/basic.sh b/test/suites/basic.sh
index e2696f7..1a92050 100644
--- a/test/suites/basic.sh
+++ b/test/suites/basic.sh
@@ -232,6 +232,12 @@ test_basic_usage() {
   lxc list | grep foo | grep RUNNING
   lxc stop foo --force  # stop is hanging
 
+  # check that we can put files in nonexistent directories in stopped
+  # containers
+  lxc file push /etc/hosts foo/mkdir/p/this/dir/hosts
+  lxc file pull foo/mkdir/p/this/dir/hosts "$TEST_DIR"/hosts
+  diff "$TEST_DIR"/hosts /etc/hosts
+
   # cycle it a few times
   lxc start foo
   mac1=$(lxc exec foo cat /sys/class/net/eth0/address)


[lxc-devel] [lxd/master] propagate the host's TERM to shell sessions

2016-08-17 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2289

=== Description (from pull-request) ===
Closes #2288

Signed-off-by: Tycho Andersen 
From 0472ec00ec37cdc8ef4ebf9ea4ecc756624d4222 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Wed, 17 Aug 2016 08:27:26 -0600
Subject: [PATCH] propagate the host's TERM to shell sessions

Closes #2288

Signed-off-by: Tycho Andersen 
---
 lxc/exec.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lxc/exec.go b/lxc/exec.go
index 87427ed..e603ea3 100644
--- a/lxc/exec.go
+++ b/lxc/exec.go
@@ -95,7 +95,7 @@ func (c *execCmd) run(config *lxd.Config, args []string) 
error {
return err
}
 
-   env := map[string]string{"HOME": "/root", "USER": "root"}
+   env := map[string]string{"HOME": "/root", "USER": "root", "TERM": 
os.Getenv("TERM")}
myEnv := os.Environ()
for _, ent := range myEnv {
if strings.HasPrefix(ent, "TERM=") {
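Review bot: Seeding the map with `"TERM": os.Getenv("TERM")` makes the existing loop below, which scans `myEnv` for a `TERM=` prefix, redundant; keep one mechanism. When `TERM` is unset on the host the map now carries an empty `TERM=`, which some programs treat differently from an absent variable; only add the key when the value is non-empty.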


[lxc-devel] [lxd/master] relax constraints on WebsocketRecvStream args

2016-08-04 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2265

=== Description (from pull-request) ===
We don't use the Close method any more, so let's make these Writers, not
WriteClosers.

Signed-off-by: Tycho Andersen 
From 682d9fba03a7967b6c3048de93530f9d766699a9 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Thu, 4 Aug 2016 21:58:53 +
Subject: [PATCH] relax constraints on WebsocketRecvStream args

We don't use the Close method any more, so let's make these Writers, not
WriteClosers.

Signed-off-by: Tycho Andersen 
---
 shared/network.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/shared/network.go b/shared/network.go
index 7032348..8689880 100644
--- a/shared/network.go
+++ b/shared/network.go
@@ -180,10 +180,10 @@ func WebsocketSendStream(conn *websocket.Conn, r 
io.Reader, bufferSize int) chan
return ch
 }
 
-func WebsocketRecvStream(w io.WriteCloser, conn *websocket.Conn) chan bool {
+func WebsocketRecvStream(w io.Writer, conn *websocket.Conn) chan bool {
ch := make(chan bool)
 
-   go func(w io.WriteCloser, conn *websocket.Conn) {
+   go func(w io.Writer, conn *websocket.Conn) {
for {
mt, r, err := conn.NextReader()
if mt == websocket.CloseMessage {
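Review bot: Widening the parameter to `io.Writer` is source-compatible for every caller (any `io.WriteCloser` satisfies it), and end-of-stream is already signalled through the returned channel when the loop sees `websocket.CloseMessage`, so nothing on the receive side needs `Close`. Worth a note in the function comment that the caller now owns closing `w`.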


[lxc-devel] [lxd/master] add some reasonable defaults to `lxd init`

2016-08-04 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2264

=== Description (from pull-request) ===
This also adds some validation: namely that ip addresses are valid and that
any block device specified as a ZFS pool is indeed an actual block device.

Closes #1933

Signed-off-by: Tycho Andersen 
From 0e2bc7a45db13073f855914dd6b0d33f3e3f24e2 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Thu, 4 Aug 2016 14:19:11 -0600
Subject: [PATCH] add some reasonable defaults to `lxd init`

This also adds some validation: namely that ip addresses are valid and that
any block device specified as a ZFS pool is indeed an actual block device.

Closes #1933

Signed-off-by: Tycho Andersen 
---
 lxd/main.go | 62 ++---
 1 file changed, 47 insertions(+), 15 deletions(-)

diff --git a/lxd/main.go b/lxd/main.go
index 5749177..d022013 100644
--- a/lxd/main.go
+++ b/lxd/main.go
@@ -621,11 +621,14 @@ func cmdInit() error {
 
reader := bufio.NewReader(os.Stdin)
 
-   askBool := func(question string) bool {
+   askBool := func(question string, default_ string) bool {
for {
fmt.Printf(question)
input, _ := reader.ReadString('\n')
input = strings.TrimSuffix(input, "\n")
+   if input == "" {
+   input = default_
+   }
if shared.StringInSlice(strings.ToLower(input), 
[]string{"yes", "y"}) {
return true
} else if shared.StringInSlice(strings.ToLower(input), 
[]string{"no", "n"}) {
@@ -636,11 +639,14 @@ func cmdInit() error {
}
}
 
-   askChoice := func(question string, choices []string) string {
+   askChoice := func(question string, choices []string, default_ string) 
string {
for {
fmt.Printf(question)
input, _ := reader.ReadString('\n')
input = strings.TrimSuffix(input, "\n")
+   if input == "" {
+   input = default_
+   }
if shared.StringInSlice(input, choices) {
return input
}
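Review bot: `default_` is never checked to be a member of `choices`; if it is not, pressing Enter just re-prompts forever while the question text still advertises the default. Validate it at the call site or have `askChoice` fall back to `choices[0]`.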
@@ -649,11 +655,14 @@ func cmdInit() error {
}
}
 
-   askInt := func(question string, min int64, max int64) int64 {
+   askInt := func(question string, min int64, max int64, default_ string) 
int64 {
for {
fmt.Printf(question)
input, _ := reader.ReadString('\n')
input = strings.TrimSuffix(input, "\n")
+   if input == "" {
+   input = default_
+   }
intInput, err := strconv.ParseInt(input, 10, 64)
 
if err == nil && (min == -1 || intInput >= min) && (max 
== -1 || intInput <= max) {
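Review bot: `default_` is a string that is run through `strconv.ParseInt` on every Enter, so a typo in a default becomes a silent re-prompt loop rather than a startup error. Take an `int64` (or `*int64` for "no default") and format it into the prompt instead.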
@@ -664,11 +673,21 @@ func cmdInit() error {
}
}
 
-   askString := func(question string) string {
+   askString := func(question string, default_ string, validate 
func(string) string) string {
for {
fmt.Printf(question)
input, _ := reader.ReadString('\n')
input = strings.TrimSuffix(input, "\n")
+   if input == "" {
+   input = default_
+   }
+   if validate != nil {
+   result := validate(input)
+   if result != "" {
+   fmt.Printf("Invalid input: %s\n\n", 
result)
+   continue
+   }
+   }
if len(input) != 0 {
return input
}
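Review bot: `validate` runs before the `len(input) != 0` check, so an empty input with an empty `default_` is handed to the validator. Returning the error message as a string where `""` means success is an unusual convention in Go; returning `error` and checking for `nil` reads more naturally. The IP-address and ZFS block-device validators the description mentions are not in this excerpt.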
@@ -780,7 +799,7 @@ func cmdInit() error {
return fmt.Errorf("Init configuration is only valid 
with --auto")
}
 
-   storageBackend = askChoice("Name of the storage backend to use 
(dir or zfs): ", backendsSupported)
+   storageBackend = askChoice("Name of the storage backend to use 
(dir or zfs) [default=zfs]: ", backendsSupported, "zfs")
 
if !shared.StringInSlice(storageBackend, backendsSupported) {
return fmt.Errorf("The requested backend '%s' isn't 
supported by lxd init.", storageBackend)
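Review bot: The `[default=zfs]` text and the `"zfs"` default are hard-coded while the choices come from `backendsSupported`; on a host without zfs the advertised default cannot be chosen and Enter only re-prompts. Derive both the default and the prompt text from `backendsSupported`. The following `!shared.StringInSlice(storageBackend, backendsSupported)` check is unreachable, since `askChoice` only returns members of `choices`.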
@@ -791,17 +810,23 @@ 

[lxc-devel] [lxd/master] initial implementation of the "usb" device type

2016-08-03 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2261

=== Description (from pull-request) ===
I've tested all the cases I can think of (hotplug the actual device,
hotplug the container config, and cold container start/stop), but I'm not
really sure how to add any automated tests for this, since there's no real
way to ensure USB devices will be available.

Closes #2241

Signed-off-by: Tycho Andersen 
From e9a4c9f610fac2f11d5b34fade2d42a256bec3fc Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Tue, 2 Aug 2016 13:05:12 -0600
Subject: [PATCH] initial implementation of the "usb" device type

I've tested all the cases I can think of (hotplug the actual device,
hotplug the container config, and cold container start/stop), but I'm not
really sure how to add any automated tests for this, since there's no real
way to ensure USB devices will be available.

Closes #2241

Signed-off-by: Tycho Andersen 
---
 doc/configuration.md |  14 +++
 lxd/api_1.0.go   |   1 +
 lxd/container.go |  21 -
 lxd/container_lxc.go |  88 +++
 lxd/db_devices.go|   4 +
 lxd/devices.go   | 238 +--
 6 files changed, 358 insertions(+), 8 deletions(-)

diff --git a/doc/configuration.md b/doc/configuration.md
index 35d4647..3a56f93 100644
--- a/doc/configuration.md
+++ b/doc/configuration.md
@@ -256,6 +256,20 @@ uid | int   | 0 | no| 
UID of the device owne
 gid | int   | 0 | no| GID of the device 
owner in the container
 mode| int   | 0660  | no| Mode of the device 
in the container
 
+### Type: usb
+USB device entries simply make the requested USB device appear in the
+container.
+
+The following properties exist:
+
+Key | Type  | Default   | Required  | Description
+:-- | :--   | :--   | :--   | :--
+productid   | string| - | yes   | The product id of 
the USB device.
+vendorid| string| - | no| The vendor id of the 
USB device.
+uid | int   | 0 | no| UID of the device 
owner in the container
+gid | int   | 0 | no| GID of the device 
owner in the container
+mode| int   | 0660  | no| Mode of the device 
in the container
+
 ## Profiles
 Profiles can store any configuration that a container can (key/value or 
devices)
 and any number of profiles can be applied to a container.
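Review bot: The table marks `productid` as required and `vendorid` as optional, but USB product ids are allocated per vendor, so a product id alone can match devices from different vendors. Either require `vendorid` as well or document that an omitted `vendorid` matches any vendor with that product id, so users know which devices a profile can pass through.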
diff --git a/lxd/api_1.0.go b/lxd/api_1.0.go
index c02d810..5d6a141 100644
--- a/lxd/api_1.0.go
+++ b/lxd/api_1.0.go
@@ -62,6 +62,7 @@ func api10Get(d *Daemon, r *http.Request) Response {
"container_last_used_at",
"etag",
"patch",
+   "usb_devices",
},
 
"api_status":  "stable",
diff --git a/lxd/container.go b/lxd/container.go
index a602ce1..04932db 100644
--- a/lxd/container.go
+++ b/lxd/container.go
@@ -128,6 +128,21 @@ func containerValidDeviceConfigKey(t, k string) bool {
default:
return false
}
+   case "usb":
+   switch k {
+   case "vendorid":
+   return true
+   case "productid":
+   return true
+   case "mode":
+   return true
+   case "gid":
+   return true
+   case "uid":
+   return true
+   default:
+   return false
+   }
case "none":
return false
default:
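Review bot: Because only `vendorid`, `productid`, `mode`, `gid` and `uid` are accepted here, the runtime must never write the derived `major`, `minor` and `path` keys back into the persisted device map, or a reload of that config would be rejected by this function; the later "minor USB fixes" PR above had to add a deep copy for exactly this reason. A comment stating that the map is config-only would help.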
@@ -180,7 +195,7 @@ func containerValidDevices(devices shared.Devices, profile 
bool, expanded bool)
return fmt.Errorf("Missing device type for device 
'%s'", name)
}
 
-   if !shared.StringInSlice(m["type"], []string{"none", "nic", 
"disk", "unix-char", "unix-block"}) {
+   if !shared.StringInSlice(m["type"], []string{"none", "nic", 
"disk", "unix-char", "unix-block", "usb"}) {
return fmt.Errorf("Invalid device type for device 
'%s'", name)
}
 
@@ -226,6 +241,10 @@ func containerValidDevices(devices shared.Devices, profile 
bool, expanded bool)
if m["path"] == "" {
return fmt.Errorf("Unix device entry is missing 
the required \"path\" property.")
}
+   } else if m["type"] == "usb" {
+   if 

[lxc-devel] [lxd/master] actually handle containers list error

2016-08-02 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2259

=== Description (from pull-request) ===
Signed-off-by: Tycho Andersen 
From bfeaf76a039ff273bb3660ad321b6babf1da7c77 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Tue, 2 Aug 2016 17:30:28 -0600
Subject: [PATCH] actually handle containers list error

Signed-off-by: Tycho Andersen 
---
 lxd/devices.go | 4 
 1 file changed, 4 insertions(+)

diff --git a/lxd/devices.go b/lxd/devices.go
index 529450d..ddbcc63 100644
--- a/lxd/devices.go
+++ b/lxd/devices.go
@@ -203,6 +203,10 @@ func deviceTaskBalance(d *Daemon) {
 
// Iterate through the containers
containers, err := dbContainersList(d.db, cTypeRegular)
+   if err != nil {
+   shared.Log.Error("problem loading containers list", 
log.Ctx{"err": err})
+   return
+   }
fixedContainers := map[int][]container{}
balancedContainers := map[container]int{}
for _, name := range containers {
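Review bot: the early return is right, but `log.Ctx` needs the log15 `log` import in lxd/devices.go and this 4-line hunk does not add one; confirm the file already imports it (lxd/container_exec.go had to add `log "gopkg.in/inconshreveable/log15.v2"` for the same call in a sibling PR). Consider `Failed to load containers list` for consistency with the capitalised error strings used elsewhere in lxd.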
___
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel


[lxc-devel] [lxd/master] remove unused "name" argument from {create, remove}UnixDevice

2016-08-02 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2258

=== Description (from pull-request) ===
Signed-off-by: Tycho Andersen 
From 1a532c736334975cdac6826068c149de4967bd12 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Tue, 2 Aug 2016 13:06:45 -0600
Subject: [PATCH] remove unused "name" argument from {create,remove}UnixDevice

Signed-off-by: Tycho Andersen 
---
 lxd/container_lxc.go | 10 +-
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index ed85235..81aaf65 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
@@ -1084,7 +1084,7 @@ func (c *containerLXC) startCommon() (string, error) {
for k, m := range c.expandedDevices {
if shared.StringInSlice(m["type"], []string{"unix-char", 
"unix-block"}) {
// Unix device
-   devPath, err := c.createUnixDevice(k, m)
+   devPath, err := c.createUnixDevice(m)
if err != nil {
return "", err
}
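Review bot: dropping `k` from the `createUnixDevice` call leaves `for k, m := range c.expandedDevices` still declaring `k`; if that call was its only use the loop no longer compiles (`k declared and not used`), and if `k` is still used elsewhere in the body the hunk does not show where. The same question applies to the `for k, m := range removeDevices` loop in `Update` below; if `k` is now unused in either, change it to `for _, m := range`.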
@@ -2425,7 +2425,7 @@ func (c *containerLXC) Update(args containerArgs, 
userRequested bool) error {
// Live update the devices
for k, m := range removeDevices {
if shared.StringInSlice(m["type"], 
[]string{"unix-char", "unix-block"}) {
-   err = c.removeUnixDevice(k, m)
+   err = c.removeUnixDevice(m)
if err != nil {
return err
}
@@ -3542,7 +3542,7 @@ func (c *containerLXC) removeMount(mount string) error {
 }
 
 // Unix devices handling
-func (c *containerLXC) createUnixDevice(name string, m shared.Device) (string, 
error) {
+func (c *containerLXC) createUnixDevice(m shared.Device) (string, error) {
var err error
var major, minor int
 
@@ -3654,7 +3654,7 @@ func (c *containerLXC) insertUnixDevice(name string, m 
shared.Device) error {
}
 
// Create the device on the host
-   devPath, err := c.createUnixDevice(name, m)
+   devPath, err := c.createUnixDevice(m)
if err != nil {
return fmt.Errorf("Failed to setup device: %s", err)
}
@@ -3679,7 +3679,7 @@ func (c *containerLXC) insertUnixDevice(name string, m 
shared.Device) error {
return nil
 }
 
-func (c *containerLXC) removeUnixDevice(name string, m shared.Device) error {
+func (c *containerLXC) removeUnixDevice(m shared.Device) error {
// Check that the container is running
pid := c.InitPID()
if pid == -1 {


[lxc-devel] [lxd/master] add /dev/net/tun and /dev/fuse to docs

2016-08-02 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2257

=== Description (from pull-request) ===
we supply these devices now, so let's document it

Signed-off-by: Tycho Andersen 
From 4c3a60b51069c2ad0fdd645550ebf83c287c533c Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Tue, 2 Aug 2016 08:58:00 -0600
Subject: [PATCH] add /dev/net/tun and /dev/fuse to docs

we supply these devices now, so let's document it

Signed-off-by: Tycho Andersen 
---
 doc/configuration.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/doc/configuration.md b/doc/configuration.md
index 5047daf..35d4647 100644
--- a/doc/configuration.md
+++ b/doc/configuration.md
@@ -143,6 +143,8 @@ Those includes:
  - /dev/tty (character device)
  - /dev/random (character device)
  - /dev/urandom (character device)
+ - /dev/net/tun (character device)
+ - /dev/fuse (character device)
  - lo (network interface)
 
 Anything else has to be defined in the container configuration or in one
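Review bot: worth one sentence on what each new default device enables, since both widen the default device surface compared with the tty/random entries above them: `/dev/net/tun` lets processes in the container create TUN/TAP interfaces (VPNs, userspace networking) and `/dev/fuse` lets them mount FUSE filesystems. A reader hardening a profile should be able to see from this list that they are present by default.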


[lxc-devel] [lxd/master] remember the return code in the non wait-for-websocket case

2016-08-01 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2253

=== Description (from pull-request) ===
Closes #2243

Signed-off-by: Tycho Andersen 
From dec46251f3c22d59156d4d74d358c1bbeca9e60a Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Mon, 1 Aug 2016 12:30:54 -0600
Subject: [PATCH] remember the return code in the non wait-for-websocket case

Closes #2243

Signed-off-by: Tycho Andersen 
---
 lxd/container_exec.go | 9 -
 test/suites/basic.sh  | 4 
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/lxd/container_exec.go b/lxd/container_exec.go
index 71aee79..57b310b 100644
--- a/lxd/container_exec.go
+++ b/lxd/container_exec.go
@@ -14,6 +14,8 @@ import (
"github.com/gorilla/websocket"
 
"github.com/lxc/lxd/shared"
+
+   log "gopkg.in/inconshreveable/log15.v2"
 )
 
 type commandPostContent struct {
@@ -329,7 +331,12 @@ func containerExecPost(d *Daemon, r *http.Request) 
Response {
}
defer nullDev.Close()
 
-   _, cmdErr := c.Exec(post.Command, env, nil, nil, nil)
+   cmdResult, cmdErr := c.Exec(post.Command, env, nil, nil, nil)
+   metadata := shared.Jmap{"return": cmdResult}
+   err = op.UpdateMetadata(metadata)
+   if err != nil {
+   shared.Log.Error("error updating metadata for cmd", 
log.Ctx{"err": err, "cmd": post.Command})
+   }
return cmdErr
}
 
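Review bot: if `op.UpdateMetadata` fails the error is only logged and the operation still completes successfully, so the client sees a finished operation with no `return` key and cannot tell a lost exit code from a real one. Suggest propagating it when the command itself succeeded, e.g. `if cmdErr == nil { return err }` after the log line, so a missing return code surfaces as an operation failure.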
diff --git a/test/suites/basic.sh b/test/suites/basic.sh
index b45ef7b..dcbfe21 100644
--- a/test/suites/basic.sh
+++ b/test/suites/basic.sh
@@ -259,6 +259,10 @@ test_basic_usage() {
   lxc exec --env BEST_BAND=meshuggah foo env | grep meshuggah
   lxc exec foo ip link show | grep eth0
 
+  # check that we can get the return code for a non- wait-for-websocket exec
+  op=$(my_curl -X POST "https://${LXD_ADDR}/1.0/containers/foo/exec; -d 
'{"command": ["sleep", "1"], "environment": {}, "wait-for-websocket": false, 
"interactive": false}' | jq -r .operation)
+  [ "$(my_curl "https://${LXD_ADDR}${op}/wait; | jq -r 
.metadata.metadata.return)" != "null" ]
+
   # test file transfer
   echo abc > "${LXD_DIR}/in"
 
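Review bot: the test only checks that `.metadata.metadata.return` is not `null`, which also passes if the code stored a wrong value. Since the command is `sleep 1`, assert `= "0"`, and add a second case with a non-zero exit (e.g. `["sh", "-c", "exit 3"]` expecting `"3"`) so the field is shown to carry the real status.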


[lxc-devel] [lxd/master] list: fix concurrent read/write

2016-07-19 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2214

=== Description (from pull-request) ===
We can't concurrently write, but we can't concurrently read either, so let's
extend the lock duration.

Closes #2183

fatal error: concurrent map read and map write

goroutine 1 [running]:
runtime.throw(0x9cd180, 0x21)
	/usr/lib/go-1.6/src/runtime/panic.go:530 +0x90 fp=0xc8200f0fa8 sp=0xc8200f0f90
runtime.mapaccess2_faststr(0x808280, 0xc8201db140, 0xc8201b43d0, 0xb, 0x0, 0xdbf920)
	/usr/lib/go-1.6/src/runtime/hashmap_fast.go:307 +0x5b fp=0xc8200f1008 sp=0xc8200f0fa8
main.(*listCmd).listContainers(0xc82000be30, 0xc8200d0700, 0xc8201e, 0x32, 0x50, 0xc820011a50, 0x1, 0x1, 0xc82008ff00, 0x3, ...)
	/build/lxd-ma7bPQ/lxd-2.0.2/obj-x86_64-linux-gnu/src/github.com/lxc/lxd/lxc/list.go:254 +0x651 fp=0xc8200f1750 sp=0xc8200f1008
main.(*listCmd).run(0xc82000be30, 0xc8200f2030, 0x0, 0x0, 0x0, 0x0, 0x0)
	/build/lxd-ma7bPQ/lxd-2.0.2/obj-x86_64-linux-gnu/src/github.com/lxc/lxd/lxc/list.go:401 +0x1324 fp=0xc8200f1ae8 sp=0xc8200f1750
main.run(0x0, 0x0)
	/build/lxd-ma7bPQ/lxd-2.0.2/obj-x86_64-linux-gnu/src/github.com/lxc/lxd/lxc/main.go:151 +0x1098 fp=0xc8200f1df0 sp=0xc8200f1ae8
main.main()
	/build/lxd-ma7bPQ/lxd-2.0.2/obj-x86_64-linux-gnu/src/github.com/lxc/lxd/lxc/main.go:23 +0x3a fp=0xc8200f1f40 sp=0xc8200f1df0
runtime.main()
	/usr/lib/go-1.6/src/runtime/proc.go:188 +0x2b0 fp=0xc8200f1f90 sp=0xc8200f1f40
runtime.goexit()
	/usr/lib/go-1.6/src/runtime/asm_amd64.s:1998 +0x1 fp=0xc8200f1f98 sp=0xc8200f1f90

Signed-off-by: Tycho Andersen 
From 7d755a934690734f17d3c7eb661e190d0d06a7ec Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Tue, 19 Jul 2016 09:25:50 -0600
Subject: [PATCH] list: fix concurrent read/write

We can't concurrently write, but we can't concurrently read either, so let's
extend the lock duration.

Closes #2183

fatal error: concurrent map read and map write

goroutine 1 [running]:
runtime.throw(0x9cd180, 0x21)
	/usr/lib/go-1.6/src/runtime/panic.go:530 +0x90 fp=0xc8200f0fa8 sp=0xc8200f0f90
runtime.mapaccess2_faststr(0x808280, 0xc8201db140, 0xc8201b43d0, 0xb, 0x0, 0xdbf920)
	/usr/lib/go-1.6/src/runtime/hashmap_fast.go:307 +0x5b fp=0xc8200f1008 sp=0xc8200f0fa8
main.(*listCmd).listContainers(0xc82000be30, 0xc8200d0700, 0xc8201e, 0x32, 0x50, 0xc820011a50, 0x1, 0x1, 0xc82008ff00, 0x3, ...)
	/build/lxd-ma7bPQ/lxd-2.0.2/obj-x86_64-linux-gnu/src/github.com/lxc/lxd/lxc/list.go:254 +0x651 fp=0xc8200f1750 sp=0xc8200f1008
main.(*listCmd).run(0xc82000be30, 0xc8200f2030, 0x0, 0x0, 0x0, 0x0, 0x0)
	/build/lxd-ma7bPQ/lxd-2.0.2/obj-x86_64-linux-gnu/src/github.com/lxc/lxd/lxc/list.go:401 +0x1324 fp=0xc8200f1ae8 sp=0xc8200f1750
main.run(0x0, 0x0)
	/build/lxd-ma7bPQ/lxd-2.0.2/obj-x86_64-linux-gnu/src/github.com/lxc/lxd/lxc/main.go:151 +0x1098 fp=0xc8200f1df0 sp=0xc8200f1ae8
main.main()
	/build/lxd-ma7bPQ/lxd-2.0.2/obj-x86_64-linux-gnu/src/github.com/lxc/lxd/lxc/main.go:23 +0x3a fp=0xc8200f1f40 sp=0xc8200f1df0
runtime.main()
	/usr/lib/go-1.6/src/runtime/proc.go:188 +0x2b0 fp=0xc8200f1f90 sp=0xc8200f1f40
runtime.goexit()
	/usr/lib/go-1.6/src/runtime/asm_amd64.s:1998 +0x1 fp=0xc8200f1f98 sp=0xc8200f1f90

Signed-off-by: Tycho Andersen 
---
 lxc/list.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lxc/list.go b/lxc/list.go
index a4863c3..b8fbffa 100644
--- a/lxc/list.go
+++ b/lxc/list.go
@@ -283,12 +283,12 @@ func (c *listCmd) listContainers(d *lxd.Client, cinfos 
[]shared.ContainerInfo, f
for _, cInfo := range cinfos {
for _, column := range columns {
if column.NeedsState && cInfo.IsActive() {
+   cStatesLock.Lock()
_, ok := cStates[cInfo.Name]
if ok {
continue
}
 
-   cStatesLock.Lock()
cStates[cInfo.Name] = nil
cStatesLock.Unlock()
 
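Review bot: moving `cStatesLock.Lock()` above the lookup is the right fix for the race, but the `continue` on the `ok` path now runs with the mutex held and never releases it; `sync.Mutex` is not reentrant, so the next `Lock()` in the following column or container iteration blocks forever. Add `cStatesLock.Unlock()` before `continue`, or restructure as `_, ok := cStates[cInfo.Name]; if !ok { cStates[cInfo.Name] = nil }` followed by a single `Unlock()` and then `if ok { continue }`.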
@@ -296,12 +296,12 @@ func (c *listCmd) listContainers(d *lxd.Client, cinfos 
[]shared.ContainerInfo, f
}
 
if column.NeedsSnapshots {
+   cSnapshotsLock.Lock()
_, ok := cSnapshots[cInfo.Name]
if ok {
continue
}
 
-   cSnapshotsLock.Lock()
cSnapshots[cInfo.Name] = nil
cSnapshotsLock.Unlock()
 
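Review bot: same leak as in the hunk above: `cSnapshotsLock.Lock()` followed by `continue` when the name is already present never unlocks, so the next container needing snapshots deadlocks. Release the lock before `continue`; a `defer` does not help inside the loop body because it would only fire at function return.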

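The check-then-insert that this PR guards is the classic place for a map race, and the fix only works if the lookup and the insert form one critical section that is released on every path. As an added example (not lxd's code), here is that pattern in Go, modelled on the `cStates` map from lxc/list.go: `claim` reserves a name exactly once no matter how many goroutines race for it, and reads take the lock as well. The type and function names, and the "Running" stand-in for the API call, are this example's own.

```go
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
)

// stateCache mirrors the cStates/cSnapshots maps in lxc/list.go: container name to
// fetched state, shared by the goroutines that fetch state for each column. Go maps are
// not safe for any concurrent access; a reader racing a writer aborts the process with
// "fatal error: concurrent map read and map write", so the lookup and the insert must
// both run under the same lock, and as one critical section.
type stateCache struct {
	mu     sync.Mutex
	states map[string]*string // nil entry = fetch in progress (the patch stores nil too)
}

func newStateCache() *stateCache {
	return &stateCache{states: map[string]*string{}}
}

// claim atomically checks whether name is known and, if not, reserves it. It returns
// true exactly once per name however many goroutines race for it. The unlock is deferred
// so the "already claimed" path releases the mutex as well; a bare `continue` after
// Lock() would leave it held.
func (c *stateCache) claim(name string) bool {
	c.mu.Lock()
	defer c.mu.Unlock()
	if _, ok := c.states[name]; ok {
		return false
	}
	c.states[name] = nil
	return true
}

// set records the fetched state for a name that was claimed earlier.
func (c *stateCache) set(name, state string) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.states[name] = &state
}

// get reads a state. Reads take the lock too; that is the point of the patch.
func (c *stateCache) get(name string) (string, bool) {
	c.mu.Lock()
	defer c.mu.Unlock()
	s, ok := c.states[name]
	if !ok || s == nil {
		return "", false
	}
	return *s, true
}

// fetchAll simulates the list command: every (container, column) pair starts a goroutine,
// yet each container's state is fetched at most once. It returns the number of fetches.
func fetchAll(names []string, columnsNeedingState int) (int, *stateCache) {
	cache := newStateCache()
	var wg sync.WaitGroup
	var fetches int32
	for _, name := range names {
		for col := 0; col < columnsNeedingState; col++ {
			wg.Add(1)
			go func(name string) {
				defer wg.Done()
				if !cache.claim(name) {
					return // another goroutine already owns this fetch
				}
				atomic.AddInt32(&fetches, 1)
				cache.set(name, "Running") // constructed stand-in for the API call
			}(name)
		}
	}
	wg.Wait()
	return int(atomic.LoadInt32(&fetches)), cache
}

func main() {
	n, cache := fetchAll([]string{"foo", "bar", "baz"}, 4)
	st, _ := cache.get("foo")
	fmt.Printf("%d fetches, foo=%s\n", n, st) // 3 fetches, foo=Running
}
```

Run it under `go test -race` or `go run -race` to have the race detector confirm there is no unsynchronised map access; the same detector flags the original `lxc list` bug immediately, which is a cheaper way to find this class of problem than waiting for the runtime's fatal error in production.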
[lxc-devel] [lxd/master] better errors when sanity checking devices

2016-07-12 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2202

=== Description (from pull-request) ===
let's always include the path, so it's obvious which device is broken.

Signed-off-by: Tycho Andersen 
From 0f708ae6e2e04ff5b1beb399bf41c7b6f9a192b3 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Tue, 12 Jul 2016 12:33:32 -0600
Subject: [PATCH] better errors when sanity checking devices

let's always include the path, so it's obvious which device is broken.

Signed-off-by: Tycho Andersen 
---
 lxd/container_lxc.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index 7cde497..5d1503b 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
@@ -3536,10 +3536,10 @@ func (c *containerLXC) createUnixDevice(name string, m 
shared.Device) (string, e
// If no major and minor are set, use those from the device on 
the host
_, major, minor, err = deviceGetAttributes(srcPath)
if err != nil {
-   return "", fmt.Errorf("Failed to get device attributes: 
%s", err)
+   return "", fmt.Errorf("Failed to get device attributes 
for %s: %s", m["path"], err)
}
} else if m["major"] == "" || m["minor"] == "" {
-   return "", fmt.Errorf("Both major and minor must be supplied 
for devices")
+   return "", fmt.Errorf("Both major and minor must be supplied 
for device: %s", m["path"])
} else {
major, err = strconv.Atoi(m["major"])
if err != nil {
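Review bot: `m["path"]` identifies the host node, but the device entry `name` is also in scope here (`createUnixDevice(name string, ...)`) and two entries can point at the same path, so `for device %s (%s)` with name and path pins down exactly which config entry is wrong; the same applies to the second message.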


[lxc-devel] [lxd/master] don't fail db upgrade if $LXD_DIR/containers doesn't exist

2016-07-12 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2199

=== Description (from pull-request) ===
The user may not have actually started LXD or imported any containers, so
let's not fail in this case.

Launchpad #1602025

Signed-off-by: Tycho Andersen 
From c3c749cb78fe2c13a12decec9eb7fd68aac0 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Tue, 12 Jul 2016 08:38:31 -0600
Subject: [PATCH] don't fail db upgrade if $LXD_DIR/containers doesn't exist

The user may not have actually started LXD or imported any containers, so
let's not fail in this case.

Launchpad #1602025

Signed-off-by: Tycho Andersen 
---
 lxd/db_update.go | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/lxd/db_update.go b/lxd/db_update.go
index db5c913..b3c6894 100644
--- a/lxd/db_update.go
+++ b/lxd/db_update.go
@@ -136,6 +136,13 @@ func dbUpdateFromV30(currentVersion int, version int, d 
*Daemon) error {
 
entries, err := ioutil.ReadDir(shared.VarPath("containers"))
if err != nil {
+   /* If the directory didn't exist before, the user had never
+* started containers, so we don't need to fix up permissions
+* on anything.
+*/
+   if os.IsNotExist(err) {
+   return nil
+   }
return err
}
 
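Review bot: returning `nil` on ENOENT means the permission fix-up this update performs is skipped for good, since the schema version still advances; if `$LXD_DIR/containers` is missing because the daemon was started with the wrong `LXD_DIR` rather than because no container ever existed, the ownership fixes silently never happen. Suggest logging at warning level, path included, before the `return nil` so the skip is visible in the daemon log.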


[lxc-devel] [lxd/master] Resume dump on failed restore

2016-07-08 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2191

=== Description (from pull-request) ===

From bde987ddbf167f5e848d001b4e28d828d6b093b9 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Thu, 7 Jul 2016 22:28:32 +
Subject: [PATCH 1/2] make client.websocket a public API

We'll use this in the next patch.

Signed-off-by: Tycho Andersen 
---
 client.go | 10 +-
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/client.go b/client.go
index 3567127..3e0d791 100644
--- a/client.go
+++ b/client.go
@@ -482,7 +482,7 @@ func (c *Client) delete(base string, args interface{}, 
rtype ResponseType) (*Res
return HoistResponse(resp, rtype)
 }
 
-func (c *Client) websocket(operation string, secret string) (*websocket.Conn, 
error) {
+func (c *Client) Websocket(operation string, secret string) (*websocket.Conn, 
error) {
query := url.Values{"secret": []string{secret}}
url := c.BaseWSURL + path.Join(operation, "websocket") + "?" + 
query.Encode()
return WebsocketDial(c.websocketDialer, url)
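Review bot: `Websocket` is now exported but has no doc comment; add one stating that `secret` is the per-fd secret from the operation's metadata and that it is sent in the query string of the dial URL, so external callers understand they are handing over a credential and should not log the resulting URL.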
@@ -1513,7 +1513,7 @@ func (c *Client) Exec(name string, cmd []string, env 
map[string]string,
if controlHandler != nil {
var control *websocket.Conn
if wsControl, ok := fds["control"]; ok {
-   control, err = c.websocket(resp.Operation, 
wsControl.(string))
+   control, err = c.Websocket(resp.Operation, 
wsControl.(string))
if err != nil {
return -1, err
}
@@ -1522,7 +1522,7 @@ func (c *Client) Exec(name string, cmd []string, env 
map[string]string,
go controlHandler(c, control)
}
 
-   conn, err := c.websocket(resp.Operation, fds["0"].(string))
+   conn, err := c.Websocket(resp.Operation, fds["0"].(string))
if err != nil {
return -1, err
}
@@ -1535,7 +1535,7 @@ func (c *Client) Exec(name string, cmd []string, env 
map[string]string,
conns := make([]*websocket.Conn, 3)
dones := make([]chan bool, 3)
 
-   conns[0], err = c.websocket(resp.Operation, 
fds[strconv.Itoa(0)].(string))
+   conns[0], err = c.Websocket(resp.Operation, 
fds[strconv.Itoa(0)].(string))
if err != nil {
return -1, err
}
@@ -1545,7 +1545,7 @@ func (c *Client) Exec(name string, cmd []string, env 
map[string]string,
 
outputs := []io.WriteCloser{stdout, stderr}
for i := 1; i < 3; i++ {
-   conns[i], err = c.websocket(resp.Operation, 
fds[strconv.Itoa(i)].(string))
+   conns[i], err = c.Websocket(resp.Operation, 
fds[strconv.Itoa(i)].(string))
if err != nil {
return -1, err
}

From b8078bc35703bdf09062adfc3491bbc70ba2aa14 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Thu, 7 Jul 2016 02:35:44 +
Subject: [PATCH 2/2] resume dumped container on failed restore

This commit implements "freezing" the dumped container until we are sure
that the restore was successful. Because of various issues (namely, TCP
socket repair mode and windowing, but also various other problems), we
can't simply implement some kind of --leave-frozen option in CRIU.

Instead, we have CRIU do a callback when the dump is done but the container
is still frozen, so that we can then try the restore and see if it succeeds.

Signed-off-by: Tycho Andersen 
---
 lxd/container.go |   7 +++-
 lxd/container_lxc.go |  14 +--
 lxd/main.go  |  23 +++
 lxd/migrate.go   | 115 ---
 4 files changed, 147 insertions(+), 12 deletions(-)

diff --git a/lxd/container.go b/lxd/container.go
index dd1038c..8242de7 100644
--- a/lxd/container.go
+++ b/lxd/container.go
@@ -271,7 +271,10 @@ type container interface {
 
// Snapshots & migration
Restore(sourceContainer container) error
-   Migrate(cmd uint, stateDir string, function string, stop bool) error
+   /* actionScript here is a script called action.sh in the stateDir, to
+* be passed to CRIU as --action-script
+*/
+   Migrate(cmd uint, stateDir string, function string, stop bool, 
actionScript bool) error
Snapshots() ([]container, error)
 
// Config handling
@@ -457,7 +460,7 @@ func containerCreateAsSnapshot(d *Daemon, args 
containerArgs, sourceContainer co
 * after snapshotting will fail.
   
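The callback the second commit message describes, as an added example (not LXD's or liblxc's code): a Go program that can be installed as the CRIU action script and that holds the dump at its post-dump stage until the restoring side reports a verdict. CRIU passing the stage name in `CRIU_ACTION` and failing the stage on a non-zero exit are CRIU's behaviour; the `RESTORE_RESULT_FIFO` variable, the `ok`/`fail` verdict format and the function names are this example's own assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"strings"
)

// CRIU runs the --action-script executable at each stage of a dump or restore, with the
// stage name in the CRIU_ACTION environment variable, and treats a non-zero exit as a
// failure of that stage. At "post-dump" the images are already written but the tasks are
// still frozen: failing here makes criu report the dump as failed and resume the tasks,
// which is what the patch relies on to bring a container back when the restore on the
// other side did not succeed.
const (
	actionPostDump = "post-dump"
	resultEnv      = "RESTORE_RESULT_FIFO" // assumed: fifo the restoring side writes "ok"/"fail" to
)

// decide maps a CRIU stage, plus the restore verdict for post-dump, to the exit status
// the script should return. All other stages are no-ops so criu proceeds normally.
func decide(action string, verdict io.Reader) (int, error) {
	if action != actionPostDump {
		return 0, nil
	}
	// Blocking read: criu will not finish the dump until this function returns.
	line, err := bufio.NewReader(verdict).ReadString('\n')
	if err != nil && err != io.EOF {
		return 1, fmt.Errorf("reading restore verdict: %w", err)
	}
	switch strings.TrimSpace(line) {
	case "ok":
		return 0, nil // restore worked: let criu complete the dump
	case "fail":
		return 1, fmt.Errorf("restore failed; failing post-dump so criu resumes the source")
	default:
		// No or unknown verdict: fail closed and keep the source container running.
		return 1, fmt.Errorf("no usable verdict from the restoring side (got %q)", line)
	}
}

// run is the program body, kept separate from main so deferred closes run before exit.
func run() int {
	action := os.Getenv("CRIU_ACTION")
	var verdict io.Reader = strings.NewReader("") // no fifo configured: post-dump fails closed
	if p := os.Getenv(resultEnv); p != "" && action == actionPostDump {
		f, err := os.Open(p) // opening a fifo for reading blocks until the writer connects
		if err != nil {
			fmt.Fprintln(os.Stderr, "action script:", err)
			return 1
		}
		defer f.Close()
		verdict = f
	}
	code, err := decide(action, verdict)
	if err != nil {
		fmt.Fprintln(os.Stderr, "action script:", err)
	}
	return code
}

func main() {
	os.Exit(run())
}
```

The fail-closed default matters: if the verdict channel breaks (the restoring side crashes, the fifo is never written), the worst outcome is a dump that is reported as failed and a source container that keeps running, not a workload that exists on neither side.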

[lxc-devel] [go-lxc/v2] add support for liblxc's new action_script member in migrate_opts

2016-07-07 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/go-lxc/pull/63

=== Description (from pull-request) ===
```
17:18:02 stgraber | yeah, no problem pulling that in 2.0.4
```
From 0c025de58fa8b54f9afaa6a494731a2fffce5503 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Wed, 6 Jul 2016 23:50:47 +
Subject: [PATCH 1/2] actually send the predump dir through

In particular s/:=/=/

Also drop unneeded initialization.

Signed-off-by: Tycho Andersen 
---
 container.go | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/container.go b/container.go
index d8d0a93..dcf37b2 100644
--- a/container.go
+++ b/container.go
@@ -1502,10 +1502,9 @@ func (c *Container) Migrate(cmd uint, opts 
MigrateOptions) error {
defer C.free(unsafe.Pointer(cdirectory))
 
var cpredumpdir *C.char
-   cpredumpdir = nil
 
if opts.PredumpDir != "" {
-   cpredumpdir := C.CString(opts.PredumpDir)
+   cpredumpdir = C.CString(opts.PredumpDir)
defer C.free(unsafe.Pointer(cpredumpdir))
}
 
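Review bot: the old `:=` declared a new `cpredumpdir` that shadowed the outer one, so `PredumpDir` was silently never passed to liblxc and the compiler could not flag it because the inner variable was used by the `defer`. Worth enabling go vet's experimental `-shadow` check in go-lxc's CI so this class of bug is caught mechanically.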

From 658520b0f87e54b37ce19683784c0fecaaf942e7 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Wed, 6 Jul 2016 23:58:07 +
Subject: [PATCH 2/2] c/r: add support for liblxc's action_script

Signed-off-by: Tycho Andersen 
---
 container.go  | 7 +++
 lxc-binding.c | 4 
 lxc-binding.h | 1 +
 options.go| 1 +
 4 files changed, 13 insertions(+)

diff --git a/container.go b/container.go
index dcf37b2..5d253f8 100644
--- a/container.go
+++ b/container.go
@@ -1518,8 +1518,15 @@ func (c *Container) Migrate(cmd uint, opts 
MigrateOptions) error {
predump_dir: cpredumpdir,
}
 
+   var cActionScript *C.char
+   if opts.ActionScript != "" {
+   cActionScript = C.CString(opts.ActionScript)
+   defer C.free(unsafe.Pointer(cActionScript))
+   }
+
extras := C.struct_extra_migrate_opts{
preserves_inodes: C.bool(opts.PreservesInodes),
+   action_script:cActionScript,
}
 
ret := C.int(C.go_lxc_migrate(c.container, C.uint(cmd), , 
))
diff --git a/lxc-binding.c b/lxc-binding.c
index 90ba45c..7712d8e 100644
--- a/lxc-binding.c
+++ b/lxc-binding.c
@@ -366,6 +366,10 @@ bool go_lxc_restore(struct lxc_container *c, char 
*directory, bool verbose) {
 }
 
 int go_lxc_migrate(struct lxc_container *c, unsigned int cmd, struct 
migrate_opts *opts, struct extra_migrate_opts *extras) {
+#if VERSION_AT_LEAST(2, 0, 4)
+   opts->action_script = extras->action_script;
+#endif
+
 #if VERSION_AT_LEAST(2, 0, 1)
opts->preserves_inodes = extras->preserves_inodes;
 #endif
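Review bot: on a liblxc older than 2.0.4 the `action_script` assignment compiles out, so a caller that set `MigrateOptions.ActionScript` gets a dump that runs without the script and no error; since the LXD caller depends on the script being invoked to learn whether the restore succeeded, `go_lxc_migrate` should fail (return an error code) when `extras->action_script` is non-NULL and the version gate is not met, instead of ignoring it.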
diff --git a/lxc-binding.h b/lxc-binding.h
index e114494..da046f0 100644
--- a/lxc-binding.h
+++ b/lxc-binding.h
@@ -87,6 +87,7 @@ struct migrate_opts {
  */
 struct extra_migrate_opts {
bool preserves_inodes;
+   char *action_script;
 };
 int go_lxc_migrate(struct lxc_container *c, unsigned int cmd, struct 
migrate_opts *opts, struct extra_migrate_opts *extras);
 
diff --git a/options.go b/options.go
index 030c35f..47dc392 100644
--- a/options.go
+++ b/options.go
@@ -194,4 +194,5 @@ type MigrateOptions struct {
Stopbool
PredumpDir  string
PreservesInodes bool
+   ActionScriptstring
 }


[lxc-devel] [lxc/master] c/r: add support for CRIU's --action-script

2016-07-07 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/1075

=== Description (from pull-request) ===
Signed-off-by: Tycho Andersen 
From b9ee6643cba207223a035f822d3fabd3eb2c8370 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Wed, 6 Jul 2016 23:45:15 +
Subject: [PATCH] c/r: add support for CRIU's --action-script

Signed-off-by: Tycho Andersen 
---
 src/lxc/criu.c | 8 
 src/lxc/lxccontainer.h | 5 +
 2 files changed, 13 insertions(+)

diff --git a/src/lxc/criu.c b/src/lxc/criu.c
index a1b7d40..94b9ce4 100644
--- a/src/lxc/criu.c
+++ b/src/lxc/criu.c
@@ -185,6 +185,9 @@ static void exec_criu(struct criu_opts *opts)
if (opts->user->verbose)
static_args++;
 
+   if (opts->user->action_script)
+   static_args += 2;
+
ret = snprintf(log, PATH_MAX, "%s/%s.log", opts->user->directory, 
opts->action);
if (ret < 0 || ret >= PATH_MAX) {
ERROR("logfile name too long\n");
@@ -235,6 +238,11 @@ static void exec_criu(struct criu_opts *opts)
if (opts->user->verbose)
DECLARE_ARG("-vv");
 
+   if (opts->user->action_script) {
+   DECLARE_ARG("--action-script");
+   DECLARE_ARG(opts->user->action_script);
+   }
+
if (strcmp(opts->action, "dump") == 0 || strcmp(opts->action, 
"pre-dump") == 0) {
char pid[32], *freezer_relative;
 
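Review bot: `opts->user->action_script` is handed to criu exactly as given, with no check that it is an absolute path to an executable; criu only discovers a bad path when it first tries to run the script, after the dump has started. Suggest an `access(action_script, X_OK)` check with an `ERROR` log before building the argv, and documenting in `lxccontainer.h` that criu invokes the script with `CRIU_ACTION` set to the stage name and aborts the stage on a non-zero exit.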
diff --git a/src/lxc/lxccontainer.h b/src/lxc/lxccontainer.h
index ecc66e2..bde4912 100644
--- a/src/lxc/lxccontainer.h
+++ b/src/lxc/lxccontainer.h
@@ -891,6 +891,11 @@ struct migrate_opts {
 * won't if e.g. you rsync the filesystems between two machines.
 */
bool preserves_inodes;
+
+   /* Path to an executable script that will be registered as a criu
+* "action script"
+*/
+   char *action_script;
 };
 
 /*!


[lxc-devel] [lxd/master] migration: fix tempdir handling

2016-07-07 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2184

=== Description (from pull-request) ===
If we fail to create the tempdir, we don't need to delete it. We *do*
however, need to inform the main thread that the restore failed.

Signed-off-by: Tycho Andersen 
From 1b37603248f27b852464d6cec059b5aba9ad5459 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Thu, 7 Jul 2016 14:59:25 +
Subject: [PATCH] migration: fix tempdir handling

If we fail to create the tempdir, we don't need to delete it. We *do*
however, need to inform the main thread that the restore failed.

Signed-off-by: Tycho Andersen 
---
 lxd/migrate.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lxd/migrate.go b/lxd/migrate.go
index 3ea1a76..14e9c00 100644
--- a/lxd/migrate.go
+++ b/lxd/migrate.go
@@ -540,7 +540,7 @@ func (c *migrationSink) do() error {
var err error
imagesDir, err = ioutil.TempDir("", "lxd_restore_")
if err != nil {
-   os.RemoveAll(imagesDir)
+   restore <- err
return
}
 
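Review bot: sending on `restore` instead of removing a directory that was never created is the right fix; make sure the receiver is already waiting on that channel, or that it is buffered, otherwise this goroutine blocks on the send and the main thread still never learns of the failure.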


[lxc-devel] [lxd/master] Improve pause help

2016-07-06 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2181

=== Description (from pull-request) ===

From dd70184330e3e70bab36363bfe40177ce5b7d56f Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Wed, 6 Jul 2016 15:35:51 -0600
Subject: [PATCH 1/2] use named args for actionCmds

We'll take advantage of this in the next patch making the diff much
shorter.

Signed-off-by: Tycho Andersen 
---
 lxc/main.go | 55 +--
 1 file changed, 37 insertions(+), 18 deletions(-)

diff --git a/lxc/main.go b/lxc/main.go
index ff8b085..fc2da81 100644
--- a/lxc/main.go
+++ b/lxc/main.go
@@ -155,29 +155,48 @@ type command interface {
 }
 
 var commands = map[string]command{
-   "config":   {},
-   "copy": {},
-   "delete":   {},
-   "exec": {},
-   "file": {},
-   "finger":   {},
-   "help": {},
-   "image":{},
-   "info": {},
-   "init": {},
-   "launch":   {},
-   "list": {},
-   "monitor":  {},
-   "move": {},
-   "pause":{shared.Freeze, false, false, "pause", -1, false, 
false, false},
+   "config":  {},
+   "copy":{},
+   "delete":  {},
+   "exec":{},
+   "file":{},
+   "finger":  {},
+   "help":{},
+   "image":   {},
+   "info":{},
+   "init":{},
+   "launch":  {},
+   "list":{},
+   "monitor": {},
+   "move":{},
+   "pause": {
+   action:  shared.Freeze,
+   name:"pause",
+   },
"profile":  {},
"publish":  {},
"remote":   {},
-   "restart":  {shared.Restart, true, true, "restart", -1, 
false, false, false},
+   "restart":  {
+   action: shared.Restart,
+   hasTimeout: true,
+   visible: true,
+   name: "restart",
+   timeout: -1,
+   },
"restore":  {},
"snapshot": {},
-   "start":{shared.Start, false, true, "start", -1, false, 
false, false},
-   "stop": {shared.Stop, true, true, "stop", -1, false, 
false, false},
+   "start":{
+   action: shared.Start,
+   visible: true,
+   name: "start",
+   },
+   "stop": {
+   action: shared.Stop,
+   hasTimeout: true,
+   visible: true,
+   name: "stop",
+   timeout: -1,
+   },
"version":  {},
 }
 
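Review bot: this is not a pure refactor: in the positional form `pause` and `start` both had `timeout: -1`, and their named-field versions omit it, so their timeout silently becomes `0`. `hasTimeout` is false for both, so the value may never be read, but either keep `timeout: -1` on them or say in the commit message that it is unused; `restart` and `stop` do keep it, which makes the omission look accidental.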

From 27ff38d0a670c867a59cf292d2ee241423ddbee7 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Wed, 6 Jul 2016 16:27:09 -0600
Subject: [PATCH 2/2] add some additional help to `lxc pause`

Signed-off-by: Tycho Andersen 
---
 lxc/action.go | 23 ++-
 lxc/main.go   | 39 ---
 2 files changed, 34 insertions(+), 28 deletions(-)

diff --git a/lxc/action.go b/lxc/action.go
index 6858bc9..8fece38 100644
--- a/lxc/action.go
+++ b/lxc/action.go
@@ -10,14 +10,15 @@ import (
 )
 
 type actionCmd struct {
-   action shared.ContainerAction
-   hasTimeout bool
-   visiblebool
-   name   string
-   timeoutint
-   force  bool
-   stateful   bool
-   stateless  bool
+   action shared.ContainerAction
+   hasTimeout bool
+   visiblebool
+   name   string
+   timeoutint
+   force  bool
+   stateful   bool
+   stateless  bool
+   additionalHelp string
 }
 
 func (c *actionCmd) showByDefault() bool {
@@ -25,10 +26,14 @@ func (c *actionCmd) showByDefault() bool {
 }
 
 func (c *actionCmd) usage() string {
+   if c.additionalHelp != "" {
+   c.additionalHelp = fmt.Sprintf("\n\n%s", c.additionalHelp)
+   }
+
return fmt.Sprintf(i18n.G(
`Changes state of one or more containers to %s.
 
-lxc %s  [...]`), c.name, c.name)
+lxc %s  [...]%s`), c.name, c.name, c.additionalHelp)
 }
 
 func (c *actionCmd) flags() {
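Review bot: `usage()` now mutates `c.additionalHelp` in place, so every call prepends another `\n\n` and anything that renders usage twice (help listing plus an error path) shows growing blank lines. Build the string into a local instead: `extra := ""`, then `if c.additionalHelp != "" { extra = fmt.Sprintf("\n\n%s", c.additionalHelp) }`, and pass `extra` to the final `Sprintf`.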
diff --git a/lxc/main.go b/lxc/main.go
index fc2da81..4938a0f 100644
--- a/lxc/main.go
+++ b/lxc/main.go
@@ -170,34 +170,35 @@ var commands = map[string]command{
"monitor": {},
"move":{},
"pause": {
-   action:  shared.Freeze,
-   name:"pause",
+   action: shared.Freeze,
+   name:   "pause",
+   additionalHelp: i18n.G("The opposite of `lxc pause` is `lxc 
start`."),
},
-   "profile":  {},
-   "publish":  {},
-   "remote":   {},
-   "restart":  {
-   action: shared.Restart,
+   "profile": 

[lxc-devel] [lxc/master] c/r: use criu's "full" mode for cgroups

2016-06-27 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/1062

=== Description (from pull-request) ===
A while ago cgroup modes were introduced to CRIU, which slightly changed
the behavior w.r.t. cgroups under the hood. What we're really after is
criu's --full mode, i.e. even if a particular cgroup directory exists
(in particular /lxc/$container[-$number] will, since we create it), we
should restore perms on that cgroup.

Things worked just fine for actual properties (except "special" properties
as criu refers to them, which I've just sent a patch for) because liblxc
creates no subdirectories, just the TLD.

Signed-off-by: Tycho Andersen 
From 0a5fc6dfa772b787b9c06896d348b2137edf0cba Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Mon, 27 Jun 2016 22:24:09 +
Subject: [PATCH] c/r: use criu's "full" mode for cgroups

A while ago cgroup modes were introduced to CRIU, which slightly changed
the behavior w.r.t. cgroups under the hood. What we're really after is
criu's --full mode, i.e. even if a particular cgroup directory exists
(in particular /lxc/$container[-$number] will, since we create it), we
should restore perms on that cgroup.

Things worked just fine for actual properties (except "special" properties
as criu refers to them, which I've just sent a patch for) because liblxc
creates no subdirectories, just the TLD.

Signed-off-by: Tycho Andersen 
---
 src/lxc/criu.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/lxc/criu.c b/src/lxc/criu.c
index ce8ada6..a1b7d40 100644
--- a/src/lxc/criu.c
+++ b/src/lxc/criu.c
@@ -135,7 +135,7 @@ static void exec_criu(struct criu_opts *opts)
 
/* The command line always looks like:
 * criu $(action) --tcp-established --file-locks --link-remap \
-* --manage-cgroups action-script foo.sh -D $(directory) \
+* --manage-cgroups=full action-script foo.sh -D $(directory) \
 * -o $(directory)/$(action).log --ext-mount-map auto
 * --enable-external-sharing --enable-external-masters
 * --enable-fs hugetlbfs --enable-fs tracefs --ext-mount-map 
console:/dev/pts/n
@@ -218,7 +218,7 @@ static void exec_criu(struct criu_opts *opts)
DECLARE_ARG("--tcp-established");
DECLARE_ARG("--file-locks");
DECLARE_ARG("--link-remap");
-   DECLARE_ARG("--manage-cgroups");
+   DECLARE_ARG("--manage-cgroups=full");
DECLARE_ARG("--ext-mount-map");
DECLARE_ARG("auto");
DECLARE_ARG("--enable-external-sharing");
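Review bot: `DECLARE_ARG("--manage-cgroups=full")` is added unconditionally, yet the commit message itself says cgroup modes only arrived in CRIU "a while ago", so a CRIU that predates them will reject the `=full` form and every dump and restore fails instead of falling back to the old behaviour; either probe for the option before adding it or state the new minimum CRIU version in the commit message. Worth spelling out in the message too that "full" restores the dumped ownership and mode onto /lxc/$container, a directory liblxc itself created, so the checkpoint image now decides the permissions of a cgroup the host set up.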
___
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel


[lxc-devel] [lxd/master] improve error message

2016-06-27 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2161

=== Description (from pull-request) ===
Signed-off-by: Tycho Andersen 
From c718e09fe546fa904462a60755a07148657d3ab3 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Mon, 27 Jun 2016 16:44:32 -0600
Subject: [PATCH] improve error message

Signed-off-by: Tycho Andersen 
---
 lxd/container_lxc.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index 6fd0ee4..c3f87a3 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
@@ -3990,7 +3990,7 @@ func (c *containerLXC) createDiskDevice(name string, m 
shared.Device) (string, e
if isOptional {
return "", nil
}
-   return "", fmt.Errorf("Source path doesn't exist")
+   return "", fmt.Errorf("Source path %s doesn't exist for device 
%s", srcPath, name)
}
 
// Create the devices directory if missing
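Review bot: use %q rather than %s for srcPath and name so that an empty path, or one containing whitespace, is visible in the returned error: `return "", fmt.Errorf("Source path %q doesn't exist for device %q", srcPath, name)`.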


[lxc-devel] [lxd/master] apparmor: create an apparmor namespace for each container

2016-06-23 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2151

=== Description (from pull-request) ===
Note that this only allows privileged containers to load apparmor profiles, and
only then with something like:

diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base
index fe24ff3..7138249 100644
--- a/config/apparmor/abstractions/container-base
+++ b/config/apparmor/abstractions/container-base
@@ -93,7 +93,7 @@
   mount fstype=sysfs -> /sys/,
   mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
   deny /sys/firmware/efi/efivars/** rwklx,
-  deny /sys/kernel/security/** rwklx,
+  # deny /sys/kernel/security/** rwklx,
   mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
   mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> /sys/fs/cgroup/,
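Review bot: commenting out `deny /sys/kernel/security/** rwklx` lifts the deny from the whole of securityfs, not only the apparmor interface the description says it needs to reach; if this relaxation is ever carried into the shipped abstraction, narrow it to `/sys/kernel/security/apparmor/**` and keep the wider deny rule in place.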

We'll need to do something with the permissions on
/sys/kernel/security/apparmor to allow unprivileged users to write to it. I'll
be in touch with the security team about that, but for now I don't think this
hurts anything.

Signed-off-by: Tycho Andersen 
From 2f93569e660ded55d554a4a4e6a8065d94835b42 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Fri, 17 Jun 2016 17:51:17 +
Subject: [PATCH] apparmor: create an apparmor namespace for each container

Note that this only allows privileged containers to load apparmor profiles, and
only then with something like:

diff --git a/config/apparmor/abstractions/container-base 
b/config/apparmor/abstractions/container-base
index fe24ff3..7138249 100644
--- a/config/apparmor/abstractions/container-base
+++ b/config/apparmor/abstractions/container-base
@@ -93,7 +93,7 @@
   mount fstype=sysfs -> /sys/,
   mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
   deny /sys/firmware/efi/efivars/** rwklx,
-  deny /sys/kernel/security/** rwklx,
+  # deny /sys/kernel/security/** rwklx,
   mount options=(move) /sys/fs/cgroup/cgmanager/ -> 
/sys/fs/cgroup/cgmanager.lower/,
   mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> 
/sys/fs/cgroup/,

We'll need to do something with the permissions on
/sys/kernel/security/apparmor to allow unprivileged users to write to it. I'll
be in touch with the security team about that, but for now I don't think this
hurts anything.

Signed-off-by: Tycho Andersen 
---
 lxd/apparmor.go  | 87 
 lxd/container_lxc.go | 25 +--
 lxd/daemon.go| 11 +++
 test/suites/basic.sh |  5 +--
 4 files changed, 111 insertions(+), 17 deletions(-)

diff --git a/lxd/apparmor.go b/lxd/apparmor.go
index ce25c50..c2c2327 100644
--- a/lxd/apparmor.go
+++ b/lxd/apparmor.go
@@ -47,6 +47,22 @@ const NESTING_AA_PROFILE = `
   signal,
 `
 
+const DEFAULT_AA_NAMESPACE_PROFILE = `
+#include 
+profile "lxd-default" flags=(attach_disconnected,mediate_deleted) {
+#include 
+
+# Special exception for cgroup namespaces
+%s
+
+# user input raw.apparmor below here
+%s
+
+# nesting support goes here if needed
+%s
+change_profile -> ":%s://*",
+}`
+
 const DEFAULT_AA_PROFILE = `
 #include 
 profile "%s" flags=(attach_disconnected,mediate_deleted) {
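Review bot: `change_profile -> ":%s://*",` permits a transition to any profile in the container's namespace, where DEFAULT_AA_PROFILE just below only permits the single profile it names; add a comment saying the glob is deliberate and that it is only safe under stacking (the aaStacking branch), where the outer profile continues to apply on top of whatever is chosen inside the namespace. Without that, the next reader will take the wildcard for an over-broad rule.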
@@ -63,17 +79,35 @@ profile "%s" flags=(attach_disconnected,mediate_deleted) {
 change_profile -> "%s",
 }`
 
-func AAProfileFull(c container) string {
-   lxddir := shared.VarPath("")
-   if len(c.Name())+len(lxddir)+7 >= 253 {
+func mkApparmorName(name string) string {
+   if len(name)+7 >= 253 {
hash := sha256.New()
-   io.WriteString(hash, lxddir)
-   lxddir = fmt.Sprintf("%x", hash.Sum(nil))
+   io.WriteString(hash, name)
+   return fmt.Sprintf("%x", hash.Sum(nil))
}
 
+   return name
+}
+
+func AANamespace(c container) string {
+   /* / is not allowed in apparmor namespace names; let's also trim the
+* leading / so it doesn't look like "-var-lib-lxd"
+*/
+   lxddir := strings.Replace(shared.VarPath("")[1:], "/", "-", -1)
+   lxddir = mkApparmorName(lxddir)
return fmt.Sprintf("lxd-%s_<%s>", c.Name(), lxddir)
 }
 
+func AAProfileFull(c container) string {
+   if aaStacking {
+   return fmt.Sprintf(":%s://lxd-default", AANamespace(c))
+   } else {
+   lxddir := shared.VarPath("")
+   lxddir = mkApparmorName(lxddir)
+   return fmt.Sprintf("lxd-%s_<%s>", c.Name(), lxddir)
+   }
+}
+
 func AAProfileShort(c container) string {
return fmt.Sprintf("lxd-%s", c.Name())
 }
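Review bot: the length check has regressed. The removed code compared len(c.Name())+len(lxddir)+7 with 253, i.e. the length of the whole "lxd-%s_<%s>" string, but mkApparmorName(name) only ever sees lxddir, so a long container name combined with a moderately long lxddir now produces a name over the limit without ever reaching the sha256 fallback. Do the check on the composed string, or pass the container name's length into mkApparmorName. Separately, `shared.VarPath("")[1:]` in AANamespace assumes an absolute path; strings.TrimPrefix(shared.VarPath(""), "/") says what is meant and cannot mangle a relative one.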
@@ -99,7 +133,26 @@ func getAAProfileContent(c container) string {
nesting = NESTING_AA_PROFILE
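
Added example, not code from the LXD patch above: the namespace and profile naming the patch relies on, written out with the length fallback applied to the whole "lxd-<container>_<<dir>>" string rather than to the lxd directory alone, which is the case the patch's mkApparmorName misses. The 253 limit and the 7 bytes of fixed decoration come from the patch; the function names, the sample paths, the use of TrimPrefix and the contrasting dir-only check are assumptions of this example.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"strings"
)

// aaNameLimit is the limit the patch compares against (assumed from the diff).
const aaNameLimit = 253

// namespaceDirToken makes the lxd directory legal inside an AppArmor
// namespace name: drop the leading "/" (so it does not render as
// "-var-lib-lxd") and turn every remaining "/" into "-". TrimPrefix is used
// instead of [1:] so a relative or empty path cannot produce a garbled token.
func namespaceDirToken(lxddir string) string {
	return strings.Replace(strings.TrimPrefix(lxddir, "/"), "/", "-", -1)
}

// aaName builds "lxd-<name>_<<dir>>". If that complete string would reach the
// limit, the directory component is replaced by its sha256 hex digest, which
// is always 64 bytes; the container name is kept verbatim so the namespace
// still identifies the container. (Assumption: LXD validates container names
// separately, so name alone never approaches the limit.)
func aaName(name, dir string) string {
	if len(name)+len(dir)+7 >= aaNameLimit { // 7 = "lxd-" + "_<" + ">"
		sum := sha256.Sum256([]byte(dir))
		dir = fmt.Sprintf("%x", sum)
	}
	return fmt.Sprintf("lxd-%s_<%s>", name, dir)
}

// aaNameDirOnlyCheck reproduces the patch's mkApparmorName logic, which
// hashes only when the directory by itself is too long, for contrast.
func aaNameDirOnlyCheck(name, dir string) string {
	if len(dir)+7 >= aaNameLimit {
		sum := sha256.Sum256([]byte(dir))
		dir = fmt.Sprintf("%x", sum)
	}
	return fmt.Sprintf("lxd-%s_<%s>", name, dir)
}

// AANamespace is the per-container policy namespace.
func AANamespace(name, lxddir string) string {
	return aaName(name, namespaceDirToken(lxddir))
}

// AAProfileFull is the label the container's init transitions to: the
// "lxd-default" profile inside the container's own namespace.
func AAProfileFull(name, lxddir string) string {
	return fmt.Sprintf(":%s://lxd-default", AANamespace(name, lxddir))
}

// AARemovePayload is the string written to
// /sys/kernel/security/apparmor/.remove to drop the namespace together with
// every profile loaded into it.
func AARemovePayload(name, lxddir string) string {
	return fmt.Sprintf(":%s:", AANamespace(name, lxddir))
}

func main() {
	// Sample inputs are constructed for the example.
	fmt.Println(AANamespace("web1", "/var/lib/lxd"))
	fmt.Println(AAProfileFull("web1", "/var/lib/lxd"))
	fmt.Println(AARemovePayload("web1", "/var/lib/lxd"))
	long := strings.Repeat("n", 100)
	dir := "/" + strings.Repeat("d", 150)
	fmt.Println(len(AANamespace(long, dir)), len(aaNameDirOnlyCheck(long, namespaceDirToken(dir))))
}
```

All three strings are derived from the one AANamespace() call, so the load path (apparmor_parser -n), the transition target and the .remove payload cannot disagree about the name; the last line of main shows the case the dir-only check lets through, a name that is over the limit only in combination.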

[lxc-devel] [lxd/master] tests: fix hang

2016-06-23 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2148

=== Description (from pull-request) ===
lxc asks about the fingerprint more now, so let's tell it that fingerprint
is okay.

Signed-off-by: Tycho Andersen 
From 74c347fc7885b025ffa801feb0fa235d424f5a9e Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Fri, 17 Jun 2016 18:12:46 +
Subject: [PATCH] tests: fix hang

lxc asks about the fingerprint more now, so let's tell it that fingerprint
is okay.

Signed-off-by: Tycho Andersen 
---
 test/main.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/main.sh b/test/main.sh
index 8fb8476..532e7d9 100755
--- a/test/main.sh
+++ b/test/main.sh
@@ -138,7 +138,7 @@ gen_cert() {
   [ -f "${LXD_CONF}/${1}.crt" ] && return
   mv "${LXD_CONF}/client.crt" "${LXD_CONF}/client.crt.bak"
   mv "${LXD_CONF}/client.key" "${LXD_CONF}/client.key.bak"
-  lxc_remote remote add "$(uuidgen)" https://0.0.0.0 || true
+  echo y | lxc_remote remote add "$(uuidgen)" https://0.0.0.0 || true
   mv "${LXD_CONF}/client.crt" "${LXD_CONF}/${1}.crt"
   mv "${LXD_CONF}/client.key" "${LXD_CONF}/${1}.key"
   mv "${LXD_CONF}/client.crt.bak" "${LXD_CONF}/client.crt"
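Review bot: `echo y |` answers whatever lxc asks next rather than the fingerprint prompt specifically, and the `|| true` after it masks every failure mode of `remote add`; that is acceptable only because the remote at https://0.0.0.0 is disposable and the call exists purely to make the client generate client.crt and client.key. A one-line comment saying so would keep the pattern from being copied into a test that talks to a real remote.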


[lxc-devel] [lxd/master] Apparmor namespaces

2016-06-17 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2132

=== Description (from pull-request) ===

From cf1e6bddb7adb70365c64f30a298f0a4f68152c2 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Fri, 17 Jun 2016 17:51:17 +
Subject: [PATCH 1/2] apparmor: create an apparmor namespace for each container

Note that this only allows privileged containers to load apparmor profiles, and
only then with something like:

diff --git a/config/apparmor/abstractions/container-base 
b/config/apparmor/abstractions/container-base
index fe24ff3..7138249 100644
--- a/config/apparmor/abstractions/container-base
+++ b/config/apparmor/abstractions/container-base
@@ -93,7 +93,7 @@
   mount fstype=sysfs -> /sys/,
   mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
   deny /sys/firmware/efi/efivars/** rwklx,
-  deny /sys/kernel/security/** rwklx,
+  # deny /sys/kernel/security/** rwklx,
   mount options=(move) /sys/fs/cgroup/cgmanager/ -> 
/sys/fs/cgroup/cgmanager.lower/,
   mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> 
/sys/fs/cgroup/,

We'll need to do something with the permissions on
/sys/kernel/security/apparmor to allow unprivileged users to write to it. I'll
be in touch with the security team about that, but for now I don't think this
hurts anything.

Signed-off-by: Tycho Andersen 
---
 lxd/apparmor.go  | 29 -
 lxd/container_lxc.go |  4 +++-
 test/suites/basic.sh |  5 +++--
 3 files changed, 26 insertions(+), 12 deletions(-)

diff --git a/lxd/apparmor.go b/lxd/apparmor.go
index ce25c50..2dabab9 100644
--- a/lxd/apparmor.go
+++ b/lxd/apparmor.go
@@ -49,7 +49,7 @@ const NESTING_AA_PROFILE = `
 
 const DEFAULT_AA_PROFILE = `
 #include 
-profile "%s" flags=(attach_disconnected,mediate_deleted) {
+profile "lxd-default" flags=(attach_disconnected,mediate_deleted) {
 #include 
 
 # Special exception for cgroup namespaces
@@ -60,11 +60,14 @@ profile "%s" flags=(attach_disconnected,mediate_deleted) {
 
 # nesting support goes here if needed
 %s
-change_profile -> "%s",
+change_profile -> ":%s://*",
 }`
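Review bot: with the profile now named the fixed string "lxd-default" for every container, the container identity lives solely in the namespace name, so aa-status and kernel messages show only "lxd-default" unless the namespace is printed alongside; say so in a comment on the constant. Note also that DEFAULT_AA_PROFILE now takes four format arguments (cgns, raw.apparmor, nesting, namespace), so the Sprintf call site has to pass them in exactly that order.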
 
-func AAProfileFull(c container) string {
-   lxddir := shared.VarPath("")
+func AANamespace(c container) string {
+   /* / is not allowed in apparmor namespace names; let's also trim the
+* leading / so it doesn't look like "-var-lib-lxd"
+*/
+   lxddir := strings.Replace(shared.VarPath("")[1:], "/", "-", -1)
if len(c.Name())+len(lxddir)+7 >= 253 {
hash := sha256.New()
io.WriteString(hash, lxddir)
@@ -74,6 +77,10 @@ func AAProfileFull(c container) string {
return fmt.Sprintf("lxd-%s_<%s>", c.Name(), lxddir)
 }
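Review bot: `shared.VarPath("")[1:]` silently assumes an absolute path and drops the first real character of a relative one; use strings.TrimPrefix(shared.VarPath(""), "/"). The hashing fallback that follows still replaces only lxddir, which is fine while c.Name() stays well under the limit, but the comment should state that the namespace name is deliberately the same "lxd-%s_<%s>" string the profile used to be called.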
 
+func AAProfileFull(c container) string {
+   return fmt.Sprintf(":%s://lxd-default", AANamespace(c))
+}
+
 func AAProfileShort(c container) string {
return fmt.Sprintf("lxd-%s", c.Name())
 }
@@ -99,7 +106,7 @@ func getAAProfileContent(c container) string {
nesting = NESTING_AA_PROFILE
}
 
-   return fmt.Sprintf(DEFAULT_AA_PROFILE, AAProfileFull(c), 
AAProfileCgns(), rawApparmor, nesting, AAProfileFull(c))
+   return fmt.Sprintf(DEFAULT_AA_PROFILE, AAProfileCgns(), rawApparmor, 
nesting, AANamespace(c))
 }
 
 func runApparmor(command string, c container) error {
@@ -108,6 +115,8 @@ func runApparmor(command string, c container) error {
}
 
cmd := exec.Command("apparmor_parser", []string{
+   "-n",
+   AANamespace(c),
fmt.Sprintf("-%sWL", command),
path.Join(aaPath, "cache"),
path.Join(aaPath, "profiles", AAProfileShort(c)),
@@ -165,14 +174,16 @@ func AALoadProfile(c container) error {
return runApparmor(APPARMOR_CMD_LOAD, c)
 }
 
-// Ensure that the container's policy is unloaded to free kernel memory. This
-// does not delete the policy from disk or cache.
-func AAUnloadProfile(c container) error {
+// Ensure that the container's policy namespace is unloaded to free kernel
+// memory. This does not delete the policy from disk or cache.
+func AADestroyNamespace(c container) error {
if !aaAdmin {
return nil
}
 
-   return runApparmor(APPARMOR_CMD_UNLOAD, c)
+   content := []byte(fmt.Sprintf(":%s:", AANamespace(c)))
+
+   return ioutil.WriteFile("/sys/kernel/security/apparmor/.remove", 
content, 0)
 }
 
 // Parse the profile without loading it into the kernel.
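Review bot: the write to .remove fails when the namespace is not loaded (AALoadProfile failed earlier, or the daemon was restarted and the policy never reloaded), and OnStop then surfaces that as a stop error; treat a missing namespace as already destroyed rather than failing the stop. The doc comment also understates what the function now does: removing ":ns:" drops the whole namespace, including any profiles a privileged container loaded into it itself, not just LXD's own profile.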
diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index 24ff128..969ffab 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
@@ -1423,7 +1423,9 @@ func (c *containerLXC) OnStop(target string) error {
}
 
// Unload the apparmor 

[lxc-devel] [lxd/master] similar to lxc delete, add a -f shortcut to lxc stop

2016-06-16 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2128

=== Description (from pull-request) ===
Signed-off-by: Tycho Andersen 
From 3c55598a3a45a1cfea32aebb6eae72b2ba1f4745 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Thu, 16 Jun 2016 08:32:00 -0600
Subject: [PATCH] similar to lxc delete, add a -f shortcut to lxc stop

Signed-off-by: Tycho Andersen 
---
 lxc/action.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lxc/action.go b/lxc/action.go
index 1cf6a13..dfb3044 100644
--- a/lxc/action.go
+++ b/lxc/action.go
@@ -34,6 +34,7 @@ lxc %s  [...]`), c.name, c.name)
 func (c *actionCmd) flags() {
if c.hasTimeout {
gnuflag.IntVar(, "timeout", -1, i18n.G("Time to wait 
for the container before killing it."))
+   gnuflag.BoolVar(, "f", false, i18n.G("Force the 
container to shutdown."))
gnuflag.BoolVar(, "force", false, i18n.G("Force the 
container to shutdown."))
}
gnuflag.BoolVar(, "stateful", false, i18n.G("Store the 
container state (only for stop)."))
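Review bot: both BoolVar calls carry the same help sentence, so the generated usage prints "Force the container to shutdown." twice; shorten the short flag's text to something like i18n.G("Alias for --force."), and check that `-f` is not already registered by another flag in actionCmd, since this flags() body applies to every action command with hasTimeout set.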


[lxc-devel] [lxd/stable-2.0] Stable 2.0/simplify migration code

2016-06-15 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2122

=== Description (from pull-request) ===
cherry picks of a few commits from master
From 26404a098eca76ac1c05cfe2b1acff563d96bc0f Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Wed, 1 Jun 2016 10:40:55 -0600
Subject: [PATCH 1/2] c/r: switch to the new ->migrate API

We'll use this in the next patch to enable use of new liblxc features.

Signed-off-by: Tycho Andersen 
---
 lxd/container.go |  5 ++---
 lxd/container_lxc.go | 14 +-
 lxd/migrate.go   |  3 +--
 3 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/lxd/container.go b/lxd/container.go
index 9c196ca..cf7884f 100644
--- a/lxd/container.go
+++ b/lxd/container.go
@@ -341,7 +341,7 @@ type container interface {
 
// Snapshots & migration
Restore(sourceContainer container) error
-   Checkpoint(opts lxc.CheckpointOptions) error
+   Migrate(cmd uint, stateDir string, stop bool) error
StartFromMigration(imagesDir string) error
Snapshots() ([]container, error)
 
@@ -527,8 +527,7 @@ func containerCreateAsSnapshot(d *Daemon, args 
containerArgs, sourceContainer co
 * after snapshotting will fail.
 */
 
-   opts := lxc.CheckpointOptions{Directory: stateDir, Stop: false, 
Verbose: true}
-   err = sourceContainer.Checkpoint(opts)
+   err = sourceContainer.Migrate(lxc.MIGRATE_DUMP, stateDir, false)
err2 := CollectCRIULogFile(sourceContainer, stateDir, 
"snapshot", "dump")
if err2 != nil {
shared.Log.Warn("failed to collect criu log file", 
log.Ctx{"error": err2})
diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index 2f48cfa..6f3f117 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
@@ -1385,8 +1385,7 @@ func (c *containerLXC) Stop(stateful bool) error {
}
 
// Checkpoint
-   opts := lxc.CheckpointOptions{Directory: stateDir, Stop: true, 
Verbose: true}
-   err = c.Checkpoint(opts)
+   err = c.Migrate(lxc.MIGRATE_DUMP, stateDir, true)
err2 := CollectCRIULogFile(c, stateDir, "snapshot", "dump")
if err2 != nil {
shared.Log.Warn("failed to collect criu log file", 
log.Ctx{"error": err2})
@@ -2712,14 +2711,19 @@ func (c *containerLXC) Export(w io.Writer) error {
return tw.Close()
 }
 
-func (c *containerLXC) Checkpoint(opts lxc.CheckpointOptions) error {
-   // Load the go-lxc struct
+func (c *containerLXC) Migrate(cmd uint, stateDir string, stop bool) error {
err := c.initLXC()
if err != nil {
return err
}
 
-   return c.c.Checkpoint(opts)
+   opts := lxc.MigrateOptions{
+   Stop: stop,
+   Directory: stateDir,
+   Verbose: true,
+   }
+
+   return c.c.Migrate(cmd, opts)
 }
 
 func (c *containerLXC) TemplateApply(trigger string) error {
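Review bot: Migrate(cmd uint, ...) takes the CRIU action as a bare uint, so nothing stops a caller passing an arbitrary number and the compiler cannot tell MIGRATE_DUMP from MIGRATE_RESTORE; the follow-up patch's own commit message calls this "not an obvious API", so at least reject anything other than the lxc.MIGRATE_* constants here before handing cmd to c.c.Migrate.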
diff --git a/lxd/migrate.go b/lxd/migrate.go
index fdaab35..627e6d0 100644
--- a/lxd/migrate.go
+++ b/lxd/migrate.go
@@ -368,8 +368,7 @@ func (s *migrationSourceWs) Do(op *operation) error {
}
defer os.RemoveAll(checkpointDir)
 
-   opts := lxc.CheckpointOptions{Stop: true, Directory: 
checkpointDir, Verbose: true}
-   err = s.container.Checkpoint(opts)
+   err = s.container.Migrate(lxc.MIGRATE_DUMP, checkpointDir, true)
 
if err2 := CollectCRIULogFile(s.container, checkpointDir, 
"migration", "dump"); err2 != nil {
shared.Debugf("Error collecting checkpoint log file 
%s", err)
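Review bot: the Debugf in the unchanged context just below logs `err`, the result of the Migrate call, instead of `err2`, the log-collection error the message is about, so a failed log collection prints the wrong error (or `<nil>`); since this call site is being touched, change it to `shared.Debugf("Error collecting checkpoint log file %s", err2)`.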

From aba85baec275f692c4d1adff044df577518a7055 Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Tue, 14 Jun 2016 17:40:34 +
Subject: [PATCH 2/2] simplify checkpoint/restore code everywhere

Some problems:

* We had various entry points for migration, each which collected logs in
  various different and inconsistent ways.
* We also had the StartFromMigrate call, and a Migrate() to which you could
  pass lxc.MIGRATE_RESTORE, which wasn't an obvious API.
* at each point we had a check that did the rootfs shifting if necessary
* we had to do findCriu everywhere manually

Now that we have a Migrate() call, let's just route everything through
that, and handle all of this in a uniform way.

Note that some findCriu calls are still prudent to do e.g. in snapshot
restore, before we actually do all the filesystem work to restore stuff if
the snapshot is stateful. I've left those sorts of calls in.

Note: this is a modified version (dropping the preserveInodes bits) from

[lxc-devel] [lxd/master] Simplify migration code

2016-06-14 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2120

=== Description (from pull-request) ===

From 31f1e20ca1c97e5a0b857502697fb1f9c6a8b5af Mon Sep 17 00:00:00 2001
From: Tycho Andersen 
Date: Tue, 14 Jun 2016 17:40:34 +
Subject: [PATCH 1/2] simplify checkpoint/restore code everywhere

Some problems:

* We had various entry points for migration, each which collected logs in
  various different and inconsistent ways.
* We also had the StartFromMigrate call, and a Migrate() to which you could
  pass lxc.MIGRATE_RESTORE, which wasn't an obvious API.
* at each point we had a check that did the rootfs shifting if necessary
* we had to do findCriu everywhere manually

Now that we have a Migrate() call, let's just route everything through
that, and handle all of this in a uniform way.

Note that some findCriu calls are still prudent to do e.g. in snapshot
restore, before we actually do all the filesystem work to restore stuff if
the snapshot is stateful. I've left those sorts of calls in.

Signed-off-by: Tycho Andersen 
---
 lxd/container.go |  12 +--
 lxd/container_lxc.go | 246 +--
 lxd/migrate.go   |  93 +--
 3 files changed, 143 insertions(+), 208 deletions(-)

diff --git a/lxd/container.go b/lxd/container.go
index f4a6307..09a6567 100644
--- a/lxd/container.go
+++ b/lxd/container.go
@@ -11,8 +11,6 @@ import (
"gopkg.in/lxc/go-lxc.v2"
 
"github.com/lxc/lxd/shared"
-
-   log "gopkg.in/inconshreveable/log15.v2"
 )
 
 // Helper functions
@@ -378,8 +376,7 @@ type container interface {
 
// Snapshots & migration
Restore(sourceContainer container) error
-   Migrate(cmd uint, stateDir string, stop bool) error
-   StartFromMigration(imagesDir string) error
+   Migrate(cmd uint, stateDir string, function string, stop bool) error
Snapshots() ([]container, error)
 
// Config handling
@@ -565,12 +562,7 @@ func containerCreateAsSnapshot(d *Daemon, args 
containerArgs, sourceContainer co
 * after snapshotting will fail.
 */
 
-   err = sourceContainer.Migrate(lxc.MIGRATE_DUMP, stateDir, false)
-   err2 := CollectCRIULogFile(sourceContainer, stateDir, 
"snapshot", "dump")
-   if err2 != nil {
-   shared.Log.Warn("failed to collect criu log file", 
log.Ctx{"error": err2})
-   }
-
+   err = sourceContainer.Migrate(lxc.MIGRATE_DUMP, stateDir, 
"snapshot", false)
if err != nil {
os.RemoveAll(sourceContainer.StatePath())
return nil, err
diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index 2623174..e654e7a 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
@@ -2,6 +2,7 @@ package main
 
 import (
"archive/tar"
+   "bufio"
"encoding/json"
"fmt"
"io"
@@ -1168,30 +1169,7 @@ func (c *containerLXC) Start(stateful bool) error {
return fmt.Errorf("Container has no existing state to 
restore.")
}
 
-   if err := findCriu("snapshot"); err != nil {
-   return err
-   }
-
-   if !c.IsPrivileged() {
-   if err := c.IdmapSet().ShiftRootfs(c.StatePath()); err 
!= nil {
-   return err
-   }
-   }
-
-   out, err := exec.Command(
-   execPath,
-   "forkmigrate",
-   c.name,
-   c.daemon.lxcpath,
-   configPath,
-   c.StatePath()).CombinedOutput()
-   if string(out) != "" {
-   for _, line := range 
strings.Split(strings.TrimRight(string(out), "\n"), "\n") {
-   shared.Debugf("forkmigrate: %s", line)
-   }
-   }
-   CollectCRIULogFile(c, c.StatePath(), "snapshot", "restore")
-
+   err := c.Migrate(lxc.MIGRATE_RESTORE, c.StatePath(), 
"snapshot", false)
if err != nil && !c.IsRunning() {
return err
}
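Review bot: this hunk deletes the findCriu("snapshot") probe and the unprivileged `c.IdmapSet().ShiftRootfs(c.StatePath())` in favour of the single Migrate() call, but the Migrate body is not in this part of the diff, so confirm it shifts the state directory before CRIU restores from it for unprivileged containers; otherwise a stateful start of an unprivileged container restores from unshifted files. The retained `if err != nil && !c.IsRunning()` also discards a restore error whenever the container happens to be running; log err there at minimum.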
@@ -1239,41 +1217,6 @@ func (c *containerLXC) Start(stateful bool) error {
return nil
 }
 
-func (c *containerLXC) StartFromMigration(imagesDir string) error {
-   // Run the shared start code
-   configPath, err := c.startCommon()
-   if err != nil {
-   return err
-   }
-
-   // Start the LXC container
-   out, err := exec.Command(
-   execPath,
-   "forkmigrate",
-   c.name,
