[lxc-devel] [lxc/master] apparmor: generate ro, bind, remount rule list
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/3343 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === and update to changes based on lxd Signed-off-by: Wolfgang Bumiller
From 03876523e48bfd72bc228adb5450521a0259b35b Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Fri, 2 Aug 2019 12:57:42 +0200 Subject: [PATCH] apparmor: generate ro,bind,remount rule list and update to changes based on lxd Signed-off-by: Wolfgang Bumiller --- src/lxc/lsm/apparmor.c | 124 - 1 file changed, 110 insertions(+), 14 deletions(-)
diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
index e34d999a19..49952198b7 100644
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -132,6 +132,16 @@ static const char AA_PROFILE_BASE[] =
 "# mount options=(rw,make-unbindable) -> **,\n"
 "# mount options=(rw,make-runbindable) -> **,\n"
 "\n"
+"# Allow limited modification of mount propagation\n"
+" mount options=(rw,make-slave) -> /,\n"
+" mount options=(rw,make-rslave) -> /,\n"
+" mount options=(rw,make-shared) -> /,\n"
+" mount options=(rw,make-rshared) -> /,\n"
+" mount options=(rw,make-private) -> /,\n"
+" mount options=(rw,make-rprivate) -> /,\n"
+" mount options=(rw,make-unbindable) -> /,\n"
+" mount options=(rw,make-runbindable) -> /,\n"
+"\n"
 " # allow bind-mounts of anything except /proc, /sys and /dev\n"
 " mount options=(rw,bind) /[^spd]*{,/**},\n"
 " mount options=(rw,bind) /d[^e]*{,/**},\n"
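Review bot: The new section comment `"# Allow limited modification of mount propagation\n"` is written at column 0 while every rule under it and the neighbouring section comments (` # allow bind-mounts …`) are indented by one space; AppArmor still treats it as a comment, but visually it reads as a continuation of the commented-out `-> **` block directly above it. Changing it to `" # Allow limited modification of mount propagation\n"` keeps the generated profile consistent. It would also help the next reader to say in that comment why only the container root is allowed while the `-> **` variants above stay disabled, e.g. `" # (propagation changes are limited to the root mount; the -> ** forms above remain disabled)\n"`, assuming that is the intent.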
@@ -150,15 +160,18 @@ static const char AA_PROFILE_BASE[] =
 " mount options=(rw,bind) /sy[^s]*{,/**},\n"
 " mount options=(rw,bind) /sys?*{,/**},\n"
 "\n"
-" # allow various ro-bind-*re*-mounts\n"
-" mount options=(ro,remount,bind),\n"
-" mount options=(ro,remount,bind,nosuid),\n"
-" mount options=(ro,remount,bind,noexec),\n"
-" mount options=(ro,remount,bind,nodev),\n"
-" mount options=(ro,remount,bind,nosuid,noexec),\n"
-" mount options=(ro,remount,bind,noexec,nodev),\n"
-" mount options=(ro,remount,bind,nodev,nosuid),\n"
-" mount options=(ro,remount,bind,nosuid,noexec,nodev),\n"
+" # Allow rbind-mounts of anything except /, /dev, /proc and /sys\n"
+" mount options=(rw,rbind) /[^spd]*{,/**},\n"
+" mount options=(rw,rbind) /d[^e]*{,/**},\n"
+" mount options=(rw,rbind) /de[^v]*{,/**},\n"
+" mount options=(rw,rbind) /dev?*{,/**},\n"
+" mount options=(rw,rbind) /p[^r]*{,/**},\n"
+" mount options=(rw,rbind) /pr[^o]*{,/**},\n"
+" mount options=(rw,rbind) /pro[^c]*{,/**},\n"
+" mount options=(rw,rbind) /proc?*{,/**},\n"
+" mount options=(rw,rbind) /s[^y]*{,/**},\n"
+" mount options=(rw,rbind) /sy[^s]*{,/**},\n"
+" mount options=(rw,rbind) /sys?*{,/**},\n"
 "\n"
 " # allow moving mounts except for /proc, /sys and /dev\n"
 " mount options=(rw,move) /[^spd]*{,/**},\n"
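Review bot: The whole `ro,remount,bind` rule family is removed from the static profile here and nothing in this hunk replaces it; I take it the generated list from `append_remount_rule` later in the patch now covers those cases, but the profile text itself no longer says so. A one-line comment at the removal point, `" # ro,remount,bind rules are generated at profile build time (see append_remount_rule)\n"`, would keep the static profile self-explanatory for anyone reading it without the C code. The new block comment says "except /, /dev, /proc and /sys" while the bind block above it (context lines in the previous hunk) says "except /proc, /sys and /dev" for byte-identical path patterns; the two comments should agree on whether `/` itself is excluded.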
@@ -324,12 +337,13 @@ static const char AA_PROFILE_NESTING_BASE[] =
 "\n"
 " mount fstype=proc -> /usr/lib/*/lxc/**,\n"
 " mount fstype=sysfs -> /usr/lib/*/lxc/**,\n"
-" mount options=(rw,bind),\n"
-" mount options=(rw,rbind),\n"
-" mount options=(rw,make-rshared),\n"
 "\n"
- /* FIXME: What's the state here on apparmor's side? */
-" # there doesn't seem to be a way to ask for:\n"
+" # Allow nested LXD\n"
+" mount none -> /var/lib/lxd/shmounts/,\n"
+" mount /var/lib/lxd/shmounts/ -> /var/lib/lxd/shmounts/,\n"
+" mount options=bind /var/lib/lxd/shmounts/** -> /var/lib/lxd/**,\n"
+"\n"
+" # FIXME: There doesn't seem to be a way to ask for:\n"
 " # mount options=(ro,nosuid,nodev,noexec,remount,bind),\n"
 " # as we always get mount to $cdir/proc/sys with those flags denied\n"
 " # So allow all mounts until that is straightened out:\n"
@@ -631,6 +645,86 @@ static bool is_privileged(struct lxc_conf *conf)
 return lxc_list_empty(&conf->id_map);
 }
+static const char* AA_ALL_DEST_PATH_LIST[] = {
+ " -> /[^spd]*{,/**},\n",
+ " -> /d[^e]*{,/**},\n",
+ " -> /de[^v]*{,/**},\n",
+ " -> /dev/.[^l]*{,/**},\n",
+ " -> /dev/.l[^x]*{,/**},\n",
+ " -> /dev/.lx[^c]*{,/**},\n",
+ " -> /dev/.lxc?*{,/**},\n",
+ " -> /dev/[^.]*{,/**},\n",
+ " -> /dev?*{,/**},\n",
+ " -> /p[^r]*{,/**},\n",
+ " -> /pr[^o]*{,/**},\n",
+ " -> /pro[^c]*{,/**},\n",
+ " -> /proc?*{,/**},\n",
+ " -> /s[^y]*{,/**},\n",
+ " -> /sy[^s]*{,/**},\n",
+ " -> /sys?*{,/**},\n",
+ NULL,
+};
+
+static const struct mntopt_t {
+ const char *opt;
+ size_t len;
+} REMOUNT_OPTIONS[] = {
+ { ",nodev", sizeof(",nodev")-1 },
+ { ",nosuid", sizeof(",nosuid")-1 },
+ { ",noexec", sizeof(",noexec")-1 },
+};
+
+static void append_remount_rule(char **profile, size_t *size, const char *rule)
+{
+ size_t rule_len = strlen(rule);
+
+ for (const char **dest = AA_ALL_DEST_PATH_LIST; *dest; ++dest) {
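Review bot: The nested-LXD rules in the nesting profile hardcode `/var/lib/lxd/shmounts/`, so a nested LXD whose state directory lives anywhere else gets no shmounts rules at all and will still be denied; since the commit says these rules are taken from lxd, it is worth confirming that lxd's own generated profile does not also emit variants for other install layouts. The unconditional `mount options=(rw,bind)`, `(rw,rbind)` and `(rw,make-rshared)` lines are dropped in the same hunk, while the context line `# So allow all mounts until that is straightened out:` suggests a blanket rule still follows below the hunk; if that blanket rule is what made them redundant, a comment to that effect next to the `# Allow nested LXD` block would save the next reader from wondering whether bind/rbind permissions were lost. The trailing `@@ -631` hunk is cut off at the `append_remount_rule` loop, so it is not reviewed here.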
[lxc-devel] [lxd/master] NIC Bridged: Use of network argument when detecting parent
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/7115 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === Also improves host_name state reporting when using VM with lxd-agent running.
From 4e1ecc846a238d6ebae63c38010abb5ff2dd1cb1 Mon Sep 17 00:00:00 2001 From: Thomas Parrott Date: Wed, 1 Apr 2020 09:20:12 +0100 Subject: [PATCH 1/3] lxc/network: Updates network detach checks to use bridged network property Signed-off-by: Thomas Parrott --- lxc/network.go | 8 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/lxc/network.go b/lxc/network.go
index 76e5f06b78..2c24635e5a 100644
--- a/lxc/network.go
+++ b/lxc/network.go
@@ -415,7 +415,7 @@ func (c *cmdNetworkDetach) Run(cmd *cobra.Command, args []string) error {
 // Find the device
 if devName == "" {
 for n, d := range inst.Devices {
- if d["type"] == "nic" && d["parent"] == resource.name {
+ if d["type"] == "nic" && (d["parent"] == resource.name || d["network"] == resource.name) {
 if devName != "" {
 return fmt.Errorf(i18n.G("More than one device matches, specify the device name"))
 }
@@ -434,7 +434,7 @@ func (c *cmdNetworkDetach) Run(cmd *cobra.Command, args []string) error {
 return fmt.Errorf(i18n.G("The specified device doesn't exist"))
 }
- if device["type"] != "nic" || device["parent"] != resource.name {
+ if device["type"] != "nic" || (device["parent"] != resource.name && device["network"] != resource.name) {
 return fmt.Errorf(i18n.G("The specified device doesn't match the network"))
 }
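Review bot: The match condition `d["type"] == "nic" && (d["parent"] == resource.name || d["network"] == resource.name)` and its De Morgan twin in the second hunk are now written out four times (here and again in the two `cmdNetworkDetachProfile.Run` hunks that follow), and the negated form is the one most likely to drift when a further key is added. A small helper, `func nicOnNetwork(d map[string]string, name string) bool { return d["type"] == "nic" && (d["parent"] == name || d["network"] == name) }` (declared with whatever element type `inst.Devices` actually holds), used as `if nicOnNetwork(d, resource.name) {` and `if !nicOnNetwork(device, resource.name) {`, keeps the four sites in step. Both `Run` functions start and end outside the hunks.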
@@ -500,7 +500,7 @@ func (c *cmdNetworkDetachProfile) Run(cmd *cobra.Command, args []string) error {
 // Find the device
 if devName == "" {
 for n, d := range profile.Devices {
- if d["type"] == "nic" && d["parent"] == resource.name {
+ if d["type"] == "nic" && (d["parent"] == resource.name || d["network"] == resource.name) {
 if devName != "" {
 return fmt.Errorf(i18n.G("More than one device matches, specify the device name"))
 }
@@ -519,7 +519,7 @@ func (c *cmdNetworkDetachProfile) Run(cmd *cobra.Command, args []string) error {
 return fmt.Errorf(i18n.G("The specified device doesn't exist"))
 }
- if device["type"] != "nic" || device["parent"] != resource.name {
+ if device["type"] != "nic" || (device["parent"] != resource.name && device["network"] != resource.name) {
 return fmt.Errorf(i18n.G("The specified device doesn't match the network"))
 }
From 7b26c661a4b4bec3c71d835ddc0435a88969eb33 Mon Sep 17 00:00:00 2001 From: Thomas Parrott Date: Wed, 1 Apr 2020 10:24:42 +0100 Subject: [PATCH 2/3] lxd/network/network/utils: Updates network setting detection in IsInUse Signed-off-by: Thomas Parrott --- lxd/network/network_utils.go | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/lxd/network/network_utils.go b/lxd/network/network_utils.go
index e61b90a00d..91c6c632a0 100644
--- a/lxd/network/network_utils.go
+++ b/lxd/network/network_utils.go
@@ -38,8 +38,9 @@ func IsInUse(c instance.Instance, networkName string) bool {
 continue
 }
- if d["network"] == networkName {
- return true
+ // Temporarily populate parent from network setting if used.
+ if d["network"] != "" {
+ d["parent"] = d["network"]
 }
 if d["parent"] == "" {
From 6b1a72d5deae8bd03408943d91d4cfd36e5820a7 Mon Sep 17 00:00:00 2001 From: Thomas Parrott Date: Wed, 1 Apr 2020 10:25:07 +0100 Subject: [PATCH 3/3] lxd/instance/drivers/driver/qemu: Adds host_name info to RenderState when lxd-agent is running Previously only agentless state info had host_name.
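Review bot: In the `IsInUse` hunk, `d["parent"] = d["network"]` writes into the device map yielded by the range loop that starts outside the hunk; Go maps are reference types, so if that loop ranges over the instance's own (expanded) device config rather than a copy, the "temporary" parent value is visible to every later consumer of that config, and nothing here restores it. A local avoids the side effect: `parent := d["parent"]` / `if d["network"] != "" { parent = d["network"] }` and then compare `parent` in the checks that follow (`if parent == "" {` and onward). The comment could then state the rule instead of the trick: `// A NIC may name its network via "network" (preferred) or the legacy "parent" key.` `IsInUse` continues past the end of the hunk.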
Signed-off-by: Thomas Parrott --- lxd/instance/drivers/driver_qemu.go | 40 - 1 file changed, 34 insertions(+), 6 deletions(-)
diff --git a/lxd/instance/drivers/driver_qemu.go b/lxd/instance/drivers/driver_qemu.go
index c603f7f58b..9fc600074c 100644
--- a/lxd/instance/drivers/driver_qemu.go
+++ b/lxd/instance/drivers/driver_qemu.go
@@ -3604,18 +3604,20 @@ func (vm *qemu) RenderState() (*api.InstanceState, error) {
 pid, _ := vm.pid()
 if statusCode == api.Running {
+ // Try and get state info from agent.
 status, err := vm.agentGetState()
 if err != nil {
 if err != errQem
[lxc-devel] [linuxcontainers.org/master] Add Japanese release announcement of LXC 4.0.0
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/linuxcontainers.org/pull/401 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === From 50b7e545ed8f738bed3e6eb410918c7956a62632 Mon Sep 17 00:00:00 2001 From: KATOH Yasufumi Date: Wed, 1 Apr 2020 20:07:22 +0900 Subject: [PATCH 1/3] Add Japanese release announcement of LXC 4.0.0 Signed-off-by: KATOH Yasufumi --- content/lxc/news.ja/lxc-4.0.0.yaml | 499 + 1 file changed, 499 insertions(+) create mode 100644 content/lxc/news.ja/lxc-4.0.0.yaml diff --git a/content/lxc/news.ja/lxc-4.0.0.yaml b/content/lxc/news.ja/lxc-4.0.0.yaml new file mode 100644 index 000..207023b --- /dev/null +++ b/content/lxc/news.ja/lxc-4.0.0.yaml 
@@ -0,0 +1,499 @@ +title: LXC 4.0 LTS リリースのお知らせ +date: 2020/03/25 13:03 +origin: https://discuss.linuxcontainers.org/t/lxc-4-0-lts-has-been-released/7182 +content: |- + ### はじめに + + LXC チームは LXC 4.0.0 のリリースをお知らせできてとてもうれしいです! + + + このリリースは LXC 3.0.0 リリース以来 2 年に渡る作業の結果で、LXC プロジェクトにとって 3 つめの LTS リリースです。このリリースは 2025 年 6 月までサポートされます。 + + ### 主な変更点 + + cgroups: cgroup2 のフルサポート + + LXC 4.0 は cgroup v2(単一)階層を完全にサポートするようになりました。この作業のために、cgroup ドライバーを完全に書き直しました。この作業の結果、LXC コンテナの cgroup レイアウトが変更されました。古いバージョンの LXC は次のようなレイアウトを使っていました: + + /sys/fs/cgroup/// + + + 例えば、cgroup v1 の `cpuset` 階層では、コンテナの init プロセスは次の場所に置かれていました。 + + /sys/fs/cgroup/cpuset/c1/ + + + 監視モニタープロセスは次の場所にありました。 + + /sys/fs/cgroup/cpuset/ + + + LXC 4.0 は次のようなレイアウトを使います: + + /sys/fs/cgroup//lxc.payload./ + + + コンテナ `f2` 用の cgroup v1 階層内の `cpuset` コントローラーは次のようになります: + + /sys/fs/cgroup/cpuset/lxc.payload.f2/ + + + モニタープロセスも別の場所に移動しました: + + /sys/fs/cgroup//lxc.monitor./ + + + 前述の例だと、モニタープロセスの場所は次のようになります: + + /sys/fs/cgroup/cpuset/lxc.monitor.f2/ + + + モニターとコンテナの cgroup は一致する cgroup 階層の同じレベルに置かれます。 + この変更は cgroup v1 と v2(単一)階層の両方に適用されます。任意に設定できるものではありません。新しい cgroup v2(単一)階層では、プロセスを cgroup 階層のどこにどのように移動できるかに特定の制限が課されます。もっとも重要な制限はリーフノード制限です。これはリーフ(末端の)ノードのみがプロセスを持てるということです。つまり、次のような cgroup ツリーがあったとします + + + /sys/fs/cgroup/a/f2-monitor/f2-container/ + + + この場合、`f2-container` のみがプロセスを持てます。いっぽうでリーフノードではない `a` と `f2-monitor` はプロセスを持てません。これは、モニタープロセスが `f2-monitor` 内に、コンテナの init プロセスが `f2-container` 内にいるような LXC が使っていた古い cgroup レイアウトは今後は持てないということです。カーネルがこのレイアウトを認めません。代わりに、モニタープロセスとコンテナの init プロセスを cgroup 階層の同じレベルとなるふたつのリーフノードに移動させる必要があります。これによりコンテナ `f2` のレイアウトは次のようになります: + + + /sys/fs/cgroup/lxc.monitor.f2/ + + そして + + /sys/fs/cgroup/lxc.payload.f2/ + + + cgroup v2(単一)階層が強制する制限は、完全に非特権のコンテナを起動するには、cgroup を管理する init システムを使ったディストリビューションの協力が必要であるということも意味します。コンテナがシェルから `lxc-start` や他の手段で起動した場合、LXC が root cgroup にエスケープするために root になる必要があるか、もしくは init システムが空の cgroup を委任するように指示する必要があります。このようなシナリオでは、LXC が root cgroup 
へエスケープするのを防ぐように、`lxc.cgroup.relative` を `1` に設定するのが賢明です。 + + cgroups: cgroup v2 での freezer サポート + + LXC 4.0 での cgroup v2 サポートの一部として、cgroup v2 の freezer コントローラー実装のサポートも追加しました。cgroup が凍結または解凍されるまでポーリングできるようになり、コンテナの凍結と解凍が以前より信頼性が以前より増しました。 + + cgroups: cgroup v2 での eBPF デバイスコントローラーのサポート + + LXC 4.0 は cgroup v2 のデバイスコントローラーをより適切に利用できるようになりました。これはコンテナの cgroup の作成、ロード、eBPF プログラムのアタッチが自動的に行われ、ルールの動的な追加・削除をサポートします。設定フォーマットは cgroup v1 コントローラーのものと同じです。`lxc.cgroup.devices` の代わりに `lxc.cgroup2.devices` だけを使う必要があります。LXC はブラックリストとホワイトリストの両方をサポートし続けます。 + + AppArmor: `/proc/acpi/**` へのアクセス拒否 + + デフォルトの AppArmor プロファイルは、安全性の向上のために `/proc/acpi` へのアクセスを拒否するようになりました。 + + config: `lxc.autodev.tmpfs.size` 設定キーの追加 + + LXC はコンテナが使用可能な最小の `/dev` ディレクトリの作成をサポートしています。これは `lxc.autodev = 1` で設定します。この作成のために、LXC は `/dev` に `tmpfs` マウントを設定します。この `tmpfs` マウントはこれまでのバージョンでは制限できませんでした。この `tmpfs` マウントのサイズ制限が設定できるようになりました。これは `lxc.autodev.tmpfs.size` に `tmpfs` が使用する制限をバイト数で設定します。 + + config: `lxc.selinux.context.keyring` 設定キーの追加 + + この設定で、コンテナが使うキーリングに使う `selinux` コンテキストを指定できます。 + + config: `lxc.keyring.session` 設定キーの追加 + + これを `1` (デフォルト)に設定すると LXC に新しいセッションキーリングを作成します。 + + file utils: `fopen_cached()` と `fdopen_cached` の追加 + + これらのヘルパーは、最初に全ファイルを読み込み、通常のファイルベースの libc API 経由で読むためにストリームとして使えるようにします。これにより、読み込まれている間に元となるファイルが変更される可能性がある場合に、LXC のさまざまなファイルの扱いがより強固になります。 + + api: 新しい `init_pidfd()` メンバーの追加 + + LXC 4.0 では、LXC チームがアップストリームのカーネルにマージした新しい pidfd カーネル API を完全にサポートします。コンテナの init プロセスの `pidfd` は `c->init_pidfd(c)` 経由でリクエストできます。 + + memory utils: Add new cleanup api + + LXC 4.0 で、複雑なリソース割り当てのためのクリーンアップマクロを定義し、呼ぶための新しい内部 API を導入し、コンパイラーのクリーンアップ属性の使用を拡張しました。このリソースクリーンアップの新しい方法に切り替えることで、ファイルディスクリプターとメモリーリークが大幅に減少し、非常に良い結果が得られました。 + + lxc-usernsexec: 自身の uid をマップするのが簡単に + + `lxc-usernsexec` バイナリーは `/etc/subuid` と `/etc/subgid` で指定するデフォルトのマッピングを参照し、それを `newuidmap` と `newgidmap` で書くようになりました。 + +
[lxc-devel] [lxc/master] fix non-root user cannot write /dev/stdout
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/3344 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === Signed-off-by: gaohuatao
From 6aff5157220de749afc559901d990c5088ca8143 Mon Sep 17 00:00:00 2001 From: gaohuatao Date: Wed, 1 Apr 2020 09:36:44 -0400 Subject: [PATCH] fix non-root user cannot write /dev/stdout Signed-off-by: gaohuatao --- src/lxc/attach.c | 3 +++ src/lxc/start.c | 3 +++ src/lxc/utils.c | 45 + src/lxc/utils.h | 3 +++ 4 files changed, 54 insertions(+)
diff --git a/src/lxc/attach.c b/src/lxc/attach.c
index 15cc5f3793..07eb814c9a 100644
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -875,6 +875,9 @@ static int attach_child_main(struct attach_clone_payload *payload)
 if (new_gid == ns_root_gid)
 new_gid = LXC_INVALID_GID;
+
+ /* Make sure that the processes STDIO is correctly owned by the user that we are switching to */
+ fix_stdio_permissions(new_uid);
 if (!lxc_switch_uid_gid(new_uid, new_gid))
 goto on_error;
diff --git a/src/lxc/start.c b/src/lxc/start.c
index 328516c976..b97347ded8 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -1365,6 +1365,9 @@ static int do_start(void *data)
 if (new_gid == nsgid)
 new_gid = LXC_INVALID_GID;
+
+ /* Make sure that the processes STDIO is correctly owned by the user that we are switching to */
+ fix_stdio_permissions(new_uid);
 /* If we are in a new user namespace we already dropped all groups when
 * we switched to root in the new user namespace further above. Only
diff --git a/src/lxc/utils.c b/src/lxc/utils.c
index 97507fe642..96c35e8084 100644
--- a/src/lxc/utils.c
+++ b/src/lxc/utils.c
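Review bot: `fix_stdio_permissions(new_uid);` is called unconditionally, but the lines directly above map the "nothing to switch" case to `LXC_INVALID_GID`, and `new_uid` is presumably normalised the same way just before the hunk (attach_child_main starts outside it); if `LXC_INVALID_UID` is the usual `(uid_t)-1`, the `fchown` inside the helper then leaves the owner alone while the `fchmod(..., 0700)` still runs, so the stdio mode is changed even when no uid switch takes place. Guarding the call, `if (new_uid != LXC_INVALID_UID)` / `fix_stdio_permissions(new_uid);`, keeps the pre-patch behaviour in that case; the `do_start` hunk in start.c has the same call and needs the same guard. Small wording fix in both added comments: "the processes STDIO" should read "the process's STDIO".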
@@ -1860,3 +1860,48 @@ bool lxc_can_use_pidfd(int pidfd)
 return log_trace(true, "Kernel supports pidfds");
 }
+
+void fix_stdio_permissions(uid_t uid)
+{
+ int std_fds[3] = {STDIN_FILENO, STDOUT_FILENO, STDERR_FILENO};
+ int devnull_fd = -1;
+ int ret;
+ int i = 0;
+ struct stat st;
+ struct stat null_st;
+
+ devnull_fd = open_devnull();
+ if (devnull_fd < 0) {
+ ERROR("Open /dev/null failed");
+ goto out;
+ }
+
+ ret = fstat(devnull_fd, &null_st);
+
+ for (; i < 3; i++) {
+ ret = fstat(std_fds[i], &st);
+ if (ret != 0) {
+ ERROR("Failed to get fd %d stat", std_fds[i]);
+ continue;
+ }
+
+ if (st.st_rdev == null_st.st_rdev) {
+ continue;
+ }
+
+ ret = fchown(std_fds[i], uid, st.st_gid);
+ if (ret != 0) {
+ ERROR("Failed to change fd %d owner", std_fds[i]);
+ }
+
+ ret = fchmod(std_fds[i], 0700);
+ if (ret != 0) {
+ ERROR("Failed to change fd %d mode", std_fds[i]);
+ }
+ }
+
+out:
+ if (devnull_fd >= 0) {
+ close(devnull_fd);
+ }
+}
diff --git a/src/lxc/utils.h b/src/lxc/utils.h
index 4ab41bf1f4..bd7a86136b 100644
--- a/src/lxc/utils.h
+++ b/src/lxc/utils.h
@@ -239,4 +239,7 @@ extern int lxc_rm_rf(const char *dirname);
 extern int lxc_setup_keyring(char *keyring_label);
 extern bool lxc_can_use_pidfd(int pidfd);
+/* Fix the permissions of init PID's STDIO within the container to the specified user */
+extern void fix_stdio_permissions(uid_t uid);
+
 #endif /* __LXC_UTILS_H */
___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
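Review bot: The result of `ret = fstat(devnull_fd, &null_st);` is never checked, so if that call fails `null_st` is left uninitialised and the later `st.st_rdev == null_st.st_rdev` test compares against an indeterminate value. The loop also chowns and chmods whatever the three descriptors refer to, not just terminals: when the caller's stdout or stderr is redirected to a regular file or a pipe on the host, that object's owner is handed to the target uid and its mode forced to 0700, which is a wider effect than "non-root user cannot write /dev/stdout" suggests. Checking the fstat result and limiting the fix-up to character devices (with a comment stating the intent) confines the change to the tty case; whether pipes must also be covered is worth confirming against the original report before narrowing it. Failures are only logged, which the `void` signature implies, but a `/* Best effort: failures are logged, not fatal. */` header comment would make that contract explicit for callers.
```c
	ret = fstat(devnull_fd, &null_st);
	if (ret != 0) {
		ERROR("Failed to stat /dev/null");
		goto out;
	}

	for (; i < 3; i++) {
		ret = fstat(std_fds[i], &st);
		/* … unchanged: fstat error handling … */

		/* Only adjust terminal-like character devices; leave regular
		 * files, pipes and sockets (and /dev/null itself) untouched. */
		if (!S_ISCHR(st.st_mode) || st.st_rdev == null_st.st_rdev)
			continue;

		/* … unchanged: fchown / fchmod … */
	}
```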
[lxc-devel] [lxd/master] Storage: UUID regeneration unification
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/7117 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === Ceph and LVM do regeneration of filesystem UUIDs differently so this PR aims to unify their approaches taking the best bits of each. Also partially undoes https://github.com/lxc/lxd/pull/7071 as this was causing filesystem UUIDs to be regenerated when generating a backup.yaml file which is done when taking new snapshots, which ultimately was slowing down taking new snapshots. A fix for this will be followed in a separate PR.
From 57a6c1941419b29b611cd90f4254390c417eb0e5 Mon Sep 17 00:00:00 2001 From: Thomas Parrott Date: Wed, 1 Apr 2020 14:08:10 +0100 Subject: [PATCH 1/2] lxd/storage/drivers/driver/lvm/volumes: Mount xfs snapshot with nouuid option Avoids regeneration of UUID expense when just mounting the snapshot. Signed-off-by: Thomas Parrott --- lxd/storage/drivers/driver_lvm_volumes.go | 26 --- 1 file changed, 18 insertions(+), 8 deletions(-)
diff --git a/lxd/storage/drivers/driver_lvm_volumes.go b/lxd/storage/drivers/driver_lvm_volumes.go
index aa15f5b73c..49cc983ed7 100644
--- a/lxd/storage/drivers/driver_lvm_volumes.go
+++ b/lxd/storage/drivers/driver_lvm_volumes.go
@@ -418,7 +418,7 @@ func (d *lvm) MountVolume(vol Volume, op *operations.Operation) (bool, error) {
 if err != nil {
 return false, errors.Wrapf(err, "Failed to mount LVM logical volume")
 }
- d.logger.Debug("Mounted logical volume", log.Ctx{"dev": volDevPath, "path": mountPath})
+ d.logger.Debug("Mounted logical volume", log.Ctx{"dev": volDevPath, "path": mountPath, "options": mountOptions})
 return true, nil
 }
@@ -641,6 +641,7 @@ func (d *lvm) MountVolumeSnapshot(snapVol Volume, op *operations.Operation) (boo
 // Default to mounting the original snapshot directly. This may be changed below if a temporary
 // snapshot needs to be taken.
 mountVol := snapVol
+ mountFlags, mountOptions := resolveMountOptions(d.volumeMountOptions(mountVol))
 // Regenerate filesystem UUID if needed. This is because some filesystems do not allow mounting
 // multiple volumes that share the same UUID. As snapshotting a volume will copy its UUID we need
@@ -666,11 +667,21 @@ func (d *lvm) MountVolumeSnapshot(snapVol Volume, op *operations.Operation) (boo
 })
 tmpVolDevPath := d.lvmDevPath(d.config["lvm.vg_name"], tmpVol.volType, tmpVol.contentType, tmpVol.name)
-
- d.logger.Debug("Regenerating filesystem UUID", log.Ctx{"dev": tmpVolDevPath, "fs": d.volumeFilesystem(tmpVol)})
- err = regenerateFilesystemUUID(d.volumeFilesystem(tmpVol), tmpVolDevPath)
- if err != nil {
- return false, err
+ tmpVolFsType := d.volumeFilesystem(tmpVol)
+
+ // When mounting XFS filesystems temporarily we can use the nouuid option rather than fully
+ // regenerating the filesystem UUID.
+ if tmpVolFsType == "xfs" {
+ idx := strings.Index(mountOptions, "nouuid")
+ if idx < 0 {
+ mountOptions += ",nouuid"
+ }
+ } else {
+ d.logger.Debug("Regenerating filesystem UUID", log.Ctx{"dev": tmpVolDevPath, "fs": d.volumeFilesystem(tmpVol)})
+ err = regenerateFilesystemUUID(d.volumeFilesystem(tmpVol), tmpVolDevPath)
+ if err != nil {
+ return false, err
+ }
 }
 // We are going to mount the temporary volume instead.
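Review bot: `mountOptions += ",nouuid"` produces the string `",nouuid"` with a leading comma when `mountOptions` is empty; whether the mount path tolerates that depends on `TryMount`, which is outside the hunk, so it is safer to build the string explicitly: `if !strings.Contains(mountOptions, "nouuid") {` / `mountOptions = strings.TrimPrefix(mountOptions+",nouuid", ",")` / `}` — `strings.Contains` also replaces the `strings.Index(...) < 0` idiom. The substring test is satisfied by any option that merely contains "nouuid", which is unlikely to matter but deserves a one-line comment if kept. Note that `mountOptions` is now derived from `mountVol` while it still equals `snapVol` (first hunk), so the nouuid addition applies to the temporary volume mounted later; `MountVolumeSnapshot` starts and ends outside the hunk.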
@@ -679,12 +690,11 @@ func (d *lvm) MountVolumeSnapshot(snapVol Volume, op *operations.Operation) (boo
 // Finally attempt to mount the volume that needs mounting.
 volDevPath := d.lvmDevPath(d.config["lvm.vg_name"], mountVol.volType, mountVol.contentType, mountVol.name)
- mountFlags, mountOptions := resolveMountOptions(d.volumeMountOptions(snapVol))
 err := TryMount(volDevPath, mountPath, d.volumeFilesystem(mountVol), mountFlags|unix.MS_RDONLY, mountOptions)
 if err != nil {
 return false, errors.Wrapf(err, "Failed to mount LVM snapshot volume")
 }
- d.logger.Debug("Mounted logical volume snapshot", log.Ctx{"dev": volDevPath, "path": mountP
[lxc-devel] [lxc-ci/master] images/apertis: Enable systemd-{network, resolve}d
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxc-ci/pull/139 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) ===
From c8bc6bf5d215f50c6a90e28c1bc27d9abd5a12d5 Mon Sep 17 00:00:00 2001 From: Thomas Hipp Date: Wed, 1 Apr 2020 18:23:06 +0200 Subject: [PATCH] images/apertis: Enable systemd-{network,resolve}d Signed-off-by: Thomas Hipp --- images/apertis.yaml | 4 1 file changed, 4 insertions(+)
diff --git a/images/apertis.yaml b/images/apertis.yaml
index 0486463..476decb 100644
--- a/images/apertis.yaml
+++ b/images/apertis.yaml
@@ -78,6 +78,10 @@ actions:
 rm /etc/resolv.conf
 ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf
+ln -s /lib/systemd/system/systemd-networkd.service /etc/systemd/system/multi-user.target.wants/systemd-networkd.service
+ln -s /lib/systemd/system/systemd-networkd.socket /etc/systemd/system/multi-user.target.wants/systemd-networkd.socket
+ln -s /lib/systemd/system/systemd-resolved.service /etc/systemd/system/multi-user.target.wants/systemd-resolved.service
+
 environment:
 variables:
 - key: TMPDIR
___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
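Review bot: The three new `ln -s` lines, unlike the `ln -sf` on the context line just above them, fail with "File exists" if the base image already ships those wants symlinks, and if this action block runs with `set -e` semantics (not visible here) that aborts the image build. `ln -sf` is consistent with the existing line, and `systemctl enable systemd-networkd systemd-resolved` would be the usual alternative if systemd is usable at this point of the build. A short comment above the block, `# Enable systemd-networkd/-resolved by hand; systemctl is not available during image build`, would record why the units are wired up by symlink, assuming that is the reason.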
[lxc-devel] [lxc/lxc] 8fddf0: apparmor: generate ro, bind, remount rule list
Branch: refs/heads/master Home: https://github.com/lxc/lxc Commit: 8fddf007b92a62a69eb09de6beafbbf731e91b54 https://github.com/lxc/lxc/commit/8fddf007b92a62a69eb09de6beafbbf731e91b54 Author: Wolfgang Bumiller Date: 2020-04-01 (Wed, 01 Apr 2020) Changed paths: M src/lxc/lsm/apparmor.c Log Message: --- apparmor: generate ro,bind,remount rule list and update to changes based on lxd Signed-off-by: Wolfgang Bumiller Commit: 632dd634f98ef097f8e1d07e627dced5a8b0be17 https://github.com/lxc/lxc/commit/632dd634f98ef097f8e1d07e627dced5a8b0be17 Author: Christian Brauner Date: 2020-04-01 (Wed, 01 Apr 2020) Changed paths: M src/lxc/lsm/apparmor.c Log Message: --- Merge pull request #3343 from Blub/apparmor-mount-rule-generation apparmor: generate ro,bind,remount rule list Compare: https://github.com/lxc/lxc/compare/f66fdf23389a...632dd634f98e ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
[lxc-devel] [lxc/master] fixes
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/3345 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === Signed-off-by: Christian Brauner
From 52520e4f793f73e5956c2d9de9c83f074622ce1d Mon Sep 17 00:00:00 2001 From: Christian Brauner Date: Mon, 30 Mar 2020 22:26:10 +0200 Subject: [PATCH 1/2] start: remove unnecessary check for valid cgroup_ops Signed-off-by: Christian Brauner --- src/lxc/start.c | 6 ++ 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/src/lxc/start.c b/src/lxc/start.c
index 328516c976..5f70bf2379 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -933,10 +933,8 @@ void lxc_end(struct lxc_handler *handler)
 lsm_process_cleanup(handler->conf, handler->lxcpath);
- if (cgroup_ops) {
- cgroup_ops->payload_destroy(cgroup_ops, handler);
- cgroup_ops->monitor_destroy(cgroup_ops, handler);
- }
+ cgroup_ops->payload_destroy(cgroup_ops, handler);
+ cgroup_ops->monitor_destroy(cgroup_ops, handler);
 if (handler->conf->reboot == REBOOT_NONE) {
 /* For all new state clients simply close the command socket.
From f553c217467b26c6e134f8060d7635b4e0a20128 Mon Sep 17 00:00:00 2001 From: Christian Brauner Date: Wed, 1 Apr 2020 22:25:53 +0200 Subject: [PATCH 2/2] autotools: don't install run-coccinelle.sh Signed-off-by: Christian Brauner --- coccinelle/Makefile.am | 2 -- 1 file changed, 2 deletions(-)
diff --git a/coccinelle/Makefile.am b/coccinelle/Makefile.am
index a3c8b03d95..059f5df41b 100644
--- a/coccinelle/Makefile.am
+++ b/coccinelle/Makefile.am
@@ -3,5 +3,3 @@ EXTRA_DIST = exit.cocci \
 run-coccinelle.sh \
 while-true.cocci
-
-bin_SCRIPTS = run-coccinelle.sh
___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
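Review bot: Removing the `if (cgroup_ops)` guard makes `lxc_end` dereference `cgroup_ops` unconditionally, and the hunk does not show where that pointer is obtained (lxc_end's body starts and continues outside it); if lxc_end can be reached on a failure path before the handler's cgroup driver is initialised, a skipped cleanup becomes a NULL dereference. If the invariant is that the pointer is always valid by the time lxc_end runs, a one-line comment at the call site, `/* cgroup_ops is always initialised before lxc_end() can be reached. */`, records why the check was redundant and stops it from being re-added. The Makefile.am hunk is a build-only change and needs nothing further.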
[lxc-devel] [lxc/lxc] 52520e: start: remove unnecessary check for valid cgroup_ops
Branch: refs/heads/master Home: https://github.com/lxc/lxc Commit: 52520e4f793f73e5956c2d9de9c83f074622ce1d https://github.com/lxc/lxc/commit/52520e4f793f73e5956c2d9de9c83f074622ce1d Author: Christian Brauner Date: 2020-03-31 (Tue, 31 Mar 2020) Changed paths: M src/lxc/start.c Log Message: --- start: remove unnecessary check for valid cgroup_ops Signed-off-by: Christian Brauner Commit: f553c217467b26c6e134f8060d7635b4e0a20128 https://github.com/lxc/lxc/commit/f553c217467b26c6e134f8060d7635b4e0a20128 Author: Christian Brauner Date: 2020-04-01 (Wed, 01 Apr 2020) Changed paths: M coccinelle/Makefile.am Log Message: --- autotools: don't install run-coccinelle.sh Signed-off-by: Christian Brauner Commit: 955ec68d768d9219ea3e1137dc393e671305f6fe https://github.com/lxc/lxc/commit/955ec68d768d9219ea3e1137dc393e671305f6fe Author: Stéphane Graber Date: 2020-04-01 (Wed, 01 Apr 2020) Changed paths: M coccinelle/Makefile.am M src/lxc/start.c Log Message: --- Merge pull request #3345 from brauner/2020-03-30/fixes fixes Compare: https://github.com/lxc/lxc/compare/632dd634f98e...955ec68d768d ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
[lxc-devel] [lxc/master] systemd: Add Documentation key
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/3346 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === Signed-off-by: Stéphane Graber
From 9409ea35a048c208cee0a3318fd7794fce8aeaac Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Graber?= Date: Wed, 1 Apr 2020 16:57:15 -0400 Subject: [PATCH] systemd: Add Documentation key MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Stéphane Graber --- config/init/systemd/lxc-monitord.service.in | 1 + config/init/systemd/lxc-net.service.in | 1 + 2 files changed, 2 insertions(+)
diff --git a/config/init/systemd/lxc-monitord.service.in b/config/init/systemd/lxc-monitord.service.in
index 4063516887..f528a60995 100644
--- a/config/init/systemd/lxc-monitord.service.in
+++ b/config/init/systemd/lxc-monitord.service.in
@@ -1,6 +1,7 @@
 [Unit]
 Description=LXC Container Monitoring Daemon
 After=syslog.service network.target
+Documentation=man:lxc
 [Service]
 Type=simple
diff --git a/config/init/systemd/lxc-net.service.in b/config/init/systemd/lxc-net.service.in
index 1b8ef99426..6ed8cd82bb 100644
--- a/config/init/systemd/lxc-net.service.in
+++ b/config/init/systemd/lxc-net.service.in
@@ -2,6 +2,7 @@
 Description=LXC network bridge setup
 After=network-online.target
 Before=lxc.service
+Documentation=man:lxc
 [Service]
 Type=oneshot
___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
[lxc-devel] [lxc/lxc] 9409ea: systemd: Add Documentation key
Branch: refs/heads/master Home: https://github.com/lxc/lxc Commit: 9409ea35a048c208cee0a3318fd7794fce8aeaac https://github.com/lxc/lxc/commit/9409ea35a048c208cee0a3318fd7794fce8aeaac Author: Stéphane Graber Date: 2020-04-01 (Wed, 01 Apr 2020) Changed paths: M config/init/systemd/lxc-monitord.service.in M config/init/systemd/lxc-net.service.in Log Message: --- systemd: Add Documentation key Signed-off-by: Stéphane Graber Commit: 5f2ed0c09f9966983042dfeb546824def694a7fb https://github.com/lxc/lxc/commit/5f2ed0c09f9966983042dfeb546824def694a7fb Author: Christian Brauner Date: 2020-04-01 (Wed, 01 Apr 2020) Changed paths: M config/init/systemd/lxc-monitord.service.in M config/init/systemd/lxc-net.service.in Log Message: --- Merge pull request #3346 from stgraber/master systemd: Add Documentation key Compare: https://github.com/lxc/lxc/compare/955ec68d768d...5f2ed0c09f99 ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
[lxc-devel] [lxc/lxc] 46340c: start: remove unnecessary check for valid cgroup_ops
Branch: refs/heads/stable-4.0 Home: https://github.com/lxc/lxc Commit: 46340ce2f1c261a26d8598637fa41dbd58d339dc https://github.com/lxc/lxc/commit/46340ce2f1c261a26d8598637fa41dbd58d339dc Author: Christian Brauner Date: 2020-04-01 (Wed, 01 Apr 2020) Changed paths: M src/lxc/start.c Log Message: --- start: remove unnecessary check for valid cgroup_ops Signed-off-by: Christian Brauner Commit: 5697d2c6d5863eff231f0a2cb31e5595c70f6471 https://github.com/lxc/lxc/commit/5697d2c6d5863eff231f0a2cb31e5595c70f6471 Author: Wolfgang Bumiller Date: 2020-04-01 (Wed, 01 Apr 2020) Changed paths: M config/init/systemd/lxc.service.in Log Message: --- init: add ExecReload to lxc.service to only reload profiles Signed-off-by: Wolfgang Bumiller Commit: 4e43c4fb1040a13c8ae9293b0cc12cb66e28be47 https://github.com/lxc/lxc/commit/4e43c4fb1040a13c8ae9293b0cc12cb66e28be47 Author: Wolfgang Bumiller Date: 2020-04-01 (Wed, 01 Apr 2020) Changed paths: M src/lxc/lsm/apparmor.c Log Message: --- apparmor: generate ro,bind,remount rule list and update to changes based on lxd Signed-off-by: Wolfgang Bumiller Commit: e6c5d2e494dd6b6c9c201dcca35f748df721d861 https://github.com/lxc/lxc/commit/e6c5d2e494dd6b6c9c201dcca35f748df721d861 Author: Christian Brauner Date: 2020-04-01 (Wed, 01 Apr 2020) Changed paths: M coccinelle/Makefile.am Log Message: --- autotools: don't install run-coccinelle.sh Signed-off-by: Christian Brauner Commit: fa7132aef6c34d30af81e987fbc751ad637932e0 https://github.com/lxc/lxc/commit/fa7132aef6c34d30af81e987fbc751ad637932e0 Author: Stéphane Graber Date: 2020-04-01 (Wed, 01 Apr 2020) Changed paths: M config/init/systemd/lxc-net.service.in Log Message: --- systemd: Add Documentation key Signed-off-by: Stéphane Graber Compare: https://github.com/lxc/lxc/compare/179e2bf8e052...fa7132aef6c3 ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
[lxc-devel] Canceled: lxc/lxc#7520 (master - 955ec68)
Build Update for lxc/lxc - Build: #7520 Status: Canceled Duration: 2 mins and 20 secs Commit: 955ec68 (master) Author: Stéphane Graber Message: Merge pull request #3345 from brauner/2020-03-30/fixes fixes View the changeset: https://github.com/lxc/lxc/compare/632dd634f98e...955ec68d768d View the full build log and details: https://travis-ci.org/github/lxc/lxc/builds/669883530?utm_medium=notification&utm_source=email -- You can unsubscribe from build emails from the lxc/lxc repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=1693277&utm_medium=notification&utm_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notification&utm_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications. ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
[lxc-devel] Errored: lxc/lxc#7522 (master - 5f2ed0c)
Build Update for lxc/lxc - Build: #7522 Status: Errored Duration: 35 mins and 57 secs Commit: 5f2ed0c (master) Author: Christian Brauner Message: Merge pull request #3346 from stgraber/master systemd: Add Documentation key View the changeset: https://github.com/lxc/lxc/compare/955ec68d768d...5f2ed0c09f99 View the full build log and details: https://travis-ci.org/github/lxc/lxc/builds/669885663?utm_medium=notification&utm_source=email -- You can unsubscribe from build emails from the lxc/lxc repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=1693277&utm_medium=notification&utm_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notification&utm_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications. ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
[lxc-devel] [lxd/master] Properly handle sockets with multiple dies (and cores per die)
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/7120 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) ===
From b2a78785e0957567f2e58f0d7d241fd0a7e7d7ac Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Graber?= Date: Wed, 1 Apr 2020 20:22:08 -0400 Subject: [PATCH 1/2] api: resources_cpu_core_die MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Stéphane Graber --- doc/api-extensions.md | 3 +++ shared/api/resource.go | 3 +++ shared/version/api.go | 1 + 3 files changed, 7 insertions(+)
diff --git a/doc/api-extensions.md b/doc/api-extensions.md
index 5e853325ca..9274f246b4 100644
--- a/doc/api-extensions.md
+++ b/doc/api-extensions.md
@@ -1005,3 +1005,6 @@ This adds USB and PCI devices to the output of `/1.0/resources`. This indicates that the numa_node field is now recorded per-thread rather than per core as some hardware apparently puts threads in different NUMA domains.
+
+## resources\_cpu\_core\_die
+Exposes the die_id information on each core.
diff --git a/shared/api/resource.go b/shared/api/resource.go
index 13dc33ea33..8cd2fc0dc4 100644
--- a/shared/api/resource.go
+++ b/shared/api/resource.go
@@ -56,6 +56,9 @@ type ResourcesCPUCache struct {
 type ResourcesCPUCore struct {
 Core uint64 `json:"core" yaml:"core"`
+ // API extension: resources_cpu_core_die
+ Die uint64 `json:"die" yaml:"die"`
+
 Threads []ResourcesCPUThread `json:"threads" yaml:"threads"`
 Frequency uint64 `json:"frequency,omitempty" yaml:"frequency,omitempty"`
diff --git a/shared/version/api.go b/shared/version/api.go
index de6cd7e6a6..04f131cc3a 100644
--- a/shared/version/api.go
+++ b/shared/version/api.go
@@ -203,6 +203,7 @@ var APIExtensions = []string{
 "container_nic_ipvlan_gateway",
 "resources_usb_pci",
 "resources_cpu_threads_numa",
+ "resources_cpu_core_die",
 }
 // APIExtensionsCount returns the number of available API extensions.
From abd99d0df9c4211e3c379c72f592b37ca8b65bac Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?=
Date: Wed, 1 Apr 2020 20:22:28 -0400
Subject: [PATCH 2/2] lxd/resources: Parse and report die_id
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Stéphane Graber
---
 lxd/resources/cpu.go | 26 --
 1 file changed, 20 insertions(+), 6 deletions(-)
diff --git a/lxd/resources/cpu.go b/lxd/resources/cpu.go
index f516e9a230..52c5975c0b 100644
--- a/lxd/resources/cpu.go
+++ b/lxd/resources/cpu.go
@@ -89,7 +89,7 @@ func GetCPU() (*api.ResourcesCPU, error) {
 // Temporary storage
 cpuSockets := map[uint64]*api.ResourcesCPUSocket{}
- cpuCores := map[uint64]map[uint64]*api.ResourcesCPUCore{}
+ cpuCores := map[uint64]map[string]*api.ResourcesCPUCore{}
 // Open cpuinfo
 f, err := os.Open("/proc/cpuinfo")
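Review bot: The inner `cpuCores` map now takes a `string` key in place of the `uint64` core id, but nothing at the declaration says what that string encodes; the reader has to find the `coreIndex := fmt...` construction much further down (cut off in this excerpt) to learn it. A one-line comment at the declaration would save that trip, e.g. `// cpuCores: socket id -> core index string (core plus die, built as coreIndex below) -> core`. GetCPU starts before this hunk and continues past it.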
@@ -118,15 +118,25 @@ func GetCPU() (*api.ResourcesCPU, error) {
 // Get topology
 cpuSocket, err := readUint(filepath.Join(entryPath, "topology", "physical_package_id"))
- if err != nil {
+ if err != nil && !os.IsNotExist(err) {
 return nil, errors.Wrapf(err, "Failed to read \"%s\"", filepath.Join(entryPath, "topology", "physical_package_id"))
 }
 cpuCore, err := readUint(filepath.Join(entryPath, "topology", "core_id"))
- if err != nil {
+ if err != nil && !os.IsNotExist(err) {
 return nil, errors.Wrapf(err, "Failed to read \"%s\"", filepath.Join(entryPath, "topology", "core_id"))
 }
+ cpuDie, err := readInt(filepath.Join(entryPath, "topology", "die_id"))
+ if err != nil && !os.IsNotExist(err) {
+ return nil, errors.Wrapf(err, "Failed to read \"%s\"", filepath.Join(entryPath, "topology", "die_id"))
+ }
+
+ if cpuDie == -1 {
+ // Architectures without support for die_id report -1, make that die 0 instead.
+ cpuDie = 0
+ }
+
 // Grab socket data if needed
 resSocket, ok := cpuSockets[cpuSocket]
 if !ok {
@@ -233,17 +243,21 @@ func GetCPU() (*api.ResourcesCPU, error) {
 // Record the data
 cpuSockets[cpuSocket] = resSocket
- cpuCores[cpuSocket] = map[uint64]*api.ResourcesCPUCore{}
+ cpuCores[cpuSocket] = map[string]*api.ResourcesCPUCore{}
 }
 // Grab core data if needed
- resCore, ok := cpuCores[cpuSocket][cpuCore]
+ coreIndex := fmt
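Review bot: Relaxing the `physical_package_id` and `core_id` reads to `!os.IsNotExist(err)` leaves `cpuSocket` and `cpuCore` holding whatever `readUint` returns on a failed read, which is not visible in this hunk; if that is 0, a CPU without topology files is silently folded into socket 0 / core 0 and cannot be told apart from a genuine socket 0. The new `die_id` branch states its fallback inline, so the two relaxed reads deserve the same, e.g. `// No topology file (older kernels / some VMs): fall back to socket 0 via readUint's error value`, or an explicit `if os.IsNotExist(err) { cpuSocket = 0 }` so the behaviour does not depend on the helper's error return. The same `-1` mapping comment for `die_id` should also say whether a missing file yields -1 or 0 from `readInt`, since the `cpuDie == -1` check only covers the former. GetCPU starts before this hunk and continues past it; the second hunk in this section is cut off at `coreIndex := fmt`.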
