: Serge Hallyn
Date: 2020-05-15 (Fri, 15 May 2020)
Changed paths:
M configure.ac
M src/include/fexecve.c
M src/lxc/Makefile.am
M src/lxc/af_unix.c
M src/lxc/attach.c
M src/lxc/cgroups/cgfsng.c
M src/lxc/cmd/lxc_init.c
M src/lxc/cmd/lxc_monitord.c
M src/lxc/cmd
pidfds.
Signed-off-by: Christian Brauner
Commit: f036cc8a2c6ace70ea8086e5f34881ebadf105f1
https://github.com/lxc/lxc/commit/f036cc8a2c6ace70ea8086e5f34881ebadf105f1
Author: Serge Hallyn
Date: 2020-01-08 (Wed, 08 Jan 2020)
Changed paths:
M src/lxc/start.c
M src/lxc
://github.com/lxc/lxc/commit/83bac1bf25ea1233f1900d925942800268a376d1
Author: Serge Hallyn
Date: 2019-10-04 (Fri, 04 Oct 2019)
Changed paths:
M doc/lxc.container.conf.sgml.in
M src/lxc/conf.c
M src/lxc/conf.h
M src/lxc/confile.c
M src/tests/parse_config_file.c
Log Message
that idea.
Suggested-by: Jann Horn
Signed-off-by: Christian Brauner
Commit: 345a21ca9ec1b736208611f4bec7e24097ce279b
https://github.com/lxc/lxc/commit/345a21ca9ec1b736208611f4bec7e24097ce279b
Author: Serge Hallyn
Date: 2019-10-04 (Fri, 04 Oct 2019)
Changed paths:
M src/lxc/sta
/start.c
Log Message:
---
start: pidfds obviously start - like any fd - at 0
Signed-off-by: Christian Brauner
Commit: 1d24b87a1a12979a27cd0416211c229635ab1a5f
https://github.com/lxc/lxc/commit/1d24b87a1a12979a27cd0416211c229635ab1a5f
Author: Serge Hallyn
Date: 2019
commit 8de90384363fe01f5258d36724dd3eae55918b5b
Signed-off-by: KATOH Yasufumi
Commit: 505af6af91fa93af27e5990a9cc4ea5b417f7811
https://github.com/lxc/lxc/commit/505af6af91fa93af27e5990a9cc4ea5b417f7811
Author: Serge Hallyn
Date: 2019-06-18 (Tue, 18 Jun 2019)
Changed paths:
Branch: refs/heads/master
Home: https://github.com/lxc/lxc
Commit: fa2bb6ba532c5e7f92df8cbae50a68af519f9997
https://github.com/lxc/lxc/commit/fa2bb6ba532c5e7f92df8cbae50a68af519f9997
Author: Serge Hallyn
Date: 2019-06-13 (Thu, 13 Jun 2019)
Changed paths:
M configure.ac
: remove fgets() from setproctitle()
Signed-off-by: Christian Brauner
Commit: fff69e468f320049bb53cac665fc50c46613800c
https://github.com/lxc/lxc/commit/fff69e468f320049bb53cac665fc50c46613800c
Author: Serge Hallyn
Date: 2019-03-04 (Mon, 04 Mar 2019)
Changed paths:
M src/lxc
: Serge Hallyn
Date: 2019-02-08 (Fri, 08 Feb 2019)
Changed paths:
M src/lxc/cgroups/cgfsng.c
M src/lxc/memory_utils.h
Log Message:
---
Merge pull request #2827 from brauner/2019-02-07/auto_cleanup
cgroups: partially switch to cleanup macros
Compare: https
Hi everyone,
Since the start, lxc container startup hooks have gotten some redundant
information as command line arguments, which is also available as environment
variables.
Is anyone making use of that? I'm wondering whether any existing installations
would have broken scripts if we get rid
I really don’t know what happened to that patch, sorry about that. I’ve
proposed it now as pull request #1717 into master.
Thanks,
-serge
> On Jul 28, 2017, at 4:13 AM, Harald Dunkel wrote:
>
> PS:
>
> On Thu, 27 Jul 2017 08:45:49 -0500
> "Serge E. Hallyn"
I see the patch in my archives now. I’ll get it pushed. Thanks.
Serge
> On Jul 28, 2017, at 4:13 AM, Harald Dunkel wrote:
>
> PS:
>
> On Thu, 27 Jul 2017 08:45:49 -0500
> "Serge E. Hallyn" wrote:
>
>>
>> It looks like these were done by commit
I'm sure I'm just being dense. Can you point to your fix? I'll follow up.
Serge
Original Message
From: Harald Dunkel
Sent: Friday, July 28, 2017 5:13 AM
To: Serge E. Hallyn
Cc: LXC development mailing-list
Subject: Re: [lxc-devel] lxc-create: file-based capabilities are lost
PS:
On Thu, 27
Hi,
Sounds like a bug in the intersection of lxcfs and the kernel. So you
could open an issue at github.com/lxc/lxcfs and append the config file
and other info there. Then (bc not many ppl look there I think) you
can link to that issue in a reply in this thread (where a lot more ppl
look).
Quoting Leonid Isaev (leonid.is...@jila.colorado.edu):
> gcc -Wall warns about uninitialized variables (-Wmaybe-uninitialized), and
> -Werror makes it fatal. This change allows the build to succeed by NULL'ifying
> the pointer passed to strtok_r().
>
> Note that strtok_r(3) anyway ignores a
(a) if name=systemd is not mounted then
we won't hit that, and (b) if name=systemd is mounted, then we'd
really still like to set it up for containers.
Signed-off-by: Serge Hallyn <serge.hal...@ubuntu.com>
---
src/lxc/cgfsng.c | 9 ++---
src/lxc/cgroup.c | 7 ++-
2 files chan
Quoting Mathias Gibbens (math...@calenhad.com):
> On Tue, 2016-04-05 at 16:45 +, Mathias Gibbens wrote:
> > On Tue, 2016-04-05 at 14:59 +0000, Serge Hallyn wrote:
> > > Quoting Mathias Gibbens (math...@calenhad.com):
> > > > On Sat, 2016-04-02 at 1
Quoting Mathias Gibbens (math...@calenhad.com):
> This evening I upgraded my lxc/lxcfs install, seeing as how lxcfs
> 2.0.0 was tagged earlier today. However, with the current lxcfs (2.0.0)
> my unprivileged containers fail to start:
>
> > lxc@narya:~$ lxc-start -F -n aule.calenhad.com
> >
Quoting Bogdan Purcareata (bogdan.purcare...@nxp.com):
> The open_without_symlink routine has been specifically created to prevent
> mounts with symlinks as source or destination. Keep SYSERROR'ing in that
> particular scenario, but leave error handling to calling functions for the
> other ones -
Quoting Thomas Tanaka (thomas.tan...@oracle.com):
>
> On 3/11/2016 3:07 PM, Serge Hallyn wrote:
> >Quoting Thomas Tanaka (thomas.tan...@oracle.com):
> >>On 3/10/2016 4:18 PM, Serge Hallyn wrote:
> >>>Quoting Thomas Tanaka (thomas.tan...@oracle.com):
> >
Quoting Thomas Tanaka (thomas.tan...@oracle.com):
>
> On 3/10/2016 4:18 PM, Serge Hallyn wrote:
> >Quoting Thomas Tanaka (thomas.tan...@oracle.com):
> >>Hi,
> >>
> >>This question might not be specific to lxc/lxd but containers in
> >>general, I
Quoting brian mullan (bmullan.m...@gmail.com):
> I've been curious about this for some time now but in one of serge hallyn's
> past posts
> (https://insights.ubuntu.com/2015/06/30/publishing-lxd-images/) he'd
> mentioned:
>
>
>
>
>
> *> Importantly, because “–public” was passed to the lxc
Quoting Thomas Tanaka (thomas.tan...@oracle.com):
> Hi,
>
> This question might not be specific to lxc/lxd but containers in
> general, I hope that is okay.
> I have a process created using clone with the following flags
> (CLONE_NEWNS|CLONE_NEWIPC|CLONE_NEWUSER).
> The process then tries to mount
Quoting Stéphane Graber (stgra...@ubuntu.com):
> On Mon, Feb 01, 2016 at 12:43:21PM +0100, Stéphane Graber wrote:
> > Hello,
> >
> > For a long time, Serge and I have been preferring LXC contributions to
> > be sent through the mailing-list kernel-style.
> >
> > This has been working reasonably
Quoting Tamas Papp (tom...@martos.bme.hu):
> hi All,
>
>
> IMO 10.0.3.0/24 is way too general to be default.
> It would be better, more suitable, less problematic with less
> conflicts if it would be something like 10.251.78.0/24 or
> 172.31.251.0/24.
>
>
> And if there is any change, that
Quoting Alban Crequy (alban.cre...@gmail.com):
> Hi,
>
> On 29 January 2016 at 09:54, wrote:
> > Hi,
> >
> > following is a revised set of the CGroup Namespace patchset which Aditya
> > Kali has previously sent. The code can also be found in the cgroupns.v10
> > branch
Quoting Christian Brauner (christianvanbrau...@gmail.com):
> On Mon, Feb 15, 2016 at 07:48:05PM +0000, Serge Hallyn wrote:
> > Quoting Christian Brauner (christian.brau...@mailbox.org):
> > > On Wed, Feb 10, 2016 at 05:45:48PM +0000, Serge Hallyn wrote:
> > >
Quoting Fabian Grünbichler (f.gruenbich...@proxmox.com):
>
> > Fabian Grünbichler wrote on 12 February 2016 at 13:53:
> >
> > Summary so far: uptime, ps and any other process accessing /proc/uptime
> > within
> > a
> > container using lxcfs can pretty
Quoting Christian Brauner (christian.brau...@mailbox.org):
> On Wed, Feb 10, 2016 at 05:45:48PM +0000, Serge Hallyn wrote:
> > Quoting Christian Brauner (christian.brau...@mailbox.org):
> > > On Mon, Feb 01, 2016 at 04:56:08AM +0000, Serge Hallyn wrote:
> > > >
Quoting Christian Brauner (christian.brau...@mailbox.org):
> On Mon, Feb 01, 2016 at 04:56:08AM +0000, Serge Hallyn wrote:
> > Quoting Kevin Wilson (wkev...@gmail.com):
> > > Hi, LXC developers,
> > >
> > > The latest kernel release (4.4) includes initi
Quoting Bussery, Francois (francois.buss...@arris.com):
> Hi,
> I have noticed that recent LXC are remounting SLAVE all SHARED mount points.
> Is there any real reason for that? Is there any way to workaround this
> “feature” by any configuration files.
> In embedded world, it is really common
Quoting Christian Brauner (christian.brau...@mailbox.org):
> On Wed, Feb 03, 2016 at 04:49:04PM +0200, Kevin Wilson wrote:
> > Hi,
> >
> > When I create an lxc container and run a simple process (which all it
> > does is call pause()),
> > I see the pid of this process also in the host (Simply by
Quoting Kevin Wilson (wkev...@gmail.com):
> Hi, LXC developers,
>
> The latest kernel release (4.4) includes initial support to cgroup v2
> with 2 controllers (memory and io). Also it seems that the PIDs
> controller works in cgroup v2, but I do not know if it is officially
> supported in v2.
>
From: Serge Hallyn <serge.hal...@ubuntu.com>
This patch enables cgroup mounting inside userns when a process
has appropriate privileges. The cgroup filesystem mounted is
rooted at the cgroupns-root. Thus, in a container-setup, only
the hierarchy under the cgroupns-root is exposed
Signed-off-by: Serge Hallyn <serge.hal...@canonical.com>
---
Changelog: 2015-11-24
- move cgroup_namespace.c into cgroup.c (and .h)
- reformatting
- make get_cgroup_ns return void
- rename ns->root_cgrps to root_cset.
Changelog: 2015-12-08
- Move in
From: Serge Hallyn <serge.hal...@ubuntu.com>
Signed-off-by: Aditya Kali <adityak...@google.com>
Signed-off-by: Serge Hallyn <serge.hal...@canonical.com>
Signed-off-by: Tejun Heo <t...@kernel.org>
---
Changelog (2015-12-08):
Merge into Documentation/cgroup.txt
Changelog
From: Aditya Kali <adityak...@google.com>
CLONE_NEWCGROUP will be used to create new cgroup namespace.
Signed-off-by: Aditya Kali <adityak...@google.com>
Signed-off-by: Serge Hallyn <serge.hal...@canonical.com>
---
include/uapi/linux/sched.h |3 +--
1 file changed,
() while creating new cgroupns
- use task_lock() instead of rcu_read_lock() while accessing
task->nsproxy
- optimized setns() to own cgroupns
- simplified code around sane-behavior mount option parsing
4. Restored ACKs from Serge Hallyn from v1 on few patches that have
not chan
From: Serge Hallyn <serge.hal...@ubuntu.com>
allowing root in a non-init user namespace to mount it. This should
now be safe, because
1. non-init-root cannot mount a previously unbound subsystem
2. the task doing the mount must be privileged with respect to the
user namespace
From: Aditya Kali
setns on a cgroup namespace is allowed only if
task has CAP_SYS_ADMIN in its current user-namespace and
over the user-namespace associated with target cgroupns.
No implicit cgroup changes happen with attaching to another
cgroupns. It is expected that the
Quoting Christian Brauner (christian.brau...@mailbox.org):
> Signed-off-by: Christian Brauner
So on this free_mnts() thing. If you (as this patch makes it look
like you were risking) run it twice, you'll presumably crash. The
callers always pass in the same
Quoting Christian Brauner (christian.brau...@mailbox.org):
> Signed-off-by: Christian Brauner
Acked-by: Serge E. Hallyn
> ---
> Slipped my attention before unfortunately.
> ---
> src/lxc/lxc_ls.c | 11 ++-
> 1 file changed, 6
Quoting Stéphane Graber (stgra...@ubuntu.com):
> > diff --git a/src/lxc/network.c b/src/lxc/network.c
> > index 3417928..49633ab 100644
> > --- a/src/lxc/network.c
> > +++ b/src/lxc/network.c
> > @@ -36,6 +36,7 @@
> > #include
> > #include
> > #include
> > +#include
>
> Where is that
Quoting Christian Brauner (christianvanbrau...@gmail.com):
> Do it in a safe way by using strstr() to check for the substring ":/" should
> ':' be part of a pathname.
>
> Signed-off-by: Christian Brauner
Acked-by: Serge E. Hallyn
> ---
>
Quoting Christian Brauner (christianvanbrau...@gmail.com):
> Explain that multiple /lower layers can be used.
>
> Signed-off-by: Christian Brauner
Acked-by: Serge E. Hallyn
> ---
> doc/lxc.container.conf.sgml.in | 4 +++-
> 1 file
Quoting Nehal J Wani (nehaljw.k...@gmail.com):
> Built over https://github.com/tssge/lxcfs/commit/50b75e3
>
> Example Output:
>
> [root@lxc-dev ~]# lxc-attach -n ubuntuwily -- /bin/cat /proc/swaps
> Filename Type Size Used Priority
> none
Quoting Christian Brauner (christianvanbrau...@gmail.com):
> In the Python implementation users could pass a regex without a parameter flag
> as additional argument on the command line. The C implementation gained the
> flag -r/--regex for this. To not irritate users we restore the old behaviour
>
Quoting Bogdan Purcareata (bogdan.purcare...@nxp.com):
> The safe_mount function was introduced in order to address CVE-2015-1335,
> one of the vulnerabilities being a mount with a symlink for the
> destination path. In scenarios such as lxc-execute with no rootfs, the
> destination path is the
Quoting Christian Brauner (christianvanbrau...@gmail.com):
> - With the -g/--groups argument the user can give a comma-separated list of
>   groups a container must have in order to be displayed. We receive
> this list as a single string. ls_has_all_grps() is called to check if a
>
Quoting Christian Brauner (christianvanbrau...@gmail.com):
> Do it in a safe way by using strstr() to check for the substring ":/" should
> ':' be part of a pathname. This should be a safer implementation than the one
> originally suggested in #547.
>
> Signed-off-by: Christian Brauner
Quoting Christian Brauner (christianvanbrau...@gmail.com):
> - remove unused argument from ls_get()
> - Fix ls_has_all_groups() but leave the inefficient basic algorithm untouched
> for now. (Will be fixed in a dedicated commit.)
> - insert missing ;
>
> Signed-off-by: Christian Brauner
Quoting Nehal J Wani (nehaljw.k...@gmail.com):
> When no limit is specified using lxc.cgroup.memory.memsw.limit_in_bytes,
> overflow occurs while calculating Swap{Total,Free}. Commit a2de34b tried
> to fix this, but introduced another bug, wherein if
> memory.memsw.limit_in_bytes >=
Quoting Nehal J Wani (nehaljw.k...@gmail.com):
> When no limit is specified using lxc.cgroup.memory.memsw.limit_in_bytes,
> overflow occurs while calculating Swap{Total,Free}. Commit a2de34b tried
> to fix this, but introduced another bug, wherein if
> memory.memsw.limit_in_bytes >=
Quoting Wolfgang Bumiller (w.bumil...@proxmox.com):
> On Mon, Jan 18, 2016 at 11:18:32PM +0000, Serge Hallyn wrote:
> > Quoting Wolfgang Bumiller (w.bumil...@proxmox.com):
> > > --- a/src/lxc/lxccontainer.h
> > > +++ b/src/lxc/lxccontainer.h
> > > @@ -2
Quoting Christian Brauner (christianvanbrau...@gmail.com):
> - explain new -r,--regex flag
> - explain new numeric argument to --nesting
> - include common options as lxc-ls now uses the standard lxc parser
> - add history section and update authors
>
> Signed-off-by: Christian Brauner
Quoting Christian Brauner (christian.brau...@mailbox.org):
> - If lxc_container_new() fails we check for ENOMEM and if so goto out. If
> ENOMEM is not set we will simply continue. The same goes for the call to
> regcomp() but instead of checking for ENOMEM we need to check for
> REG_ESPACE.
>
Quoting Wolfgang Bumiller (w.bumil...@proxmox.com):
> Add the possibility to start a container in a frozen state.
>
> Signed-off-by: Wolfgang Bumiller
> ---
> doc/lxc-start.sgml.in | 12
> src/lxc/arguments.h| 3 +++
> src/lxc/conf.h | 1 +
>
Quoting Wolfgang Bumiller (w.bumil...@proxmox.com):
> They change a value and return true on success rather than
> fetching the value as the comments previously suggested.
>
> Signed-off-by: Wolfgang Bumiller
Yikes, yes the return value description is entirely wrong.
Quoting Nehal J Wani (nehaljw.k...@gmail.com):
> I am using the most recent version of lxcfs, commit:
> 17f9a5a9d647467e3858fa751e40cc7c022dd475
>
> When I spawn a container with the settings...
>
> lxc.cgroup.memory.limit_in_bytes = 256M
> lxc.cgroup.memory.memsw.limit_in_bytes = 512M
>
> ...
Quoting Christian Brauner (christian.brau...@mailbox.org):
> If lxc_container_new() fails we check for ENOMEM and goto out if ENOMEM is not
> set we will simply continue. The same goes for the call to regcomp() but
> instead of checking for ENOMEM we need to check for REG_ESPACE.
>
> Tweaking:
Quoting Christian Brauner (christian.brau...@mailbox.org):
> Otherwise users will always get nested containers listed.
>
> Signed-off-by: Christian Brauner
I'd actually looked for that and somehow missed it.
Acked-by: Serge E. Hallyn
>
Quoting Christian Brauner (christian.brau...@mailbox.org):
> On Fri, Jan 15, 2016 at 08:40:19PM +0000, Serge Hallyn wrote:
> > Quoting Christian Brauner (christian.brau...@mailbox.org):
> > > If lxc_container_new() fails we check for ENOMEM and goto out if ENOMEM
> >
Quoting Christian Brauner (christian.brau...@mailbox.org):
> If lxc_container_new() fails we check for ENOMEM and if so goto out. If ENOMEM
> is not set we will simply continue. The same goes for the call to regcomp()
> but
> instead of checking for ENOMEM we need to check for REG_ESPACE.
>
>
Quoting Tycho Andersen (tycho.ander...@canonical.com):
> On Wed, Jan 13, 2016 at 09:47:50PM +0000, Serge Hallyn wrote:
> > Quoting Tycho Andersen (tycho.ander...@canonical.com):
> > > 1. remember to chown the cgroup path when migrating a container
> > > 2. when res
Quoting Thomas Tanaka (thomas.tan...@oracle.com):
> The following patch fixes memory alignment and endianness
> issue while doing a snapshot deletion with btrfs as a
> backing store on platform such as sparc.
>
> The implementation is taken from btrfs-progs.
>
> Changes since v1:
> - include
Quoting Christian Brauner (christian.brau...@mailbox.org):
> Signed-off-by: Christian Brauner
Acked-by: Serge E. Hallyn
> ---
> doc/see_also.sgml.in | 5 +
> 1 file changed, 5 insertions(+)
>
> diff --git a/doc/see_also.sgml.in
Quoting Christian Brauner (christian.brau...@mailbox.org):
> Check if we're really on a btrfs filesystem before we call btrfs_same_fs().
> Otherwise we will report misleading errors although everything went fine.
>
> Signed-off-by: Christian Brauner
Acked-by:
Quoting Bogdan Purcareata (bogdan.purcare...@nxp.com):
> On 14.01.2016 01:09, Serge Hallyn wrote:
> > Quoting Bogdan Purcareata (bogdan.purcare...@nxp.com):
> >> On 11.01.2016 20:59, Serge Hallyn wrote:
> >>> Quoting Bogdan Purcareata (bogdan.purcare...@nxp.com):
>
Quoting Tycho Andersen (tycho.ander...@canonical.com):
> On Thu, Jan 14, 2016 at 09:28:07AM +0000, Serge Hallyn wrote:
> > Quoting Tycho Andersen (tycho.ander...@canonical.com):
> > > On Wed, Jan 13, 2016 at 09:47:50PM +0000, Serge Hallyn wrote:
> > > > Quoti
Quoting Thomas Tanaka (thomas.tan...@oracle.com):
> The following patch fixes memory alignment and endianness
> issue while doing a snapshot deletion with btrfs as a
> backing store on platform such as sparc.
>
> The implementation is taken from btrfs-progs.
Hi,
thanks, this looks nice. I'm
lxcpath's const-ness. Technically we are
guaranteed that execvp won't change the args, but it's worth
it to silence the warnings (and not hide real errors).
With this patch, container nics are cleaned up from openvswitch
bridges on shutdown.
Signed-off-by: Serge Hallyn <serge.hal...@ubuntu.
Quoting Wim Coekaerts (wim.coekae...@oracle.com):
> On 1/13/16 1:50 PM, Serge Hallyn wrote:
> >Quoting Tycho Andersen (tycho.ander...@canonical.com):
> >>Signed-off-by: Tycho Andersen <tycho.ander...@canonical.com>
> >Acked-by: Serge E. Hallyn <serge.hal...@ubuntu.
Quoting Tycho Andersen (tycho.ander...@canonical.com):
> Signed-off-by: Tycho Andersen
Acked-by: Serge E. Hallyn
> ---
> .gitignore | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/.gitignore b/.gitignore
> index 5e4912c..58e5dea
Quoting Tycho Andersen (tycho.ander...@canonical.com):
> No reason for these to be +x, and it looks weird.
>
> Signed-off-by: Tycho Andersen
But it makes them a pretty green color in my terminal.
Acked-by: Serge E. Hallyn
> ---
>
Quoting Christian Brauner (christian.brau...@mailbox.org):
> As ls_get() is non-tail recursive we face the inherent danger of blowing up
> the
> stack at some level of nesting. To have at least some security we define
> MAX_NESTLVL to be 5. That should be sufficient for most users. The argument
Quoting Bogdan Purcareata (bogdan.purcare...@nxp.com):
> On 11.01.2016 20:59, Serge Hallyn wrote:
> > Quoting Bogdan Purcareata (bogdan.purcare...@nxp.com):
> >> The safe_mount primitive will mount the fs in the new container
> >> environment by using file descriptor
Quoting Bogdan Purcareata (bogdan.purcare...@nxp.com):
> The safe_mount primitive will mount the fs in the new container
> environment by using file descriptors referred in /proc/self/fd.
> However, when the mounted filesystem is proc itself, it will have
> been previously unmounted, therefore
Quoting Wolfgang Bumiller (w.bumil...@proxmox.com):
>
> > On January 8, 2016 at 2:55 AM Serge Hallyn <serge.hal...@ubuntu.com> wrote:
> > Quoting Wolfgang Bumiller (w.bumil...@proxmox.com):
> > > Signed-off-by: Wolfgang Bumiller <w.bumil...@proxmox.com>
>
Quoting Bogdan Purcareata (bogdan.purcare...@nxp.com):
> In the current implementation, the open_without_symlink function
> will default to opening the root mount only if the passed rootfs
> prefix is null. It doesn't account for the case where this prefix
> is passed as an empty string.
>
>
Quoting Bogdan Purcareata (bogdan.purcare...@nxp.com):
> The safe_mount primitive will mount the fs in the new container
> environment by using file descriptors referred in /proc/self/fd.
> However, when the mounted filesystem is proc itself, it will have
> been previously unmounted, therefore
Quoting Bogdan Purcareata (bogdan.purcare...@nxp.com):
> When running application containers with lxc-execute, /dev is
> populated only with device entries. Since /dev is a tmpfs mount in
> the container environment, the /dev/shm folder not being present is not
> a sufficient reason for the
> this?
>
> Mathias
>
> On Fri, 2016-01-08 at 20:10 +, Serge Hallyn wrote:
> > > From 24e98d74ca279ed2dc8e5a025add5a00737ba952 Mon Sep 17 00:00:00
> > 2001
> > > From: Wolfgang Bumiller <w.bumil...@proxmox.com>
> > > Date: Fri, 8 Jan 2016 1
> > wrote:
> > >
> > >
> > >
> > > > On January 7, 2016 at 8:20 PM Serge Hallyn <serge.hal...@ubuntu.com>
> > > > wrote:
> > > > Quoting Wolfgang Bumiller (w.bumil...@proxmox.com):
> > > > > >
Quoting Nehal J Wani (nehaljw.k...@gmail.com):
> When no limit is specified using lxc.cgroup.memory.memsw.limit_in_bytes,
> overflow occurs while calculating Swap{Total,Free}. Commit a2de34b tried
> to fix this, but introduced another bug, wherein if
> memory.memsw.limit_in_bytes >=
Thanks, I'll push a new 0.16 release tonight.
___
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel
Quoting Wolfgang Bumiller (w.bumil...@proxmox.com):
> If the first realloc() call fails then 'd' becomes NULL,
> subsequent realloc() retries will behave like malloc() and
> the original src pointer is never freed. Furthermore
> the newly allocated data then contains uninitialized data
>
Quoting Wolfgang Bumiller (w.bumil...@proxmox.com):
> The initial check should use real lengths as with modulo a
> new required length of eg. 52 would be considered smaller
> than an old length of 48 (2 < 48).
>
> To get the 'batches' count 'newlen' must be divided and not
> taken modulo
Quoting Wolfgang Bumiller (w.bumil...@proxmox.com):
>
> > On January 7, 2016 at 7:42 PM Serge Hallyn <serge.hal...@ubuntu.com> wrote:
> >
> >
> > Quoting Wolfgang Bumiller (w.bumil...@proxmox.com):
> > > The initial check should use real lengths as wit
Signed-off-by: Serge Hallyn <serge.hal...@canonical.com>
---
Changelog: 2015-11-24
- move cgroup_namespace.c into cgroup.c (and .h)
- reformatting
- make get_cgroup_ns return void
- rename ns->root_cgrps to root_cset.
Changelog: 2015-12-08
- Move in
From: Serge Hallyn <serge.hal...@ubuntu.com>
This patch enables cgroup mounting inside userns when a process
has appropriate privileges. The cgroup filesystem mounted is
rooted at the cgroupns-root. Thus, in a container-setup, only
the hierarchy under the cgroupns-root is exposed
From: Aditya Kali <adityak...@google.com>
CLONE_NEWCGROUP will be used to create new cgroup namespace.
Signed-off-by: Aditya Kali <adityak...@google.com>
Signed-off-by: Serge Hallyn <serge.hal...@canonical.com>
---
include/uapi/linux/sched.h |3 +--
1 file changed,
From: Aditya Kali
setns on a cgroup namespace is allowed only if
task has CAP_SYS_ADMIN in its current user-namespace and
over the user-namespace associated with target cgroupns.
No implicit cgroup changes happen with attaching to another
cgroupns. It is expected that the
From: Serge Hallyn <serge.hal...@ubuntu.com>
Signed-off-by: Aditya Kali <adityak...@google.com>
Signed-off-by: Serge Hallyn <serge.hal...@canonical.com>
Signed-off-by: Tejun Heo <t...@kernel.org>
---
Changelog (2015-12-08):
Merge into Documentation/cgroup.txt
Changelog
From: Aditya Kali
A new kernfs api is added to look up the dentry for a particular
kernfs path.
Signed-off-by: Aditya Kali
Signed-off-by: Serge E. Hallyn
Acked-by: Greg Kroah-Hartman
---
From: Serge Hallyn <serge.hal...@ubuntu.com>
allowing root in a non-init user namespace to mount it. This should
now be safe, because
1. non-init-root cannot mount a previously unbound subsystem
2. the task doing the mount must be privileged with respect to the
user namespace
of rcu_read_lock() while accessing
task->nsproxy
- optimized setns() to own cgroupns
- simplified code around sane-behavior mount option parsing
4. Restored ACKs from Serge Hallyn from v1 on few patches that have
not changed since then.
Changes from V1:
1. No pinning of processes within cgrou
Closes #1459
Signed-off-by: Serge Hallyn <serge.hal...@ubuntu.com>
---
src/lxc/lsm/apparmor.c | 38 +++---
1 file changed, 35 insertions(+), 3 deletions(-)
diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
index d78bd7a..39324ce 100644
--- a/s
From: Aditya Kali
The new function kernfs_path_from_node() generates and returns kernfs
path of a given kernfs_node relative to a given parent kernfs_node.
Signed-off-by: Aditya Kali
Signed-off-by: Serge E. Hallyn
Quoting wim.coekae...@oracle.com (wim.coekae...@oracle.com):
> From: Wim Coekaerts
>
> nlmsg_reserve() might return NULL
>
> if (nlmsg_len + tlen > nlmsg->cap)
> return NULL;
>
> Also set err = -ENOMEM where appropriate
>
> Signed-off-by: Wim
Quoting Serge Hallyn (serge.hal...@ubuntu.com):
> and continue without them if possible
>
> This patch only handles cgmanager - we need to handle this in cgfs too.
>
> Signed-off-by: Serge Hallyn <serge.hal...@ubuntu.com>
> ---
>