* [gentoo-commits] gentoo-x86 commit in app-emulation/lxc/files: lxc-0.6.4-move-rcfile.patch lxc-0.6.4-fix-full-system.patch lxc-0.6.4-lxc.network.pair.patch 0.6.2-as-needed.patch
@ 2009-12-07 11:39 Diego Petteno (flameeyes)
From: Diego Petteno (flameeyes) @ 2009-12-07 11:39 UTC (permalink / raw
  To: gentoo-commits

flameeyes    09/12/07 11:39:11

  Added:                lxc-0.6.4-move-rcfile.patch
                        lxc-0.6.4-fix-full-system.patch
                        lxc-0.6.4-lxc.network.pair.patch
  Removed:              0.6.2-as-needed.patch
  Log:
  Backport fixes from upstream, including one to not break host systems if lxc-start is launched in the old (pre-0.6.4) way. Thanks to Andrian Nord in bug #296030.
  (Portage version: 2.2_rc56/cvs/Linux x86_64)

Revision  Changes    Path
1.1                  app-emulation/lxc/files/lxc-0.6.4-move-rcfile.patch

file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-emulation/lxc/files/lxc-0.6.4-move-rcfile.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-emulation/lxc/files/lxc-0.6.4-move-rcfile.patch?rev=1.1&content-type=text/plain

Index: lxc-0.6.4-move-rcfile.patch
===================================================================
From fae349da89b9ad063f0080970558b7f02ce233c2 Mon Sep 17 00:00:00 2001
From: Daniel Lezcano <daniel.lezcano@free.fr>
Date: Thu, 26 Nov 2009 15:46:24 +0000
Subject: pass lxc_conf to the lxc_start function instead of the rcfile

The rcfile is parsed in the lxc_start function. This is not the place
to do that. Let the caller do that.

In the meantime, we have the lxc_conf structure filled right before
calling the lxc_start function so we can do some sanity check on the
configuration to not break the system when we launch the container.

Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com> 
---
diff --git a/src/lxc/commands.c b/src/lxc/commands.c
index 02239e5..4c48571 100644
--- a/src/lxc/commands.c
+++ b/src/lxc/commands.c
@@ -135,7 +135,7 @@ static int trigger_command(int fd, struct lxc_request *request,
 static void command_fd_cleanup(int fd, struct lxc_handler *handler,
 			       struct lxc_epoll_descr *descr)
 {
-	lxc_console_remove_fd(fd, &handler->conf.tty_info);
+	lxc_console_remove_fd(fd, &handler->conf->tty_info);
 	lxc_mainloop_del_handler(descr, fd);
 	close(fd);
 }
diff --git a/src/lxc/console.c b/src/lxc/console.c
index 52f6cec..96a6edd 100644
--- a/src/lxc/console.c
+++ b/src/lxc/console.c
@@ -98,7 +98,7 @@ extern int lxc_console_callback(int fd, struct lxc_request *request,
 			struct lxc_handler *handler)
 {
 	int ttynum = request->data;
-	struct lxc_tty_info *tty_info = &handler->conf.tty_info;
+	struct lxc_tty_info *tty_info = &handler->conf->tty_info;
 
 	if (ttynum > 0) {
 		if (ttynum > tty_info->nbtty)
diff --git a/src/lxc/lxc.h b/src/lxc/lxc.h
index 66cb3b8..8cf21c1 100644
--- a/src/lxc/lxc.h
+++ b/src/lxc/lxc.h
@@ -31,6 +31,7 @@ extern "C" {
 #include <lxc/state.h>
 
 struct lxc_msg;
+struct lxc_conf;
 
 /**
  Following code is for liblxc.
@@ -44,7 +45,7 @@ struct lxc_msg;
  * @argv     : an array of char * corresponding to the commande line
  * Returns 0 on sucess, < 0 otherwise
  */
-extern int lxc_start(const char *name, char *const argv[], const char *rcfile);
+extern int lxc_start(const char *name, char *const argv[], struct lxc_conf *);
 
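Review bot: The doc comment above lxc_start still documents only name and argv; the new third parameter that replaces the rcfile is neither described nor even named in the prototype on line 84. Add `* @conf     : the container configuration, already initialized with lxc_conf_init and parsed by the caller` to the comment and name the parameter `struct lxc_conf *conf` in the declaration. start.c stores this pointer in the handler (handler->conf = conf), so it appears to be kept for the handler's lifetime rather than copied; the comment should state that the pointee must stay valid until the container is finalized, or say otherwise if that is not the intent.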
 /*
  * Stop the container previously started with lxc_start, all
diff --git a/src/lxc/lxc_execute.c b/src/lxc/lxc_execute.c
index 846a96f..40a4b93 100644
--- a/src/lxc/lxc_execute.c
+++ b/src/lxc/lxc_execute.c
@@ -31,10 +31,11 @@
 #include <sys/stat.h>
 #include <sys/param.h>
 
-#include <lxc/log.h>
-#include <lxc/confile.h>
-#include <lxc/lxc.h>
 
+#include "lxc.h"
+#include "log.h"
+#include "conf.h"
+#include "confile.h"
 #include "arguments.h"
 #include "config.h"
 
@@ -83,6 +84,7 @@ int main(int argc, char *argv[])
 {
 	static char **args;
 	char *rcfile;
+	struct lxc_conf conf;
 
 	if (lxc_arguments_parse(&my_args, argc, argv))
 		return -1;
@@ -111,6 +113,16 @@ int main(int argc, char *argv[])
 		}
 	}
 
-	return lxc_start(my_args.name, args, my_args.rcfile);
+	if (lxc_conf_init(&conf)) {
+		ERROR("failed to initialze configuration");
+		return -1;
+	}
+
+	if (rcfile && lxc_config_read(rcfile, &conf)) {
+		ERROR("failed to read configuration file");
+		return -1;
+	}
+
+	return lxc_start(my_args.name, args, &conf);
 }
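Review bot: The error messages added on lines 121 and 126 are less useful than the ones this commit removes from lxc_init: "initialze" is misspelled, and the read failure no longer names the file, whereas the removed code reported `failed to read '%s'`. Change them to `ERROR("failed to initialize configuration");` and `ERROR("failed to read configuration file '%s'", rcfile);`; the same two strings appear in the lxc_start.c hunk at `@@ -161,6 +163,16 @@`. The `rcfile` local on line 110 is declared without an initializer and the removed call passed my_args.rcfile instead, so unless rcfile is assigned in the part of main that lies outside this hunk, the new `rcfile &&` test reads an indeterminate pointer. main continues on both sides of the hunk.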
 
diff --git a/src/lxc/lxc_start.c b/src/lxc/lxc_start.c
index cf87abf..b8d03e8 100644
--- a/src/lxc/lxc_start.c
+++ b/src/lxc/lxc_start.c
@@ -40,12 +40,13 @@
 #include <netinet/in.h>
 #include <net/if.h>
 
-#include <lxc/lxc.h>
-#include <lxc/log.h>
-#include <lxc/utils.h>
-
-#include "arguments.h"
+#include "log.h"
+#include "lxc.h"
+#include "conf.h"
+#include "utils.h"
 #include "config.h"
+#include "confile.h"
+#include "arguments.h"
 
 lxc_log_define(lxc_start, lxc);
 
@@ -132,6 +133,7 @@ int main(int argc, char *argv[])
 	};
 
 	char *rcfile = NULL;
+	struct lxc_conf conf;
 
 	if (lxc_arguments_parse(&my_args, argc, argv))
 		return err;
@@ -161,6 +163,16 @@ int main(int argc, char *argv[])
 		}
 	}
 
+	if (lxc_conf_init(&conf)) {
+		ERROR("failed to initialze configuration");
+		return err;
+	}
+
+	if (rcfile && lxc_config_read(rcfile, &conf)) {
+		ERROR("failed to read configuration file");
+		return err;
+	}
+
 	if (my_args.daemonize) {
 
                 /* do not chdir as we want to open the log file,
@@ -187,7 +199,7 @@ int main(int argc, char *argv[])
 
 	save_tty(&tios);
 
-	err = lxc_start(my_args.name, args, rcfile);
+	err = lxc_start(my_args.name, args, &conf);
 
 	restore_tty(&tios);
 
diff --git a/src/lxc/start.c b/src/lxc/start.c
index 7143421..7e9d924 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -230,7 +230,7 @@ static int console_init(char *console, size_t size)
 	return 0;
 }
 
-struct lxc_handler *lxc_init(const char *name, const char *rcfile)
+struct lxc_handler *lxc_init(const char *name, struct lxc_conf *conf)
 {
 	struct lxc_handler *handler;
 
@@ -240,36 +240,20 @@ struct lxc_handler *lxc_init(const char *name, const char *rcfile)
 
 	memset(handler, 0, sizeof(*handler));
 
+	handler->conf = conf;
+
 	/* Begin the set the state to STARTING*/
 	if (lxc_set_state(name, handler, STARTING)) {
 		ERROR("failed to set state '%s'", lxc_state2str(STARTING));
 		goto out_free;
 	}
 
-	if (lxc_conf_init(&handler->conf)) {
-		ERROR("failed to initialize the configuration");
-		goto out_aborting;
-	}
-
-	if (rcfile) {
-		if (access(rcfile, F_OK)) {
-			ERROR("failed to access '%s'", rcfile);
-			goto out_aborting;
-		}
-
-		if (lxc_config_read(rcfile, &handler->conf)) {
-			ERROR("failed to read '%s'", rcfile);
-			goto out_aborting;
-		}
-	}
-
-	if (console_init(handler->conf.console,
-			 sizeof(handler->conf.console))) {
+	if (console_init(conf->console, sizeof(conf->console))) {
 		ERROR("failed to initialize the console");
 		goto out_aborting;
 	}
 
-	if (lxc_create_tty(name, &handler->conf)) {
+	if (lxc_create_tty(name, conf)) {
 		ERROR("failed to create the ttys");
 		goto out_aborting;
 	}
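Review bot: lxc_init now dereferences its conf argument unconditionally (stored on line 207, `conf->console` on line 234) but nothing rejects a NULL conf, whereas the removed code tolerated a NULL rcfile. A guard before the handler allocation is cheap: `if (!conf) { ERROR("no configuration given"); return NULL; }`. The removed `access(rcfile, F_OK)` check and the per-file error messages are now something every caller of lxc_start must provide itself; a comment such as `/* conf must be initialized and parsed by the caller; lxc_init only attaches it to the handler */` on lxc_init would record that contract. lxc_init starts in the previous hunk and its body continues past this one.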
@@ -294,7 +278,7 @@ out:
 	return handler;
 
 out_delete_tty:
-	lxc_delete_tty(&handler->conf.tty_info);
+	lxc_delete_tty(&conf->tty_info);
 out_aborting:
 	lxc_set_state(name, handler, ABORTING);
 out_free:
@@ -313,7 +297,7 @@ void lxc_fini(const char *name, struct lxc_handler *handler)
 	lxc_unlink_nsgroup(name);
 
 	if (handler) {
-		lxc_delete_tty(&handler->conf.tty_info);
+		lxc_delete_tty(&handler->conf->tty_info);
 		free(handler);
 	}
 
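Review bot: lxc_fini frees the handler on line 259 but not the configuration it now merely points to, which is consistent with both mains keeping conf on their stack, yet nothing in the code says so; a later reader could add a `free(handler->conf)` here and introduce an invalid free. Add `/* handler->conf is owned by the caller of lxc_start (stack-allocated in lxc_start.c and lxc_execute.c); do not free it here */` above the free, and mirror it on the field in start.h as `struct lxc_conf *conf; /* supplied by lxc_start's caller, not owned by the handler */`. lxc_fini's body continues outside the hunk.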
@@ -366,7 +350,7 @@ static int do_start(void *arg)
 	}
 
 	/* Setup the container, ip, names, utsname, ... */
-	if (lxc_setup(name, &handler->conf)) {
+	if (lxc_setup(name, handler->conf)) {
 		ERROR("failed to setup the container");
 		goto out_warn_father;
 	}
@@ -414,14 +398,14 @@ int lxc_spawn(const char *name, struct lxc_handler *handler, char *const argv[])
 	}
 
 	clone_flags = CLONE_NEWUTS|CLONE_NEWPID|CLONE_NEWIPC|CLONE_NEWNS;
-	if (!lxc_list_empty(&handler->conf.network)) {
+	if (!lxc_list_empty(&handler->conf->network)) {
 
 		clone_flags |= CLONE_NEWNET;
 
 		/* that should be done before the clone because we will
 		 * fill the netdev index and use them in the child
 		 */
-		if (lxc_create_network(&handler->conf.network)) {
+		if (lxc_create_network(&handler->conf->network)) {
 			ERROR("failed to create the network");
 			goto out_close;
 		}
@@ -447,7 +431,7 @@ int lxc_spawn(const char *name, struct lxc_handler *handler, char *const argv[])
 
 	/* Create the network configuration */
 	if (clone_flags & CLONE_NEWNET) {
-		if (lxc_assign_network(&handler->conf.network, handler->pid)) {
+		if (lxc_assign_network(&handler->conf->network, handler->pid)) {
 			ERROR("failed to create the configured network");
 			goto out_abort;
 		}
@@ -486,13 +470,13 @@ out_abort:
 	goto out_close;
 }
 
-int lxc_start(const char *name, char *const argv[], const char *rcfile)
+int lxc_start(const char *name, char *const argv[], struct lxc_conf *conf)
 {
 	struct lxc_handler *handler;
 	int err = -1;
 	int status;
 
-	handler = lxc_init(name, rcfile);
+	handler = lxc_init(name, conf);
 	if (!handler) {
 		ERROR("failed to initialize the container");
 		return -1;
diff --git a/src/lxc/start.h b/src/lxc/start.h
index 3390411..ba55562 100644
--- a/src/lxc/start.h
+++ b/src/lxc/start.h
@@ -34,10 +34,10 @@ struct lxc_handler {
 	int sigfd;
 	char nsgroup[MAXPATHLEN];
 	sigset_t oldmask;
-	struct lxc_conf conf;
+	struct lxc_conf *conf;
 };
 
-extern struct lxc_handler *lxc_init(const char *name, const char *rcfile);
+extern struct lxc_handler *lxc_init(const char *name, struct lxc_conf *);
 extern int lxc_spawn(const char *name, struct lxc_handler *handler,
 		     char *const argv[]);
 
--
cgit v0.8.3



1.1                  app-emulation/lxc/files/lxc-0.6.4-fix-full-system.patch

file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-emulation/lxc/files/lxc-0.6.4-fix-full-system.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-emulation/lxc/files/lxc-0.6.4-fix-full-system.patch?rev=1.1&content-type=text/plain

Index: lxc-0.6.4-fix-full-system.patch
===================================================================
From f2ae79a04567fb8c1181f4d3331d2b7a48889cf3 Mon Sep 17 00:00:00 2001
From: Andrian Nord <nightnord@gmail.com>
Date: Thu, 26 Nov 2009 15:46:25 +0000
Subject: "Default" configuration may destroy host system

If you're running (by mistake or typo) (via lxc-start) a container that does not
exist, it will run with lxc.rootfs=/, meaning that /sbin/init will
restart the initialization procedure, effectively messing up the host's system,
which may lead to unpredictable results or even destroy (make inaccessible) the host
system (by resetting the network configuration or something like that).

(Actually, it _did_ destroy system of everyone who tested this).

Actually, I finally lost any meaning of having such a feature for
full-system containers. You may not use hosts's FS - it's described at
above. You may not use some temporary directory - that's nonsense.

This patch forbinds starting container via lxc-start without rcfile and
custom start program, but probably it fixes only small part of problem.
I really don't see much sense in such a feature without ability of
overriding 'default' setting with command line switches. Anyway, default
behaviour should be as save as possible.

Signed-off-by: Andrian Nord <NightNord@gmail.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
---
diff --git a/src/lxc/lxc_start.c b/src/lxc/lxc_start.c
index b8d03e8..d2471eb 100644
--- a/src/lxc/lxc_start.c
+++ b/src/lxc/lxc_start.c
@@ -173,6 +173,11 @@ int main(int argc, char *argv[])
 		return err;
 	}
 
+	if (!rcfile && !strcmp("/sbin/init", args[0])) {
+		ERROR("no configuration file for '/sbin/init' (may crash the host)");
+		return err;
+	}
+
 	if (my_args.daemonize) {
 
                 /* do not chdir as we want to open the log file,
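Review bot: The guard on line 376 only recognises the exact string "/sbin/init", so the same program reached through any other spelling of its path still starts with the default lxc.rootfs=/ that the commit message describes as destroying the host; the message itself concedes the fix is partial. A more robust default is to refuse any start without a configuration file, since the fallback root filesystem is the host's in every case: `if (!rcfile) { ERROR("no configuration file given (refusing to start on the host's root filesystem)"); return err; }`. If that is considered too strict, the exact-match comparison should at least carry a comment saying it is best-effort. The check also assumes args[0] is non-NULL; args is set up outside the hunk, so confirm the no-command case gives it a value. main continues on both sides of the hunk.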
--
cgit v0.8.3



1.1                  app-emulation/lxc/files/lxc-0.6.4-lxc.network.pair.patch

file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-emulation/lxc/files/lxc-0.6.4-lxc.network.pair.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-emulation/lxc/files/lxc-0.6.4-lxc.network.pair.patch?rev=1.1&content-type=text/plain

Index: lxc-0.6.4-lxc.network.pair.patch
===================================================================
From 8634bc197f742267b2eabd8543265ba93177b529 Mon Sep 17 00:00:00 2001
From: Michael Tokarev <mjt@tls.msk.ru>
Date: Thu, 26 Nov 2009 15:46:23 +0000
Subject: allow lxc.network.pair to specify host-side name for veth interface

Currently we allocate the veth device with a random name on the host side,
so that things like firewall rules or accounting do not work
at all.  Fix this by recognizing yet another keyword to specify
the host-side device name: lxc.network.pair, and use it instead
of the random name if specified.

Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
---
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 9c3a558..523270e 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -829,14 +829,19 @@ int lxc_conf_init(struct lxc_conf *conf)
 
 static int instanciate_veth(struct lxc_netdev *netdev)
 {
-	char veth1[IFNAMSIZ];
+	char veth1buf[IFNAMSIZ], *veth1;
 	char veth2[IFNAMSIZ];
 	int ret = -1;
 
-	snprintf(veth1, sizeof(veth1), "vethXXXXXX");
-	snprintf(veth2, sizeof(veth2), "vethXXXXXX");
+	if (netdev->pair)
+		veth1 = netdev->pair;
+	else {
+		snprintf(veth1buf, sizeof(veth1buf), "vethXXXXXX");
+		mktemp(veth1buf);
+		veth1 = veth1buf;
+	}
 
-	mktemp(veth1);
+	snprintf(veth2, sizeof(veth2), "vethXXXXXX");
 	mktemp(veth2);
 
 	if (!strlen(veth1) || !strlen(veth2)) {
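Review bot: When lxc.network.pair is set, veth1 on line 426 aliases the user-supplied string, whereas the generated name is bounded by IFNAMSIZ through veth1buf; unless network_ifname in confile.c already rejects names of IFNAMSIZ or more characters, an over-long pair name now reaches whatever copies veth1 into an ifreq or netlink attribute below, where it is truncated or rejected late. A local bound keeps this function self-contained: `if (strlen(netdev->pair) >= IFNAMSIZ) { ERROR("'%s' is too long for an interface name", netdev->pair); return -1; }` before `veth1 = netdev->pair;`. A fixed host-side name also means two containers configured with the same pair value collide at creation time, so the error path below the hunk should name the interface it failed to create. instanciate_veth continues past the hunk.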
diff --git a/src/lxc/conf.h b/src/lxc/conf.h
index 0b8d732..bb38206 100644
--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
@@ -73,6 +73,7 @@ struct lxc_route6 {
  * Defines a structure to configure a network device
  * @link   : lxc.network.link, name of bridge or host iface to attach if any
  * @name   : lxc.network.name, name of iface on the container side
+ * @pair   : lxc.network.pair, name of host-side iface in case of veth etc
  * @flags  : flag of the network device (IFF_UP, ... )
  * @ipv4   : a list of ipv4 addresses to be set on the network device
  * @ipv6   : a list of ipv6 addresses to be set on the network device
@@ -83,6 +84,7 @@ struct lxc_netdev {
 	int ifindex;
 	char *link;
 	char *name;
+	char *pair;
 	char *hwaddr;
 	char *mtu;
 	struct lxc_list ipv4;
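Review bot: The new `pair` member is filled by network_ifname just like `name` and `link` (see the confile.c hunk), so it is presumably allocated the same way; whatever releases name and link when a netdev is torn down must now release pair as well, and that code is not touched by this patch. Confirm the netdev cleanup path frees pair, and document the ownership at the declaration: `char *pair; /* host-side veth name from lxc.network.pair, allocated by network_ifname */`.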
diff --git a/src/lxc/confile.c b/src/lxc/confile.c
index 39a8e2c..3a9a86d 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -49,6 +49,7 @@ static int config_network_type(const char *, char *, struct lxc_conf *);
 static int config_network_flags(const char *, char *, struct lxc_conf *);
 static int config_network_link(const char *, char *, struct lxc_conf *);
 static int config_network_name(const char *, char *, struct lxc_conf *);
+static int config_network_pair(const char *, char *, struct lxc_conf *);
 static int config_network_hwaddr(const char *, char *, struct lxc_conf *);
 static int config_network_mtu(const char *, char *, struct lxc_conf *);
 static int config_network_ipv4(const char *, char *, struct lxc_conf *);
@@ -73,6 +74,7 @@ static struct config config[] = {
 	{ "lxc.network.flags",  config_network_flags  },
 	{ "lxc.network.link",   config_network_link   },
 	{ "lxc.network.name",   config_network_name   },
+	{ "lxc.network.pair",   config_network_pair   },
 	{ "lxc.network.hwaddr", config_network_hwaddr },
 	{ "lxc.network.mtu",    config_network_mtu    },
 	{ "lxc.network.ipv4",   config_network_ipv4   },
@@ -221,6 +223,18 @@ static int config_network_name(const char *key, char *value,
 	return network_ifname(&netdev->name, value);
 }
 
+static int config_network_pair(const char *key, char *value,
+			       struct lxc_conf *lxc_conf)
+{
+	struct lxc_netdev *netdev;
+
+	netdev = network_netdev(key, value, &lxc_conf->network);
+	if (!netdev)
+		return -1;
+
+	return network_ifname(&netdev->pair, value);
+}
+
 static int config_network_hwaddr(const char *key, char *value,
 				 struct lxc_conf *lxc_conf)
 {
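Review bot: config_network_pair is a line-for-line copy of config_network_name above it, differing only in the field written; with link, name and now pair following the same shape, a small static helper that takes the destination `char **`, performs the network_netdev lookup and calls network_ifname on it would remove the duplication (the three entry points then become one-line wrappers). The conf.h comment says pair only applies "in case of veth etc", so the option is silently ignored for other network types; a comment on this function stating that, or a warning where the netdev type is known, would help users who set it on a non-veth device.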
--
cgit v0.8.3





