On Wed, Nov 4, 2009 at 6:02 AM, Daniel P. Berrange berra...@redhat.com wrote:
On Tue, Nov 03, 2009 at 12:23:26AM +0900, Ryota Ozaki wrote:
Note that this patch is not mature yet and still proof-
of-concept prototype, although it actually works.
The current implementation of the lxc driver creates
On Wed, Nov 04, 2009 at 09:46:01PM +0900, Ryota Ozaki wrote:
On Wed, Nov 4, 2009 at 6:02 AM, Daniel P. Berrange berra...@redhat.com
wrote:
On Tue, Nov 03, 2009 at 12:23:26AM +0900, Ryota Ozaki wrote:
Note that this patch is not mature yet and still proof-
of-concept prototype, although it
On Wed, Nov 4, 2009 at 9:49 PM, Daniel P. Berrange berra...@redhat.com wrote:
On Wed, Nov 04, 2009 at 09:46:01PM +0900, Ryota Ozaki wrote:
On Wed, Nov 4, 2009 at 6:02 AM, Daniel P. Berrange berra...@redhat.com
wrote:
On Tue, Nov 03, 2009 at 12:23:26AM +0900, Ryota Ozaki wrote:
Note that
On Tue, Nov 03, 2009 at 12:23:26AM +0900, Ryota Ozaki wrote:
Note that this patch is not mature yet and still proof-
of-concept prototype, although it actually works.
The current implementation of the lxc driver creates vethN-named
interface(s) in the host and passes them as they are to a container.
The
Note that this patch is not mature yet and still proof-
of-concept prototype, although it actually works.
The current implementation of the lxc driver creates vethN-named
interface(s) in the host and passes them as they are to a container.
The reason why it doesn't use ethN is due to the limitation
that one
My previous change to LXC container capabilities setup has a fairly stupid
bug in it. The container init process starts off with no capabilities
whatsoever :-( This was caused by a bogus capng_lock() call which meant
that all capabilities were cleared when the init process was exec'd.
The
On Wed, Jul 08, 2009 at 01:12:59PM +0100, Daniel P. Berrange wrote:
My previous change to LXC container capabilities setup has a fairly stupid
bug in it. The container init process starts off with no capabilities
whatsoever :-( This was caused by a bogus capng_lock() call which meant
that all
On Fri, May 08, 2009 at 12:43:19PM +0900, Ryota Ozaki wrote:
Hi Serge,
On Fri, May 8, 2009 at 11:04 AM, Serge E. Hallyn se...@us.ibm.com wrote:
Quoting Ryota Ozaki (ozaki.ry...@gmail.com):
Hi Serge,
On Fri, May 8, 2009 at 9:12 AM, Serge E. Hallyn se...@us.ibm.com wrote:
Quoting
On Wed, May 20, 2009 at 12:27:58AM +0900, Ryota Ozaki wrote:
Apologies for not responding. I've come down with a cold
(not flu) for several days...
On Tue, May 19, 2009 at 10:34 PM, Daniel Veillard veill...@redhat.com wrote:
[...]
Just to make sure, this is not ready, right ?
We freeze
On Mon, May 11, 2009 at 06:01:07PM +0900, Ryota Ozaki wrote:
Hi,
I've updated the patch. The change includes support for multiple mount
points of cgroups that I didn't cope with in the previous patch.
Through the work, I found a bit of a messy problem. The current lxc controller writes
pid in a
Quoting Ryota Ozaki (ozaki.ry...@gmail.com):
I've updated the patch. The change includes support for multiple mount
points of cgroups that I didn't cope with in the previous patch.
Through the work, I found a bit of a messy problem. The current lxc controller writes
pid in a 'tasks' file multiple
Hi,
On Mon, May 11, 2009 at 10:26 AM, Ryota Ozaki ozaki.ry...@gmail.com wrote:
Hi,
On Sun, May 10, 2009 at 8:49 AM, Ryota Ozaki ozaki.ry...@gmail.com wrote:
Hi Serge and Daniel,
On Sat, May 9, 2009 at 4:03 AM, Serge E. Hallyn se...@us.ibm.com wrote:
Quoting Daniel P. Berrange
On Fri, May 08, 2009 at 09:04:35AM +0900, Ryota Ozaki wrote:
Hi,
The current lxc driver unexpectedly allows users inside containers to reboot
the host physical machine. This patch prevents this by dropping the CAP_SYS_BOOT
capability in the bounding set of the init process in every container.
Note
Hi,
I needed to apply the following two small changes to get it to compile.
On my system (Ubuntu 9.04) I don't have a sys/capability.h header, but
a linux/capability.h header as part of the linux-libc-dev package.
The second change makes the code compile with -Werror, because vmDef
is not used in
Daniel Veillard wrote:
On Fri, May 08, 2009 at 09:04:35AM +0900, Ryota Ozaki wrote:
Hi,
The current lxc driver unexpectedly allows users inside containers to reboot
the host physical machine. This patch prevents this by dropping the CAP_SYS_BOOT
capability in the bounding set of the init processes in
On Mon, May 11, 2009 at 05:59:45PM +0200, Matthias Bolte wrote:
Hi,
I needed to apply the following two small changes to get it to compile.
On my system (Ubuntu 9.04) I don't have a sys/capability.h header, but
a linux/capability.h header as part of the linux-libc-dev package.
That is
2009/5/11 Daniel P. Berrange berra...@redhat.com:
On Mon, May 11, 2009 at 05:59:45PM +0200, Matthias Bolte wrote:
Hi,
I needed to apply the following two small changes to get it to compile.
On my system (Ubuntu 9.04) I don't have a sys/capability.h header, but
a linux/capability.h header as
Matthias Bolte wrote:
2009/5/11 Daniel P. Berrange berra...@redhat.com:
On Mon, May 11, 2009 at 05:59:45PM +0200, Matthias Bolte wrote:
Hi,
I needed to apply the following two small changes to get it to compile.
On my system (Ubuntu 9.04) I don't have a sys/capability.h header, but
a
On Mon, May 11, 2009 at 12:37:25PM -0400, Dave Allan wrote:
Matthias Bolte wrote:
2009/5/11 Daniel P. Berrange berra...@redhat.com:
On Mon, May 11, 2009 at 05:59:45PM +0200, Matthias Bolte wrote:
Hi,
I needed to apply the following two small changes to get it to compile.
On my system
On Mon, May 11, 2009 at 05:22:15PM +0100, Daniel P. Berrange wrote:
On Mon, May 11, 2009 at 05:59:45PM +0200, Matthias Bolte wrote:
Hi,
I needed to apply the following two small changes to get it to compile.
On my system (Ubuntu 9.04) I don't have a sys/capability.h header, but
a
Hi,
On Sun, May 10, 2009 at 8:49 AM, Ryota Ozaki ozaki.ry...@gmail.com wrote:
Hi Serge and Daniel,
On Sat, May 9, 2009 at 4:03 AM, Serge E. Hallyn se...@us.ibm.com wrote:
Quoting Daniel P. Berrange (berra...@redhat.com):
On Fri, May 08, 2009 at 08:34:12AM -0500, Serge E. Hallyn wrote:
Hi Serge and Daniel,
On Sat, May 9, 2009 at 4:03 AM, Serge E. Hallyn se...@us.ibm.com wrote:
Quoting Daniel P. Berrange (berra...@redhat.com):
On Fri, May 08, 2009 at 08:34:12AM -0500, Serge E. Hallyn wrote:
Quoting Ryota Ozaki (ozaki.ry...@gmail.com):
Hi Serge,
On Fri, May 8, 2009
Hi Serge,
On Fri, May 8, 2009 at 11:48 AM, Serge E. Hallyn se...@us.ibm.com wrote:
IIUC, the real problem is that src/cgroup.c assumes that the
cgroup name should be $CGROUP_MOUNTPOINT/groupname. But of
course if the ns cgroup is enabled, then the unshare(CLONE_NEWNS)
to create a new
On Fri, May 08, 2009 at 09:04:35AM +0900, Ryota Ozaki wrote:
Hi,
The current lxc driver unexpectedly allows users inside containers to reboot
the host physical machine. This patch prevents this by dropping the CAP_SYS_BOOT
capability in the bounding set of the init process in every container.
Note
Quoting Ryota Ozaki (ozaki.ry...@gmail.com):
Hi Serge,
On Fri, May 8, 2009 at 11:48 AM, Serge E. Hallyn se...@us.ibm.com wrote:
IIUC, the real problem is that src/cgroup.c assumes that the
cgroup name should be $CGROUP_MOUNTPOINT/groupname. But of
course if the ns cgroup is enabled,
Quoting Daniel P. Berrange (berra...@redhat.com):
On Fri, May 08, 2009 at 08:34:12AM -0500, Serge E. Hallyn wrote:
Quoting Ryota Ozaki (ozaki.ry...@gmail.com):
Hi Serge,
On Fri, May 8, 2009 at 11:48 AM, Serge E. Hallyn se...@us.ibm.com wrote:
IIUC, the real problem is that
Hi,
The current lxc driver unexpectedly allows users inside containers to reboot
the host physical machine. This patch prevents this by dropping the CAP_SYS_BOOT
capability in the bounding set of the init process in every container.
Note that the patch intends to make it easy to add further capabilities
Hi,
lxc does not work if the ns cgroups subsystem is enabled because
of two factors: one is that ns has a special rule to create
a group[*], unlike other subsystems, and the other is that the lxc
controller creates a new namespace for /dev/pts prior to
creating a new group for a domain. Unfortunately the new
Quoting Ryota Ozaki (ozaki.ry...@gmail.com):
Hi,
The current lxc driver unexpectedly allows users inside containers to reboot
the host physical machine. This patch prevents this by dropping the CAP_SYS_BOOT
capability in the bounding set of the init process in every container.
Note that the patch
Hi Serge,
On Fri, May 8, 2009 at 9:12 AM, Serge E. Hallyn se...@us.ibm.com wrote:
Quoting Ryota Ozaki (ozaki.ry...@gmail.com):
Hi,
The current lxc driver unexpectedly allows users inside containers to reboot
the host physical machine. This patch prevents this by dropping the CAP_SYS_BOOT
capability in
Quoting Ryota Ozaki (ozaki.ry...@gmail.com):
Hi Serge,
On Fri, May 8, 2009 at 9:12 AM, Serge E. Hallyn se...@us.ibm.com wrote:
Quoting Ryota Ozaki (ozaki.ry...@gmail.com):
Hi,
...
+ for (i = 0 ; i ARRAY_CARDINALITY(caps) ; i++) {
+ if (prctl(PR_CAPBSET_DROP, caps[i].id, 0,
IIUC, the real problem is that src/cgroup.c assumes that the
cgroup name should be $CGROUP_MOUNTPOINT/groupname. But of
course if the ns cgroup is enabled, then the unshare(CLONE_NEWNS)
to create a new namespace in which to mount the new devpts
locks the driver under
Hi Serge,
On Fri, May 8, 2009 at 11:04 AM, Serge E. Hallyn se...@us.ibm.com wrote:
Quoting Ryota Ozaki (ozaki.ry...@gmail.com):
Hi Serge,
On Fri, May 8, 2009 at 9:12 AM, Serge E. Hallyn se...@us.ibm.com wrote:
Quoting Ryota Ozaki (ozaki.ry...@gmail.com):
Hi,
...
+ for (i = 0 ; i
On Fri, Apr 17, 2009 at 09:39:19AM -0500, Serge E. Hallyn wrote:
Quoting Daniel P. Berrange (berra...@redhat.com):
Calling unshare(CLONE_NEWNS) will not prevent the host OS from
seeing the new /dev/pts if / was MS_SHARED. That isn't taken
care of anywhere else for this process's
Quoting Daniel P. Berrange (berra...@redhat.com):
This patch attached now just makes it MS_SLAVE. There's no need for the
extra SHARED flag, since the only process libvirt_lxc spawns is the 'init'
process inside the container and that immediately makes its own root
private.
Thanks, this
On Wed, Apr 15, 2009 at 01:55:18PM -0500, Serge E. Hallyn wrote:
...
Index: src/lxc_container.c
===
...
This all looks good, though I haven't tested it yet.
+/*
+ * If doing a chroot style setup, we need to
From 7ebf401c747b61b44bdba0aebc85fbead7ec1d12 Mon Sep 17 00:00:00 2001
From: Mark McLoughlin mar...@redhat.com
Date: Thu, 16 Apr 2009 11:36:41 +0100
Subject:
Fixes:
CHECK: avoid_if_before_free
src/lxc_container.c: if (oldroot) VIR_FREE(oldroot)
src/lxc_container.c: if (newroot)
for
the 'newinstance' flag with devpts, it'll just use a regular shared
instance. If this happens, then /var/log/libvirt/lxc/$NAME.log
should warn you
16:55:00.454: warning : kernel does not support private devpts, using shared
devpts
Also the previous patch to pivot_root() setup added a chroot
Quoting Daniel P. Berrange (berra...@redhat.com):
This change seemed to fix that problem with no ill-effects.
-if (chroot(oldroot) 0) {
-virReportSystemError(NULL, errno, %s,
- _(failed to chroot into tmpfs));
-goto err;
-}
-
-if
I've been working on getting LXC ready to use the common XML routines. One
of the first tasks is finding a way to remove some of the state stored in
the lxc_vm_t struct, so it can be switched over to virDomainObj struct
instead. This patch does some simple re-factoring of the way the TTYs and
DB I've been working on getting LXC ready to use the common XML
DB routines. One of the first tasks is finding a way to remove some
DB of the state stored in the lxc_vm_t struct, so it can be switched
DB over to virDomainObj struct instead. This patch does some simple
DB re-factoring of the way