+++ /dev/null
-From b853bd4c180eaedd04b6d3750699e1f2805f5782 Mon Sep 17 00:00:00 2001
-From: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Date: Fri, 24 Jul 2015 09:00:33 +0200
-Subject: [PATCH v2] pass on reboot flag and delete old veth on reboot
-
-When setting lxc.network.veth.pair to get a fixed interface
-name the recreation of it after a reboot caused an EEXIST.
--) The reboot flag is now a three-state value. It's set to
-1 to request a reboot, and 2 during a reboot until after
-lxc_spawn where it is reset to 0.
--) If the reboot is set (!= 0) within instantiate_veth and
-a fixed name is used, the interface is now deleted before
-being recreated.
-
-Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
----
- src/lxc/conf.c | 6 ++++--
- src/lxc/lxccontainer.c | 6 +++---
- src/lxc/start.c | 2 ++
- 3 files changed, 9 insertions(+), 5 deletions(-)
-
-diff --git a/src/lxc/conf.c b/src/lxc/conf.c
-index 9870455..ed2ad66 100644
---- a/src/lxc/conf.c
-+++ b/src/lxc/conf.c
-@@ -2613,9 +2613,11 @@ static int instantiate_veth(struct lxc_handler *handler, struct lxc_netdev *netd
- char veth2buf[IFNAMSIZ], *veth2;
- int err;
-
-- if (netdev->priv.veth_attr.pair)
-+ if (netdev->priv.veth_attr.pair) {
- veth1 = netdev->priv.veth_attr.pair;
-- else {
-+ if (handler->conf->reboot)
-+ lxc_netdev_delete_by_name(veth1);
-+ } else {
- err = snprintf(veth1buf, sizeof(veth1buf), "vethXXXXXX");
- if (err >= sizeof(veth1buf)) { /* can't *really* happen, but... */
- ERROR("veth1 name too long");
-diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
-index 1c103e8..223e78e 100644
---- a/src/lxc/lxccontainer.c
-+++ b/src/lxc/lxccontainer.c
-@@ -760,9 +760,9 @@ static bool do_lxcapi_start(struct lxc_container *c, int useinit, char * const a
- pid_fp = NULL;
- }
-
--reboot:
- conf->reboot = 0;
-
-+reboot:
- if (lxc_check_inherited(conf, daemonize, -1)) {
- ERROR("Inherited fds found");
- ret = 1;
-@@ -772,9 +772,9 @@ reboot:
- ret = lxc_start(c->name, argv, conf, c->config_path, daemonize);
- c->error_num = ret;
-
-- if (conf->reboot) {
-+ if (conf->reboot == 1) {
- INFO("container requested reboot");
-- conf->reboot = 0;
-+ conf->reboot = 2;
- goto reboot;
- }
-
-diff --git a/src/lxc/start.c b/src/lxc/start.c
-index 6eded61..2fc026e 100644
---- a/src/lxc/start.c
-+++ b/src/lxc/start.c
-@@ -1173,6 +1173,8 @@ int __lxc_start(const char *name, struct lxc_conf *conf,
- goto out_detach_blockdev;
- }
-
-+ handler->conf->reboot = 0;
-+
- netnsfd = get_netns_fd(handler->pid);
-
- err = lxc_poll(name, handler);
---
-2.1.4
-
+++ /dev/null
-From d6417887b93477133a2c600ce755ba3afc843d44 Mon Sep 17 00:00:00 2001
-From: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Date: Thu, 23 Jul 2015 11:10:18 +0200
-Subject: [PATCH] seccomp: simplify and fix rule parsing
-
-1) Two checks on amd64 for whether compat_ctx has already
-been generated were redundant, as compat_ctx is generally
-generated before entering the parsing loop.
-
-2) With introduction of reject_force_umount the check for
-whether the syscall has the same id on both native and
-compat archs results in false behavior as this is an
-internal keyword and thus produces a -1 on
-seccomp_syscall_resolve_name_arch().
-The result was that it was added to the native architecture
-twice and never to the 32 bit architecture, causing it to
-have no effect on 32 bit containers on 64 bit hosts.
-
-3) I do not see a reason to care about whether the syscalls
-have the same number on the two architectures. On the one
-hand this check was there to avoid adding it to two archs
-(and effectively leaving one arch unprotected), while on
-the other hand it seemed to be okay to add it to the
-same arch *twice*.
-
-The entire architecture checking branches are now reduced to
-three simple cases: 'native', 'non-native' and 'all'. With
-'all' adding to both architectures regardless of the syscall
-ID.
-
-Also note that libseccomp had a bug in its architecture
-checking, so architecture related filters weren't working as
-expected before version 2.2.2, which may have contributed to
-the confusion in the original architecture-related code.
-
-Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
----
- src/lxc/seccomp.c | 63 ++++++++++++++-----------------------------------------
- 1 file changed, 16 insertions(+), 47 deletions(-)
-
-diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
-index 108faa0..07dfbc6 100644
---- a/src/lxc/seccomp.c
-+++ b/src/lxc/seccomp.c
-@@ -259,6 +259,7 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
- uint32_t default_policy_action = -1, default_rule_action = -1, action;
- enum lxc_hostarch_t native_arch = get_hostarch(),
- cur_rule_arch = native_arch;
-+ uint32_t compat_arch = SCMP_ARCH_NATIVE;
-
- if (strncmp(line, "blacklist", 9) == 0)
- blacklist = true;
-@@ -288,6 +289,7 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
-
- if (native_arch == lxc_seccomp_arch_amd64) {
- cur_rule_arch = lxc_seccomp_arch_all;
-+ compat_arch = SCMP_ARCH_X86;
- compat_ctx = get_new_ctx(lxc_seccomp_arch_i386,
- default_policy_action);
- if (!compat_ctx)
-@@ -324,14 +326,6 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
- continue;
- }
- cur_rule_arch = lxc_seccomp_arch_i386;
-- if (native_arch == lxc_seccomp_arch_amd64) {
-- if (compat_ctx)
-- continue;
-- compat_ctx = get_new_ctx(lxc_seccomp_arch_i386,
-- default_policy_action);
-- if (!compat_ctx)
-- goto bad;
-- }
- } else if (strcmp(line, "[X86_64]") == 0 ||
- strcmp(line, "[x86_64]") == 0) {
- if (native_arch != lxc_seccomp_arch_amd64) {
-@@ -342,14 +336,6 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
- } else if (strcmp(line, "[all]") == 0 ||
- strcmp(line, "[ALL]") == 0) {
- cur_rule_arch = lxc_seccomp_arch_all;
-- if (native_arch == lxc_seccomp_arch_amd64 && !compat_ctx) {
-- if (compat_ctx)
-- continue;
-- compat_ctx = get_new_ctx(lxc_seccomp_arch_i386,
-- default_policy_action);
-- if (!compat_ctx)
-- goto bad;
-- }
- }
- #ifdef SCMP_ARCH_ARM
- else if (strcmp(line, "[arm]") == 0 ||
-@@ -408,41 +394,24 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
- goto bad_rule;
- }
-
-- /*
-- * TODO generalize - if !is_compat_only(native_arch, cur_rule_arch)
-- *
-- * in other words, the rule is 32-bit only, on 64-bit host; don't run
-- * the rule against the native arch.
-- */
-- if (!(cur_rule_arch == lxc_seccomp_arch_i386 &&
-- native_arch == lxc_seccomp_arch_amd64)) {
-- INFO("Adding non-compat rule for %s action %d", line, action);
-+ if (cur_rule_arch == native_arch ||
-+ cur_rule_arch == lxc_seccomp_arch_native ||
-+ compat_arch == SCMP_ARCH_NATIVE) {
-+ INFO("Adding native rule for %s action %d", line, action);
- if (!do_resolve_add_rule(SCMP_ARCH_NATIVE, line, conf->seccomp_ctx, action))
- goto bad_rule;
- }
--
-- /*
-- * TODO generalize - if need_compat(native_arch, cur_rule_arch)
-- */
-- if (native_arch == lxc_seccomp_arch_amd64 &&
-- cur_rule_arch != lxc_seccomp_arch_amd64) {
-- int nr1, nr2;
-+ else if (cur_rule_arch != lxc_seccomp_arch_all) {
-+ INFO("Adding compat-only rule for %s action %d", line, action);
-+ if (!do_resolve_add_rule(compat_arch, line, compat_ctx, action))
-+ goto bad_rule;
-+ }
-+ else {
-+ INFO("Adding native rule for %s action %d", line, action);
-+ if (!do_resolve_add_rule(SCMP_ARCH_NATIVE, line, conf->seccomp_ctx, action))
-+ goto bad_rule;
- INFO("Adding compat rule for %s action %d", line, action);
-- nr1 = seccomp_syscall_resolve_name_arch(SCMP_ARCH_X86, line);
-- nr2 = seccomp_syscall_resolve_name_arch(SCMP_ARCH_NATIVE, line);
-- if (nr1 == nr2) {
-- /* If the syscall # is the same for 32- and 64-bit, then we cannot
-- * apply it to the compat_ctx. So apply it to the noncompat ctx.
-- * We may already have done so, but that's ok
-- */
-- INFO("Adding non-compat rule bc nr1 == nr2 (%d, %d)", nr1, nr2);
-- if (!do_resolve_add_rule(SCMP_ARCH_NATIVE, line, conf->seccomp_ctx, action))
-- goto bad_rule;
-- continue;
-- }
-- INFO("Really adding compat rule bc nr1 == nr2 (%d, %d)", nr1, nr2);
-- if (!do_resolve_add_rule(SCMP_ARCH_X86, line,
-- compat_ctx, action))
-+ if (!do_resolve_add_rule(compat_arch, line, compat_ctx, action))
- goto bad_rule;
- }
- }
---
-2.1.4
-
+++ /dev/null
-From: Tycho Andersen <tycho.andersen@canonical.com>\r
-To: lxc-devel@lists.linuxcontainers.org\r
-Date: Mon, 10 Aug 2015 11:12:19 -0600\r
-Subject: [lxc-devel] [PATCH 3/3] c/r: allow empty networks to be\r
- checkpointed/restored\r
-\r
-\r
-\r
-Empty networks don't have anything (besides lo) for us to dump and restore,\r
-so we should allow these as well.\r
-\r
-Reported-by: Dietmar Maurer <dietmar@proxmox.com>\r
-Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>\r
----\r
-diff --git a/src/lxc/criu.c b/src/lxc/criu.c\r
-index e1282e4..88dc8cd 100644\r
---- a/src/lxc/criu.c\r
-+++ b/src/lxc/criu.c\r
-@@ -164,6 +164,9 @@ void exec_criu(struct criu_opts *opts)\r
- char eth[128], *veth;\r
- struct lxc_netdev *n = it->elem;\r
-\r
-+ if (n->type != LXC_NET_VETH)\r
-+ continue;\r
-+\r
- if (n->name) {\r
- if (strlen(n->name) >= sizeof(eth))\r
- goto err;\r
-@@ -304,7 +307,12 @@ bool criu_ok(struct lxc_container *c)\r
- /* We only know how to restore containers with veth networks. */\r
- lxc_list_for_each(it, &c->lxc_conf->network) {\r
- struct lxc_netdev *n = it->elem;\r
-- if (n->type != LXC_NET_VETH && n->type != LXC_NET_NONE) {\r
-+ switch(n->type) {\r
-+ case LXC_NET_VETH:\r
-+ case LXC_NET_NONE:\r
-+ case LXC_NET_EMPTY:\r
-+ break;\r
-+ default:\r
- ERROR("Found network that is not VETH or NONE\n");\r
- return false;\r
- }\r
-@@ -351,6 +359,10 @@ static bool restore_net_info(struct lxc_container *c)\r
- lxc_list_for_each(it, &c->lxc_conf->network) {\r
- struct lxc_netdev *netdev = it->elem;\r
- char template[IFNAMSIZ];\r
-+\r
-+ if (netdev->type != LXC_NET_VETH)\r
-+ continue;\r
-+\r
- snprintf(template, sizeof(template), "vethXXXXXX");\r
-\r
- if (!netdev->priv.veth_attr.pair)\r
+++ /dev/null
-From 6b2a672801950d972474a86fc29d05f9e6ad2fd6 Mon Sep 17 00:00:00 2001
-From: Tycho Andersen <tycho.andersen@canonical.com>
-Date: Wed, 12 Aug 2015 11:17:12 -0600
-Subject: [PATCH] c/r: enable tracefs
-
-tracefs is a new filesystem that can be mounted by users. Only the options
-and fs name need to be passed to restore the state, so we can use criu's
-auto fs feature.
-
-Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
----
- src/lxc/criu.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/src/lxc/criu.c b/src/lxc/criu.c
-index e939b37..bd6ecac 100644
---- a/src/lxc/criu.c
-+++ b/src/lxc/criu.c
-@@ -49,7 +49,7 @@ lxc_log_define(lxc_criu, lxc);
- void exec_criu(struct criu_opts *opts)
- {
- char **argv, log[PATH_MAX];
-- int static_args = 20, argc = 0, i, ret;
-+ int static_args = 22, argc = 0, i, ret;
- int netnr = 0;
- struct lxc_list *it;
-
-@@ -60,7 +60,7 @@ void exec_criu(struct criu_opts *opts)
- * --manage-cgroups action-script foo.sh -D $(directory) \
- * -o $(directory)/$(action).log --ext-mount-map auto
- * --enable-external-sharing --enable-external-masters
-- * --enable-fs hugetlbfs
-+ * --enable-fs hugetlbfs --enable-fs tracefs
- * +1 for final NULL */
-
- if (strcmp(opts->action, "dump") == 0) {
-@@ -122,6 +122,8 @@ void exec_criu(struct criu_opts *opts)
- DECLARE_ARG("--enable-external-masters");
- DECLARE_ARG("--enable-fs");
- DECLARE_ARG("hugetlbfs");
-+ DECLARE_ARG("--enable-fs");
-+ DECLARE_ARG("tracefs");
- DECLARE_ARG("-D");
- DECLARE_ARG(opts->directory);
- DECLARE_ARG("-o");
---
-2.1.4
-
+++ /dev/null
-From: Tycho Andersen <tycho.andersen@canonical.com>\r
-To: lxc-devel@lists.linuxcontainers.org\r
-Date: Mon, 10 Aug 2015 11:12:18 -0600\r
-Subject: [lxc-devel] [PATCH 2/3] c/r: get rid of dump_net_info()\r
-\r
-\r
-\r
-This was originally used to propagate the bridge and veth names across\r
-hosts, but now we extract both from the container's config file, and\r
-nothing reads the files that dump_net_info() writes, so let's just get rid\r
-of them.\r
-\r
-Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>\r
----\r
-diff --git a/src/lxc/criu.c b/src/lxc/criu.c\r
-index e939b37..e1282e4 100644\r
---- a/src/lxc/criu.c\r
-+++ b/src/lxc/criu.c\r
-@@ -340,57 +340,6 @@ bool criu_ok(struct lxc_container *c)\r
- return true;\r
- }\r
-\r
--bool dump_net_info(struct lxc_container *c, char *directory)\r
--{\r
-- int netnr;\r
-- struct lxc_list *it;\r
--\r
-- netnr = 0;\r
-- lxc_list_for_each(it, &c->lxc_conf->network) {\r
-- char *veth = NULL, *bridge = NULL, veth_path[PATH_MAX], eth[128];\r
-- struct lxc_netdev *n = it->elem;\r
-- bool has_error = true;\r
-- int pret;\r
--\r
-- pret = snprintf(veth_path, PATH_MAX, "lxc.network.%d.veth.pair", netnr);\r
-- if (pret < 0 || pret >= PATH_MAX)\r
-- goto out;\r
--\r
-- veth = c->get_running_config_item(c, veth_path);\r
-- if (!veth) {\r
-- /* criu_ok() checks that all interfaces are\r
-- * LXC_NET{VETH,NONE}, and VETHs should have this\r
-- * config */\r
-- assert(n->type == LXC_NET_NONE);\r
-- break;\r
-- }\r
--\r
-- bridge = c->get_running_config_item(c, veth_path);\r
-- if (!bridge)\r
-- goto out;\r
--\r
-- pret = snprintf(veth_path, PATH_MAX, "%s/veth%d", directory, netnr);\r
-- if (pret < 0 || pret >= PATH_MAX || print_to_file(veth_path, veth) < 0)\r
-- goto out;\r
--\r
-- if (n->name) {\r
-- if (strlen(n->name) >= 128)\r
-- goto out;\r
-- strncpy(eth, n->name, 128);\r
-- } else\r
-- sprintf(eth, "eth%d", netnr);\r
--\r
-- has_error = false;\r
--out:\r
-- free(veth);\r
-- free(bridge);\r
-- if (has_error)\r
-- return false;\r
-- }\r
--\r
-- return true;\r
--}\r
--\r
- static bool restore_net_info(struct lxc_container *c)\r
- {\r
- struct lxc_list *it;\r
-diff --git a/src/lxc/criu.h b/src/lxc/criu.h\r
-index 1f65e47..df63625 100644\r
---- a/src/lxc/criu.h\r
-+++ b/src/lxc/criu.h\r
-@@ -61,8 +61,6 @@ void exec_criu(struct criu_opts *opts);\r
- * dump. */\r
- bool criu_ok(struct lxc_container *c);\r
-\r
--bool dump_net_info(struct lxc_container *c, char *directory);\r
--\r
- // do_restore never returns, the calling process is used as the\r
- // monitor process. do_restore calls exit() if it fails.\r
- void do_restore(struct lxc_container *c, int pipe, char *directory, bool verbose);\r
-diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c\r
-index 1c103e8..14ae796 100644\r
---- a/src/lxc/lxccontainer.c\r
-+++ b/src/lxc/lxccontainer.c\r
-@@ -3733,9 +3733,6 @@ static bool do_lxcapi_checkpoint(struct lxc_container *c, char *directory, bool\r
- return false;\r
- }\r
-\r
-- if (!dump_net_info(c, directory))\r
-- return false;\r
--\r
- pid = fork();\r
- if (pid < 0)\r
- return false;\r
projects / lxc.git / commitdiff