: Serge Hallyn
Date: 2020-05-15 (Fri, 15 May 2020)
Changed paths:
M configure.ac
M src/include/fexecve.c
M src/lxc/Makefile.am
M src/lxc/af_unix.c
M src/lxc/attach.c
M src/lxc/cgroups/cgfsng.c
M src/lxc/cmd/lxc_init.c
M src/lxc/cmd/lxc_monitord.c
M src/lxc/cmd
anon-inode pidfds.
Signed-off-by: Christian Brauner
Commit: f036cc8a2c6ace70ea8086e5f34881ebadf105f1
https://github.com/lxc/lxc/commit/f036cc8a2c6ace70ea8086e5f34881ebadf105f1
Author: Serge Hallyn
Date: 2020-01-08 (Wed, 08 Jan 2020)
Changed paths:
M src/lxc/start.c
://github.com/lxc/lxc/commit/83bac1bf25ea1233f1900d925942800268a376d1
Author: Serge Hallyn
Date: 2019-10-04 (Fri, 04 Oct 2019)
Changed paths:
M doc/lxc.container.conf.sgml.in
M src/lxc/conf.c
M src/lxc/conf.h
M src/lxc/confile.c
M src/tests/parse_config_file.c
Log Message
is the implementation of that idea.
Suggested-by: Jann Horn
Signed-off-by: Christian Brauner
Commit: 345a21ca9ec1b736208611f4bec7e24097ce279b
https://github.com/lxc/lxc/commit/345a21ca9ec1b736208611f4bec7e24097ce279b
Author: Serge Hallyn
Date: 2019-10-04 (Fri, 04 Oct 2019)
Changed
/start.c
Log Message:
---
start: pidfds obviously start - like any fd - at 0
Signed-off-by: Christian Brauner
Commit: 1d24b87a1a12979a27cd0416211c229635ab1a5f
https://github.com/lxc/lxc/commit/1d24b87a1a12979a27cd0416211c229635ab1a5f
Author: Serge Hallyn
Date: 2019
commit 8de90384363fe01f5258d36724dd3eae55918b5b
Signed-off-by: KATOH Yasufumi
Commit: 505af6af91fa93af27e5990a9cc4ea5b417f7811
https://github.com/lxc/lxc/commit/505af6af91fa93af27e5990a9cc4ea5b417f7811
Author: Serge Hallyn
Date: 2019-06-18 (Tue, 18 Jun 2019)
Changed paths:
Branch: refs/heads/master
Home: https://github.com/lxc/lxc
Commit: fa2bb6ba532c5e7f92df8cbae50a68af519f9997
https://github.com/lxc/lxc/commit/fa2bb6ba532c5e7f92df8cbae50a68af519f9997
Author: Serge Hallyn
Date: 2019-06-13 (Thu, 13 Jun 2019)
Changed paths:
M configure.ac
: remove fgets() from setproctitle()
Signed-off-by: Christian Brauner
Commit: fff69e468f320049bb53cac665fc50c46613800c
https://github.com/lxc/lxc/commit/fff69e468f320049bb53cac665fc50c46613800c
Author: Serge Hallyn
Date: 2019-03-04 (Mon, 04 Mar 2019)
Changed paths:
M src/lxc
: Serge Hallyn
Date: 2019-02-08 (Fri, 08 Feb 2019)
Changed paths:
M src/lxc/cgroups/cgfsng.c
M src/lxc/memory_utils.h
Log Message:
---
Merge pull request #2827 from brauner/2019-02-07/auto_cleanup
cgroups: partially switch to cleanup macros
Compare: https
Hi everyone,
Since the start, lxc container startup hooks have gotten some redundant
information as command line arguments, which is also available as environment
variables.
Is anyone making use of that? I'm wondering whether any existing installations
would have broken scripts if we get rid
I really don’t know what happened to that patch, sorry about that. I’ve
proposed it now as pull request #1717 into master.
Thanks,
-serge
> On Jul 28, 2017, at 4:13 AM, Harald Dunkel wrote:
>
> PS:
>
> On Thu, 27 Jul 2017 08:45:49 -0500
> "Serge E. Hallyn" wrote:
>
>>
>> It looks like the
I see the patch in my archives now. I’ll get it pushed. Thanks.
Serge
> On Jul 28, 2017, at 4:13 AM, Harald Dunkel wrote:
>
> PS:
>
> On Thu, 27 Jul 2017 08:45:49 -0500
> "Serge E. Hallyn" wrote:
>
>>
>> It looks like these were done by commit
>> 44d397891e691ab994a69766cc72e57265b62da1,
I'm sure I'm just being dense. Can you point to your fix? I'll follow up.
Serge
Original Message
From: Harald Dunkel
Sent: Friday, July 28, 2017 5:13 AM
To: Serge E. Hallyn
Cc: LXC development mailing-list
Subject: Re: [lxc-devel] lxc-create: file-based capabilities are lost
PS:
On Thu, 27
Hi,
Sounds like a bug in the intersection of lxcfs and the kernel. So you
could open an issue at github.com/lxc/lxcfs and append the config file
and other info there. Then (bc not many ppl look there I think) you
can link to that issue in a reply in this thread (where a lot more ppl
look).
Than
Quoting Leonid Isaev (leonid.is...@jila.colorado.edu):
> gcc -Wall warns about uninitialized variables (-Wmaybe-uninitialized), and
> -Werror makes it fatal. This change allows the build to succeed by NULL'ifying
> the pointer passed to strtok_r().
>
> Note that strtok_r(3) anyway ignores a non-NU
cause (a) if name=systemd is not mounted then
we won't hit that, and (b) if name=systemd is mounted, then we'd
really still like to set it up for containers.
Signed-off-by: Serge Hallyn
---
src/lxc/cgfsng.c | 9 ++---
src/lxc/cgroup.c | 7 ++-
2 files changed, 8 insertions(
Quoting Mathias Gibbens (math...@calenhad.com):
> On Tue, 2016-04-05 at 16:45 +, Mathias Gibbens wrote:
> > On Tue, 2016-04-05 at 14:59 +0000, Serge Hallyn wrote:
> > > Quoting Mathias Gibbens (math...@calenhad.com):
> > > > On Sat, 2016-04-02 at 1
Quoting Mathias Gibbens (math...@calenhad.com):
> On Sat, 2016-04-02 at 15:53 +0000, Serge Hallyn wrote:
> > Quoting Mathias Gibbens (math...@calenhad.com):
> > > This evening I upgraded my lxc/lxcfs install, seeing as how lxcfs
> > > 2.0.0 was tagged earlier today
Quoting Mathias Gibbens (math...@calenhad.com):
> This evening I upgraded my lxc/lxcfs install, seeing as how lxcfs
> 2.0.0 was tagged earlier today. However, with the current lxcfs (2.0.0)
> my unprivileged containers fail to start:
>
> > lxc@narya:~$ lxc-start -F -n aule.calenhad.com
> > syste
Quoting Bogdan Purcareata (bogdan.purcare...@nxp.com):
> The open_without_symlink routine has been specifically created to prevent
> mounts with symlinks as source or destination. Keep SYSERROR'ing in that
> particular scenario, but leave error handling to calling functions for the
> other ones - e
Quoting Thomas Tanaka (thomas.tan...@oracle.com):
>
> On 3/11/2016 3:07 PM, Serge Hallyn wrote:
> >Quoting Thomas Tanaka (thomas.tan...@oracle.com):
> >>On 3/10/2016 4:18 PM, Serge Hallyn wrote:
> >>>Quoting Thomas Tanaka (thomas.tan...@oracle.com):
> >>
Quoting Thomas Tanaka (thomas.tan...@oracle.com):
>
> On 3/10/2016 4:18 PM, Serge Hallyn wrote:
> >Quoting Thomas Tanaka (thomas.tan...@oracle.com):
> >>Hi,
> >>
> >>This question might not be specific to lxc/lxd but containers in
> >>general, I
Quoting brian mullan (bmullan.m...@gmail.com):
> I've been curious about this for some time now but in one of serge hallyn's
> past posts
> (https://insights.ubuntu.com/2015/06/30/publishing-lxd-images/) he'd
> mentioned:
>
>
>
>
>
> *> Importantly, because “–public” was passed to the lxc publ
Quoting Thomas Tanaka (thomas.tan...@oracle.com):
> Hi,
>
> This question might not be specific to lxc/lxd but containers in
> general, I hope that is okay.
> I have a process created using clone with the following flags
> (CLONE_NEWNS|CLONE_NEWIPC|CLONE_NEWUSER).
> The process then try to mount t
Quoting Stéphane Graber (stgra...@ubuntu.com):
> On Mon, Feb 01, 2016 at 12:43:21PM +0100, Stéphane Graber wrote:
> > Hello,
> >
> > For a long time, Serge and I have been preferring LXC contributions to
> > be sent through the mailing-list kernel-style.
> >
> > This has been working reasonably w
Quoting Tamas Papp (tom...@martos.bme.hu):
> hi All,
>
>
> IMO 10.0.3.0/24 is way too general to be default.
> It would be better, more suitable, less problematic with less
> conflicts if it would be something like 10.251.78.0/24 or
> 172.31.251.0/24.
>
>
> And if there is any change, that shou
Quoting Alban Crequy (alban.cre...@gmail.com):
> Hi,
>
> On 29 January 2016 at 09:54, wrote:
> > Hi,
> >
> > following is a revised set of the CGroup Namespace patchset which Aditya
> > Kali has previously sent. The code can also be found in the cgroupns.v10
> > branch of
> >
> > https://git.ke
Quoting Christian Brauner (christianvanbrau...@gmail.com):
> On Mon, Feb 15, 2016 at 07:48:05PM +0000, Serge Hallyn wrote:
> > Quoting Christian Brauner (christian.brau...@mailbox.org):
> > > On Wed, Feb 10, 2016 at 05:45:48PM +, Serge Hallyn wrote:
> > >
Quoting Fabian Grünbichler (f.gruenbich...@proxmox.com):
>
> > Fabian Grünbichler hat am 12. Februar 2016 um
> > 13:53 geschrieben:
> >
> > Summary so far: uptime, ps and any other process accessing /proc/uptime
> > within
> > a
> > container using lxcfs can pretty reliably make the whole conta
Quoting Christian Brauner (christian.brau...@mailbox.org):
> On Wed, Feb 10, 2016 at 05:45:48PM +0000, Serge Hallyn wrote:
> > Quoting Christian Brauner (christian.brau...@mailbox.org):
> > > On Mon, Feb 01, 2016 at 04:56:08AM +, Serge Hallyn wrote:
> > > >
Quoting Christian Brauner (christian.brau...@mailbox.org):
> On Mon, Feb 01, 2016 at 04:56:08AM +0000, Serge Hallyn wrote:
> > Quoting Kevin Wilson (wkev...@gmail.com):
> > > Hi, LXC developers,
> > >
> > > The latest kernel release (4.4) includes initi
Quoting Bussery, Francois (francois.buss...@arris.com):
> Hi,
> I have noticed that recent LXC are remounting SLAVE all SHARED mount points.
> Is there any real reason for that? Is there any way to workaround this
> “feature” by any configuration files.
> In embedded world, it is really common to
Quoting Christian Brauner (christian.brau...@mailbox.org):
> On Wed, Feb 03, 2016 at 04:49:04PM +0200, Kevin Wilson wrote:
> > Hi,
> >
> > When I create an lxc container and run a simple process (which all it
> > does is call pause()),
> > I see the pid of this process also in the host (Simply by
Quoting Kevin Wilson (wkev...@gmail.com):
> Hi, LXC developers,
>
> The latest kernel release (4.4) includes initial support to cgroup v2
> with 2 controllers (memory and io). Also it seems that the PIDs
> controller works in cgroup v2, but I do not know if it is officially
> supported in v2.
>
>
Quoting Christian Brauner (christian.brau...@mailbox.org):
> Signed-off-by: Christian Brauner
Acked-by: Serge E. Hallyn
> ---
> Slipped my attention before unfortunately.
> ---
> src/lxc/lxc_ls.c | 11 ++-
> 1 file changed, 6 insertions(+), 5 deletions(-)
>
> diff --git a/src/lxc/lxc_
Quoting Christian Brauner (christian.brau...@mailbox.org):
> Signed-off-by: Christian Brauner
So on this free_mnts() thing. If you (as this patch makes it look
like you were risking) run it twice, you'll presumably crash. The
callers always pass in the same global variables. So I think that
(a
From: Serge Hallyn
Signed-off-by: Aditya Kali
Signed-off-by: Serge Hallyn
Signed-off-by: Tejun Heo
---
Changelog (2015-12-08):
Merge into Documentation/cgroup.txt
Changelog (2015-12-22):
Reformat to try to follow the style of the rest of the cgroup.txt file.
Changelog (2015-12-22):
tj
From: Aditya Kali
CLONE_NEWCGROUP will be used to create new cgroup namespace.
Signed-off-by: Aditya Kali
Signed-off-by: Serge Hallyn
---
include/uapi/linux/sched.h |3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/include/uapi/linux/sched.h b/include/uapi/linux
From: Serge Hallyn
This patch enables cgroup mounting inside userns when a process
has appropriate privileges. The cgroup filesystem mounted is
rooted at the cgroupns-root. Thus, in a container-setup, only
the hierarchy under the cgroupns-root is exposed inside the container.
This allows
-tools
(like libcontainer, lxc, lmctfy, etc.) to create completely virtualized
containers without leaking system level cgroup hierarchy to the task.
This patch only implements the 'unshare' part of the cgroupns.
Signed-off-by: Aditya Kali
Signed-off-by: Serge Hallyn
---
Changelog:
From: Aditya Kali
A new kernfs api is added to lookup the dentry for a particular
kernfs path.
Signed-off-by: Aditya Kali
Signed-off-by: Serge E. Hallyn
Acked-by: Greg Kroah-Hartman
---
Changelog:
20151116 - Don't allow user namespaces to bind new subsystems
20151118 - pos
of threadgroup_lock() while creating new cgroupns
- use task_lock() instead of rcu_read_lock() while accessing
task->nsproxy
- optimized setns() to own cgroupns
- simplified code around sane-behavior mount option parsing
4. Restored ACKs from Serge Hallyn from v1 on few patches t
From: Serge Hallyn
allowing root in a non-init user namespace to mount it. This should
now be safe, because
1. non-init-root cannot mount a previously unbound subsystem
2. the task doing the mount must be privileged with respect to the
user namespace owning the cgroup namespace
3. the
From: Aditya Kali
The new function kernfs_path_from_node() generates and returns kernfs
path of a given kernfs_node relative to a given parent kernfs_node.
Signed-off-by: Aditya Kali
Signed-off-by: Serge E. Hallyn
Acked-by: Greg Kroah-Hartman
---
Changelog 20151125:
- Fully-wing multilineco
From: Aditya Kali
setns on a cgroup namespace is allowed only if
task has CAP_SYS_ADMIN in its current user-namespace and
over the user-namespace associated with target cgroupns.
No implicit cgroup changes happen with attaching to another
cgroupns. It is expected that the someone moves the attachi
Quoting Stéphane Graber (stgra...@ubuntu.com):
> > diff --git a/src/lxc/network.c b/src/lxc/network.c
> > index 3417928..49633ab 100644
> > --- a/src/lxc/network.c
> > +++ b/src/lxc/network.c
> > @@ -36,6 +36,7 @@
> > #include
> > #include
> > #include
> > +#include
>
> Where is that includ
Quoting Nehal J Wani (nehaljw.k...@gmail.com):
> Built over https://github.com/tssge/lxcfs/commit/50b75e3
>
> Example Output:
>
> [root@lxc-dev ~]# lxc-attach -n ubuntuwily -- /bin/cat /proc/swaps
> FilenameTypeSizeUsed
> Priority
> none
Quoting Christian Brauner (christianvanbrau...@gmail.com):
> Explain that multiple /lower layers can be used.
>
> Signed-off-by: Christian Brauner
Acked-by: Serge E. Hallyn
> ---
> doc/lxc.container.conf.sgml.in | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/doc/
Quoting Christian Brauner (christianvanbrau...@gmail.com):
> Do it in a safe way by using strstr() to check for the substring ":/" should
> ':' be part of a pathname.
>
> Signed-off-by: Christian Brauner
Acked-by: Serge E. Hallyn
> ---
> src/lxc/bdev/lxcaufs.c | 14 ++
> 1 file ch
Quoting Christian Brauner (christianvanbrau...@gmail.com):
> - With the -g/--groups argument the user can give a comma-separated list of
> groups MUST a container must have in order to be displayed. We receive
> this list as a single string. ls_has_all_grps() is called to check if a
> contain
Quoting Christian Brauner (christianvanbrau...@gmail.com):
> Do it in a safe way by using strstr() to check for the substring ":/" should
> ':' be part of a pathname. This should be a safer implementation than the one
> originally suggested in #547.
>
> Signed-off-by: Christian Brauner
Acked-by:
Quoting Bogdan Purcareata (bogdan.purcare...@nxp.com):
> The safe_mount function was introduced in order to address CVE-2015-1335,
> one of the vulnerabilities being a mount with a symlink for the
> destination path. In scenarios such as lxc-execute with no rootfs, the
> destination path is the hos
> -
> -
> -
> - --version
> -
> -
> -
> -Show the version number.
> +The regular expression passed to lxc-ls will
> be
> +applied to the container name. The format is a POSIX extended
>
Quoting Christian Brauner (christianvanbrau...@gmail.com):
> In the Python implementation users could pass a regex without a parameter flag
> as additional argument on the command line. The C implementation gained the
> flag -r/--regex for this. To not irritate users we restore the old behaviour
>
Quoting Christian Brauner (christianvanbrau...@gmail.com):
> - remove unused argument from ls_get()
> - Fix ls_has_all_groups() but leave the inefficient basic algorithm untouched
> for now. (Will be fixed in a dedicated commit.)
> - insert missing ;
>
> Signed-off-by: Christian Brauner
> ---
>
Quoting Nehal J Wani (nehaljw.k...@gmail.com):
> When no limit is specified using lxc.cgroup.memory.memsw.limit_in_bytes,
> overflow occurs while calculating Swap{Total,Free}. Commit a2de34b tried
> to fix this, but introduced another bug, wherein if
> memory.memsw.limit_in_bytes >= memory.limit_in
Quoting Nehal J Wani (nehaljw.k...@gmail.com):
> When no limit is specified using lxc.cgroup.memory.memsw.limit_in_bytes,
> overflow occurs while calculating Swap{Total,Free}. Commit a2de34b tried
> to fix this, but introduced another bug, wherein if
> memory.memsw.limit_in_bytes >= memory.limit_in
Quoting Christian Brauner (christianvanbrau...@gmail.com):
> - explain new -r,--regex flag
> - explain new numeric argument to --nesting
> - include common options as lxc-ls now uses the standard lxc parser
> - add history section and update authors
>
> Signed-off-by: Christian Brauner
> ---
> d
Quoting Wolfgang Bumiller (w.bumil...@proxmox.com):
> On Mon, Jan 18, 2016 at 11:18:32PM +0000, Serge Hallyn wrote:
> > Quoting Wolfgang Bumiller (w.bumil...@proxmox.com):
> > > --- a/src/lxc/lxccontainer.h
> > > +++ b/src/lxc/lxccontainer.h
> > > @@ -2
Quoting Nehal J Wani (nehaljw.k...@gmail.com):
> I am using the most recent version of lxcfs, commit:
> 17f9a5a9d647467e3858fa751e40cc7c022dd475
>
> When I spawn a container with the settings...
>
> lxc.cgroup.memory.limit_in_bytes = 256M
> lxc.cgroup.memory.memsw.limit_in_bytes = 512M
>
> ... I
Quoting Wolfgang Bumiller (w.bumil...@proxmox.com):
> They change a value and return true on success rather than
> fetching the value as the comments previously suggested.
>
> Signed-off-by: Wolfgang Bumiller
Yikes, yes the return value description is entirely wrong.
Thanks
Acked-by: Serge E.
Quoting Wolfgang Bumiller (w.bumil...@proxmox.com):
> Add the possibility to start a container in a frozen state.
>
> Signed-off-by: Wolfgang Bumiller
> ---
> doc/lxc-start.sgml.in | 12
> src/lxc/arguments.h| 3 +++
> src/lxc/conf.h | 1 +
> src/lxc/lxc_start.c|
Quoting Christian Brauner (christian.brau...@mailbox.org):
> - If lxc_container_new() fails we check for ENOMEM and if so goto out. If
> ENOMEM is not set we will simply continue. The same goes for the call to
> regcomp() but instead of checking for ENOMEM we need to check for
> REG_ESPACE.
>
Quoting Christian Brauner (christian.brau...@mailbox.org):
> If lxc_container_new() fails we check for ENOMEM and if so goto out. If ENOMEM
> is not set we will simply continue. The same goes for the call to regcomp()
> but
> instead of checking for ENOMEM we need to check for REG_ESPACE.
>
> Twe
Quoting Christian Brauner (christian.brau...@mailbox.org):
> On Fri, Jan 15, 2016 at 08:40:19PM +0000, Serge Hallyn wrote:
> > Quoting Christian Brauner (christian.brau...@mailbox.org):
> > > If lxc_container_new() fails we check for ENOMEM and goto out if ENOMEM
> > > >
Quoting Christian Brauner (christian.brau...@mailbox.org):
> Otherwise users will always get nested containers listed.
>
> Signed-off-by: Christian Brauner
I'd actually looked for that and somehow missed it.
Acked-by: Serge E. Hallyn
> ---
> src/lxc/lxc_ls.c | 2 +-
> 1 file changed, 1 inser
Quoting Christian Brauner (christian.brau...@mailbox.org):
> If lxc_container_new() fails we check for ENOMEM and goto out if ENOMEM is not
> set we will simply continue. The same goes for the call to regcomp() but
> instead of checking for ENOMEM we need to check for REG_ESPACE.
>
> Tweaking: Sin
Quoting Thomas Tanaka (thomas.tan...@oracle.com):
> The following patch fixes memory alignment and endianness
> issue while doing a snapshot deletion with btrfs as a
> backing store on platform such as sparc.
>
> The implementation is taken from btrfs-progs.
>
> Changes since v1:
> - include for
Quoting Thomas Tanaka (thomas.tan...@oracle.com):
> The following patch fixes memory alignment and endianness
> issue while doing a snapshot deletion with btrfs as a
> backing store on platform such as sparc.
>
> The implementation is taken from btrfs-progs.
Hi,
thanks, this looks nice. I'm wor
Quoting Christian Brauner (christian.brau...@mailbox.org):
> Check if we're really on a btrfs filesystem before we call btrfs_same_fs().
> Otherwise we will report misleading errors although everything went fine.
>
> Signed-off-by: Christian Brauner
Acked-by: Serge E. Hallyn
> ---
> src/lxc/b
Quoting Bogdan Purcareata (bogdan.purcare...@nxp.com):
> On 14.01.2016 01:09, Serge Hallyn wrote:
> > Quoting Bogdan Purcareata (bogdan.purcare...@nxp.com):
> >> On 11.01.2016 20:59, Serge Hallyn wrote:
> >>> Quoting Bogdan Purcareata (bogdan.purcare...@nxp.com):
>
Quoting Christian Brauner (christian.brau...@mailbox.org):
> Signed-off-by: Christian Brauner
Acked-by: Serge E. Hallyn
> ---
> doc/see_also.sgml.in | 5 +
> 1 file changed, 5 insertions(+)
>
> diff --git a/doc/see_also.sgml.in b/doc/see_also.sgml.in
> index 4954e8e..3b3ecd7 100644
> ---
Quoting Tycho Andersen (tycho.ander...@canonical.com):
> On Thu, Jan 14, 2016 at 09:28:07AM +0000, Serge Hallyn wrote:
> > Quoting Tycho Andersen (tycho.ander...@canonical.com):
> > > On Wed, Jan 13, 2016 at 09:47:50PM +, Serge Hallyn wrote:
> > > > Quoti
Quoting Tycho Andersen (tycho.ander...@canonical.com):
> On Wed, Jan 13, 2016 at 09:47:50PM +0000, Serge Hallyn wrote:
> > Quoting Tycho Andersen (tycho.ander...@canonical.com):
> > > 1. remember to chown the cgroup path when migrating a container
> > > 2. when restor
serve lxcpath's const-ness. Technically we are
guaranteed that execvp won't change the args, but it's worth
it to silence the warnings (and not hide real errors).
With this patch, container nics are cleaned up from openvswitch
bridges on shutdown.
Signed-off-by: Serge Hallyn
Quoting Bogdan Purcareata (bogdan.purcare...@nxp.com):
> On 11.01.2016 20:59, Serge Hallyn wrote:
> > Quoting Bogdan Purcareata (bogdan.purcare...@nxp.com):
> >> The safe_mount primitive will mount the fs in the new container
> >> environment by using file descriptor
Quoting Christian Brauner (christian.brau...@mailbox.org):
> As ls_get() is non-tail recursive we face the inherent danger of blowing up
> the
> stack at some level of nesting. To have at least some security we define
> MAX_NESTLVL to be 5. That should be sufficient for most users. The argument
>
Quoting Wim Coekaerts (wim.coekae...@oracle.com):
> On 1/13/16 1:50 PM, Serge Hallyn wrote:
> >Quoting Tycho Andersen (tycho.ander...@canonical.com):
> >>Signed-off-by: Tycho Andersen
> >Acked-by: Serge E. Hallyn
> >
> >>---
> >> .g
Quoting Tycho Andersen (tycho.ander...@canonical.com):
> Signed-off-by: Tycho Andersen
Acked-by: Serge E. Hallyn
> ---
> .gitignore | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/.gitignore b/.gitignore
> index 5e4912c..58e5dea 100644
> --- a/.gitignore
> +++ b/.gitignore
> @@ -41,6
Quoting Tycho Andersen (tycho.ander...@canonical.com):
> 1. remember to chown the cgroup path when migrating a container
> 2. when restoring the cgroup path, try to compute the euid for root vs.
>using geteuid(); geteuid works for start, but it doesn't work for
>migration since we're still
Quoting Tycho Andersen (tycho.ander...@canonical.com):
> No reason for these to be +x, and it looks weird.
>
> Signed-off-by: Tycho Andersen
But it makes them a pretty green color in my terminal.
Acked-by: Serge E. Hallyn
> ---
> src/lxc/cgmanager.c | 4 ++--
> 1 file changed, 2 insertions(+
Quoting Bogdan Purcareata (bogdan.purcare...@nxp.com):
> The safe_mount primitive will mount the fs in the new container
> environment by using file descriptors referred in /proc/self/fd.
> However, when the mounted filesystem is proc itself, it will have
> been previously unmounted, therefore resu
Quoting Nehal J Wani (nehaljw.k...@gmail.com):
> When no limit is specified using lxc.cgroup.memory.memsw.limit_in_bytes,
> overflow occurs while calculating Swap{Total,Free}. Commit a2de34b tried
> to fix this, but introduced another bug, wherein if
> memory.memsw.limit_in_bytes >= memory.limit_in
Thanks, I'll push a new 0.16 release tonight.
rm
> this?
>
> Mathias
>
> On Fri, 2016-01-08 at 20:10 +, Serge Hallyn wrote:
> > > From 24e98d74ca279ed2dc8e5a025add5a00737ba952 Mon Sep 17 00:00:00
> > 2001
> > > From: Wolfgang Bumiller
> > > Date: Fri, 8 Jan 2016 11:09:57 +0100
> > > >
Quoting Wolfgang Bumiller (w.bumil...@proxmox.com):
>
> > On January 8, 2016 at 11:23 AM Wolfgang Bumiller
> > wrote:
> >
> >
> >
> > > On January 8, 2016 at 9:50 AM Wolfgang Bumiller
> > > wrote:
> > >
> > >
>
Quoting Bogdan Purcareata (bogdan.purcare...@nxp.com):
> When running application containers with lxc-execute, /dev is
> populated only with device entries. Since /dev is a tmpfs mount in
> the container environment, the /dev/shm folder not being present is not
> a sufficient reason for the /dev/sh
Quoting Bogdan Purcareata (bogdan.purcare...@nxp.com):
> The safe_mount primitive will mount the fs in the new container
> environment by using file descriptors referred in /proc/self/fd.
> However, when the mounted filesystem is proc itself, it will have
> been previously unmounted, therefore resu
Quoting Bogdan Purcareata (bogdan.purcare...@nxp.com):
> In the current implementation, the open_without_symlink function
> will default to opening the root mount only if the passed rootfs
> prefix is null. It doesn't account for the case where this prefix
> is passed as an empty string.
>
> Prope
Quoting Wolfgang Bumiller (w.bumil...@proxmox.com):
>
> > On January 8, 2016 at 2:55 AM Serge Hallyn wrote:
> > Quoting Wolfgang Bumiller (w.bumil...@proxmox.com):
> > > Signed-off-by: Wolfgang Bumiller
> > > ---
> > > lxcfs.c | 2 +-
> >
Quoting Wolfgang Bumiller (w.bumil...@proxmox.com):
> If the first realloc() call fails then 'd' becomes NULL,
> subsequent realloc() retries will behave like malloc() and
> the original src pointer is never freed. Furthermore
> the newly allocated data then contains uninitialized data
> where
Quoting Wolfgang Bumiller (w.bumil...@proxmox.com):
>
> > On January 7, 2016 at 7:42 PM Serge Hallyn wrote:
> >
> >
> > Quoting Wolfgang Bumiller (w.bumil...@proxmox.com):
> > > The initial check should use real lengths as with modulo a
> > > new
Quoting Wolfgang Bumiller (w.bumil...@proxmox.com):
> The initial check should use real lengths as with modulo a
> new required length of eg. 52 would be considered smaller
> than an old length of 48 (2 < 48).
>
> To get the 'batches' count 'newlen' must be divided and not
> taken modulo BATCH_SIZ
Closes #1459
Signed-off-by: Serge Hallyn
---
src/lxc/lsm/apparmor.c | 38 +++---
1 file changed, 35 insertions(+), 3 deletions(-)
diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
index d78bd7a..39324ce 100644
--- a/src/lxc/lsm/apparmor.c
+++ b/src
From: Serge Hallyn
Signed-off-by: Aditya Kali
Signed-off-by: Serge Hallyn
Signed-off-by: Tejun Heo
---
Changelog (2015-12-08):
Merge into Documentation/cgroup.txt
Changelog (2015-12-22):
Reformat to try to follow the style of the rest of the cgroup.txt file.
Changelog (2015-12-22):
tj
From: Serge Hallyn
This patch enables cgroup mounting inside userns when a process
has appropriate privileges. The cgroup filesystem mounted is
rooted at the cgroupns-root. Thus, in a container-setup, only
the hierarchy under the cgroupns-root is exposed inside the container.
This allows
From: Aditya Kali
CLONE_NEWCGROUP will be used to create new cgroup namespace.
Signed-off-by: Aditya Kali
Signed-off-by: Serge Hallyn
---
include/uapi/linux/sched.h |3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/include/uapi/linux/sched.h b/include/uapi/linux
From: Aditya Kali
The new function kernfs_path_from_node() generates and returns kernfs
path of a given kernfs_node relative to a given parent kernfs_node.
Signed-off-by: Aditya Kali
Signed-off-by: Serge E. Hallyn
Acked-by: Greg Kroah-Hartman
---
Changelog 20151125:
- Fully-wing multilineco
From: Aditya Kali
setns on a cgroup namespace is allowed only if
task has CAP_SYS_ADMIN in its current user-namespace and
over the user-namespace associated with target cgroupns.
No implicit cgroup changes happen with attaching to another
cgroupns. It is expected that the someone moves the attachi
From: Aditya Kali
A new kernfs api is added to lookup the dentry for a particular
kernfs path.
Signed-off-by: Aditya Kali
Signed-off-by: Serge E. Hallyn
Acked-by: Greg Kroah-Hartman
---
Changelog:
20151116 - Don't allow user namespaces to bind new subsystems
20151118 - pos