[libvirt] [PATCH 1/3] Remove support for old kernels lacking private devpts

From: "Daniel P. Berrange" <berrange@redhat.com> Early on kernel support for private devpts was not widespread, so we had compatibiltiy codepaths. Such old kernels are not seriously used for LXC these days, so the compat code can go away Signed-off-by: Daniel P. Berrange <berrange@redhat.com> --- src/lxc/lxc_controller.c | 28 +++++++++------------------- 1 file changed, 9 insertions(+), 19 deletions(-) diff --git a/src/lxc/lxc_controller.c b/src/lxc/lxc_controller.c index 1d1443c..cede445 100644 --- a/src/lxc/lxc_controller.c +++ b/src/lxc/lxc_controller.c @@ -1252,8 +1252,9 @@ virLXCControllerSetupDevPTS(virLXCControllerPtr ctrl) } if (access(ctrl->devptmx, R_OK) < 0) { - VIR_WARN("Kernel does not support private devpts, using shared devpts"); - VIR_FREE(ctrl->devptmx); + virReportSystemError(ENOSYS, "%s", + _("Kernel does not support private devpts")); + goto cleanup; } ret = 0; @@ -1278,24 +1279,13 @@ virLXCControllerSetupConsoles(virLXCControllerPtr ctrl, size_t i; for (i = 0 ; i < ctrl->nconsoles ; i++) { - if (ctrl->devptmx) { - VIR_DEBUG("Opening tty on private %s", ctrl->devptmx); - if (lxcCreateTty(ctrl->devptmx, - &ctrl->consoles[i].contFd, - &containerTTYPaths[i]) < 0) { - virReportSystemError(errno, "%s", - _("Failed to allocate tty")); - return -1; - } - } else { - VIR_DEBUG("Opening tty on shared /dev/ptmx"); - if (virFileOpenTty(&ctrl->consoles[i].contFd, - &containerTTYPaths[i], - 0) < 0) { - virReportSystemError(errno, "%s", + VIR_DEBUG("Opening tty on private %s", ctrl->devptmx); + if (lxcCreateTty(ctrl->devptmx, + &ctrl->consoles[i].contFd, + &containerTTYPaths[i]) < 0) { + virReportSystemError(errno, "%s", _("Failed to allocate tty")); - return -1; - } + return -1; } } return 0; -- 1.7.11.7
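Review bot: The new failure branch in virLXCControllerSetupDevPTS reports a fixed ENOSYS, so whatever access() actually failed with (EACCES, ENOENT, ...) is discarded and every failure is diagnosed as a kernel without private devpts, which will mislead whoever debugs a permission or labelling problem on that path. Reporting the real errno together with the path keeps the diagnostic truthful, e.g. `virReportSystemError(errno, _("Cannot access private devpts %s"), ctrl->devptmx);`. Failing hard here is the right call, since the removed fallback handed the container ptys from the host's shared /dev/ptmx. The `cleanup` label this branch jumps to and the start of the function are outside the hunk.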
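Review bot: In the virLXCControllerSetupConsoles hunk the `_("Failed to allocate tty"));` continuation is kept as a context line from the old else-branch while the `virReportSystemError(errno, "%s",` above it is re-added one indentation level shallower; whitespace is collapsed in this archive so I cannot confirm the columns, but if so the argument now sits four spaces to the right of `errno` and should be re-indented to align with it. The enclosing function starts outside the hunk.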

From: "Daniel P. Berrange" <berrange@redhat.com> Currently the LXC container code has two codepaths, depending on whether there is a <filesystem> element with a target path of '/'. If we automatically add a <filesystem> device with src=/ and dst=/, for any container which has not specified a root filesystem, then we only need one codepath for setting up the filesystem. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> --- src/lxc/lxc_container.c | 113 +++--------------------------------------------- src/lxc/lxc_process.c | 38 ++++++++++++++++ 2 files changed, 44 insertions(+), 107 deletions(-) diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c index 002dba1..002ba9e 100644 --- a/src/lxc/lxc_container.c +++ b/src/lxc/lxc_container.c 
@@ -2049,92 +2049,6 @@ cleanup: } -/* Nothing mapped to /, we're using the main root, - but with extra stuff mapped in */ -static int lxcContainerSetupExtraMounts(virDomainDefPtr vmDef, - virDomainFSDefPtr root, - virSecurityManagerPtr securityDriver) -{ - int ret = -1; - struct lxcContainerCGroup *mounts = NULL; - size_t nmounts = 0; - char *cgroupRoot = NULL; - char *sec_mount_options; - - VIR_DEBUG("def=%p", vmDef); - - if (!(sec_mount_options = virSecurityManagerGetMountOptions(securityDriver, vmDef))) - return -1; - - /* - * This makes sure that any new filesystems in the - * host OS propagate to the container, but any - * changes in the container are private - */ - if (mount("", "/", NULL, MS_SLAVE|MS_REC, NULL) < 0) { - virReportSystemError(errno, "%s", - _("Failed to make / slave")); - goto cleanup; - } - - if (root && root->readonly) { - if (mount("", "/", NULL, MS_BIND|MS_REC|MS_RDONLY|MS_REMOUNT, NULL) < 0) { - virReportSystemError(errno, "%s", - _("Failed to make root readonly")); - goto cleanup; - } - } - - VIR_DEBUG("Mounting config FS"); - if (lxcContainerMountAllFS(vmDef, "", false, sec_mount_options) < 0) - goto cleanup; - - /* Before replacing /sys we need to identify any - * cgroups controllers that are mounted */ - if (lxcContainerIdentifyCGroups(&mounts, &nmounts, &cgroupRoot) < 0) - goto cleanup; - -#if WITH_SELINUX - /* Some versions of Linux kernel don't let you overmount - * the selinux filesystem, so make sure we kill it first - */ - if (lxcContainerUnmountSubtree(SELINUX_MOUNT, false) < 0) - goto cleanup; -#endif - - /* Gets rid of any existing stuff under /proc, since we need new - * namespace aware versions of those. 
We must do /proc second - * otherwise we won't find /proc/mounts :-) */ - if (lxcContainerUnmountSubtree("/sys", false) < 0 || - lxcContainerUnmountSubtree("/proc", false) < 0) - goto cleanup; - - /* Mounts the core /proc, /sys, etc filesystems */ - if (lxcContainerMountBasicFS(false, sec_mount_options) < 0) - goto cleanup; - - /* Mounts /proc/meminfo etc sysinfo */ - if (lxcContainerMountProcFuse(vmDef, NULL) < 0) - goto cleanup; - - /* Now we can re-mount the cgroups controllers in the - * same configuration as before */ - if (lxcContainerMountCGroups(mounts, nmounts, - cgroupRoot, sec_mount_options) < 0) - goto cleanup; - - VIR_DEBUG("Mounting completed"); - - ret = 0; - -cleanup: - lxcContainerCGroupFree(mounts, nmounts); - VIR_FREE(cgroupRoot); - VIR_FREE(sec_mount_options); - return ret; -} - - static int lxcContainerResolveSymlinks(virDomainDefPtr vmDef) { char *newroot; @@ -2156,24 +2070,6 @@ static int lxcContainerResolveSymlinks(virDomainDefPtr vmDef) return 0; } -static int lxcContainerSetupMounts(virDomainDefPtr vmDef, - virDomainFSDefPtr root, - char **ttyPaths, - size_t nttyPaths, - virSecurityManagerPtr securityDriver) -{ - if (lxcContainerResolveSymlinks(vmDef) < 0) - return -1; - - if (root && root->src) - return lxcContainerSetupPivotRoot(vmDef, root, ttyPaths, nttyPaths, - securityDriver); - else - return lxcContainerSetupExtraMounts(vmDef, root, - securityDriver); -} - - /* * This is running as the 'init' process insid the container. * It removes some capabilities that could be dangerous to @@ -2290,9 +2186,12 @@ static int lxcContainerChild(void *data) goto cleanup; } - if (lxcContainerSetupMounts(vmDef, root, - argv->ttyPaths, argv->nttyPaths, - argv->securityDriver) < 0) + if (lxcContainerResolveSymlinks(vmDef) < 0) + goto cleanup; + + if (lxcContainerSetupPivotRoot(vmDef, root, + argv->ttyPaths, argv->nttyPaths, + argv->securityDriver) < 0) goto cleanup; if (!virFileExists(vmDef->os.init)) { 
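Review bot: lxcContainerChild now calls `lxcContainerSetupPivotRoot(vmDef, root, ...)` unconditionally, whereas the deleted lxcContainerSetupMounts only took that path when `root && root->src`; a `<filesystem>` targeting `/` whose src is unset (if the parser admits one) previously fell to the extra-mounts path and now reaches pivot-root with a NULL src. The non-NULL root guarantee also comes from virLXCProcessEnsureRootFS in lxc_process.c rather than from anything in this file, so a guard plus a comment at the call site would make that cross-file dependency explicit, e.g. `if (!root || !root->src) { virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("Container has no root filesystem")); goto cleanup; }`. How `root` is obtained and the rest of lxcContainerChild lie outside the hunk.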
diff --git a/src/lxc/lxc_process.c b/src/lxc/lxc_process.c index 39a6ea2..c300bb2 100644 --- a/src/lxc/lxc_process.c +++ b/src/lxc/lxc_process.c @@ -981,6 +981,41 @@ virLXCProcessReadLogOutput(virDomainObjPtr vm, return ret; } + +static int +virLXCProcessEnsureRootFS(virDomainObjPtr vm) +{ + virDomainFSDefPtr root = virDomainGetRootFilesystem(vm->def); + + if (root) + return 0; + + if (VIR_ALLOC(root) < 0) + goto no_memory; + + root->type = VIR_DOMAIN_FS_TYPE_MOUNT; + + if (!(root->src = strdup("/")) || + !(root->dst = strdup("/"))) + goto no_memory; + + if (VIR_EXPAND_N(vm->def->fss, + vm->def->nfss, 1) < 0) + goto no_memory; + + memmove(vm->def->fss + 1, + vm->def->fss, + vm->def->nfss * sizeof(virDomainFSDefPtr)); + vm->def->fss[0] = root; + + return 0; + +no_memory: + virReportOOMError(); + virDomainFSDefFree(root); + return -1; +} + /** * virLXCProcessStart: * @conn: pointer to connection @@ -1078,6 +1113,9 @@ int virLXCProcessStart(virConnectPtr conn, goto cleanup; } + if (virLXCProcessEnsureRootFS(vm) < 0) + goto cleanup; + /* Must be run before security labelling */ VIR_DEBUG("Preparing host devices"); if (virLXCPrepareHostDevices(driver, vm->def) < 0) -- 1.7.11.7
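Review bot: The `memmove` in virLXCProcessEnsureRootFS shifts `vm->def->nfss` elements, but VIR_EXPAND_N has already updated nfss to the grown size, so the move writes one element past the end of the freshly grown array (slot `fss[nfss]`). The count to shift is the old one: `(vm->def->nfss - 1) * sizeof(virDomainFSDefPtr)`. Separately, the element being inserted is the host's `/` as the container root, with `readonly` left false by the zeroed allocation, which is worth stating in a comment above the function so the implicit default is not mistaken for an isolated root. The virLXCProcessStart hunk on this line only adds the early call and needs nothing further.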

On 04/03/2013 10:02 AM, Daniel P. Berrange wrote:
From: "Daniel P. Berrange" <berrange@redhat.com>
Currently the LXC container code has two codepaths, depending on whether there is a <filesystem> element with a target path of '/'. If we automatically add a <filesystem> device with src=/ and dst=/, for any container which has not specified a root filesystem, then we only need one codepath for setting up the filesystem.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com> --- src/lxc/lxc_container.c | 113 +++--------------------------------------------- src/lxc/lxc_process.c | 38 ++++++++++++++++ 2 files changed, 44 insertions(+), 107 deletions(-)
Nice cleanup!
+++ b/src/lxc/lxc_process.c @@ -981,6 +981,41 @@ virLXCProcessReadLogOutput(virDomainObjPtr vm, return ret; }
+ +static int +virLXCProcessEnsureRootFS(virDomainObjPtr vm) +{ + virDomainFSDefPtr root = virDomainGetRootFilesystem(vm->def); + + if (root) + return 0; + + if (VIR_ALLOC(root) < 0) + goto no_memory; + + root->type = VIR_DOMAIN_FS_TYPE_MOUNT; + + if (!(root->src = strdup("/")) || + !(root->dst = strdup("/"))) + goto no_memory;
Might be a fun merge conflict, depending on whether this or VIR_STRDUP gets merged first. :)
+ + if (VIR_EXPAND_N(vm->def->fss, + vm->def->nfss, 1) < 0) + goto no_memory; + + memmove(vm->def->fss + 1, + vm->def->fss, + vm->def->nfss * sizeof(virDomainFSDefPtr)); + vm->def->fss[0] = root;
Instead of VIR_EXPAND_N/memmove, you should use VIR_INSERT_ELEMENT. I like the concept of the patch, but I'm debating whether to ack this or require a v2 just so we make sure the VIR_INSERT_ELEMENT usage is correct. -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org

On Wed, Apr 03, 2013 at 11:17:30AM -0600, Eric Blake wrote:
On 04/03/2013 10:02 AM, Daniel P. Berrange wrote:
From: "Daniel P. Berrange" <berrange@redhat.com>
Currently the LXC container code has two codepaths, depending on whether there is a <filesystem> element with a target path of '/'. If we automatically add a <filesystem> device with src=/ and dst=/, for any container which has not specified a root filesystem, then we only need one codepath for setting up the filesystem.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com> --- src/lxc/lxc_container.c | 113 +++--------------------------------------------- src/lxc/lxc_process.c | 38 ++++++++++++++++ 2 files changed, 44 insertions(+), 107 deletions(-)
Nice cleanup!
+++ b/src/lxc/lxc_process.c @@ -981,6 +981,41 @@ virLXCProcessReadLogOutput(virDomainObjPtr vm, return ret; }
+ +static int +virLXCProcessEnsureRootFS(virDomainObjPtr vm) +{ + virDomainFSDefPtr root = virDomainGetRootFilesystem(vm->def); + + if (root) + return 0; + + if (VIR_ALLOC(root) < 0) + goto no_memory; + + root->type = VIR_DOMAIN_FS_TYPE_MOUNT; + + if (!(root->src = strdup("/")) || + !(root->dst = strdup("/"))) + goto no_memory;
Might be a fun merge conflict, depending on whether this or VIR_STRDUP gets merged first. :)
+ + if (VIR_EXPAND_N(vm->def->fss, + vm->def->nfss, 1) < 0) + goto no_memory; + + memmove(vm->def->fss + 1, + vm->def->fss, + vm->def->nfss * sizeof(virDomainFSDefPtr)); + vm->def->fss[0] = root;
Instead of VIR_EXPAND_N/memmove, you should use VIR_INSERT_ELEMENT.
I like the concept of the patch, but I'm debating whether to ack this or require a v2 just so we make sure the VIR_INSERT_ELEMENT usage is correct.
I'll repost it Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

From: "Daniel P. Berrange" <berrange@redhat.com> Currently the LXC container code has two codepaths, depending on whether there is a <filesystem> element with a target path of '/'. If we automatically add a <filesystem> device with src=/ and dst=/, for any container which has not specified a root filesystem, then we only need one codepath for setting up the filesystem. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> --- src/lxc/lxc_container.c | 113 +++--------------------------------------------- src/lxc/lxc_process.c | 35 +++++++++++++++ 2 files changed, 41 insertions(+), 107 deletions(-) diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c index 002dba1..002ba9e 100644 --- a/src/lxc/lxc_container.c +++ b/src/lxc/lxc_container.c 
@@ -2049,92 +2049,6 @@ cleanup: } -/* Nothing mapped to /, we're using the main root, - but with extra stuff mapped in */ -static int lxcContainerSetupExtraMounts(virDomainDefPtr vmDef, - virDomainFSDefPtr root, - virSecurityManagerPtr securityDriver) -{ - int ret = -1; - struct lxcContainerCGroup *mounts = NULL; - size_t nmounts = 0; - char *cgroupRoot = NULL; - char *sec_mount_options; - - VIR_DEBUG("def=%p", vmDef); - - if (!(sec_mount_options = virSecurityManagerGetMountOptions(securityDriver, vmDef))) - return -1; - - /* - * This makes sure that any new filesystems in the - * host OS propagate to the container, but any - * changes in the container are private - */ - if (mount("", "/", NULL, MS_SLAVE|MS_REC, NULL) < 0) { - virReportSystemError(errno, "%s", - _("Failed to make / slave")); - goto cleanup; - } - - if (root && root->readonly) { - if (mount("", "/", NULL, MS_BIND|MS_REC|MS_RDONLY|MS_REMOUNT, NULL) < 0) { - virReportSystemError(errno, "%s", - _("Failed to make root readonly")); - goto cleanup; - } - } - - VIR_DEBUG("Mounting config FS"); - if (lxcContainerMountAllFS(vmDef, "", false, sec_mount_options) < 0) - goto cleanup; - - /* Before replacing /sys we need to identify any - * cgroups controllers that are mounted */ - if (lxcContainerIdentifyCGroups(&mounts, &nmounts, &cgroupRoot) < 0) - goto cleanup; - -#if WITH_SELINUX - /* Some versions of Linux kernel don't let you overmount - * the selinux filesystem, so make sure we kill it first - */ - if (lxcContainerUnmountSubtree(SELINUX_MOUNT, false) < 0) - goto cleanup; -#endif - - /* Gets rid of any existing stuff under /proc, since we need new - * namespace aware versions of those. 
We must do /proc second - * otherwise we won't find /proc/mounts :-) */ - if (lxcContainerUnmountSubtree("/sys", false) < 0 || - lxcContainerUnmountSubtree("/proc", false) < 0) - goto cleanup; - - /* Mounts the core /proc, /sys, etc filesystems */ - if (lxcContainerMountBasicFS(false, sec_mount_options) < 0) - goto cleanup; - - /* Mounts /proc/meminfo etc sysinfo */ - if (lxcContainerMountProcFuse(vmDef, NULL) < 0) - goto cleanup; - - /* Now we can re-mount the cgroups controllers in the - * same configuration as before */ - if (lxcContainerMountCGroups(mounts, nmounts, - cgroupRoot, sec_mount_options) < 0) - goto cleanup; - - VIR_DEBUG("Mounting completed"); - - ret = 0; - -cleanup: - lxcContainerCGroupFree(mounts, nmounts); - VIR_FREE(cgroupRoot); - VIR_FREE(sec_mount_options); - return ret; -} - - static int lxcContainerResolveSymlinks(virDomainDefPtr vmDef) { char *newroot; @@ -2156,24 +2070,6 @@ static int lxcContainerResolveSymlinks(virDomainDefPtr vmDef) return 0; } -static int lxcContainerSetupMounts(virDomainDefPtr vmDef, - virDomainFSDefPtr root, - char **ttyPaths, - size_t nttyPaths, - virSecurityManagerPtr securityDriver) -{ - if (lxcContainerResolveSymlinks(vmDef) < 0) - return -1; - - if (root && root->src) - return lxcContainerSetupPivotRoot(vmDef, root, ttyPaths, nttyPaths, - securityDriver); - else - return lxcContainerSetupExtraMounts(vmDef, root, - securityDriver); -} - - /* * This is running as the 'init' process insid the container. * It removes some capabilities that could be dangerous to @@ -2290,9 +2186,12 @@ static int lxcContainerChild(void *data) goto cleanup; } - if (lxcContainerSetupMounts(vmDef, root, - argv->ttyPaths, argv->nttyPaths, - argv->securityDriver) < 0) + if (lxcContainerResolveSymlinks(vmDef) < 0) + goto cleanup; + + if (lxcContainerSetupPivotRoot(vmDef, root, + argv->ttyPaths, argv->nttyPaths, + argv->securityDriver) < 0) goto cleanup; if (!virFileExists(vmDef->os.init)) { 
diff --git a/src/lxc/lxc_process.c b/src/lxc/lxc_process.c index 39a6ea2..f2f66e4 100644 --- a/src/lxc/lxc_process.c +++ b/src/lxc/lxc_process.c @@ -981,6 +981,38 @@ virLXCProcessReadLogOutput(virDomainObjPtr vm, return ret; } + +static int +virLXCProcessEnsureRootFS(virDomainObjPtr vm) +{ + virDomainFSDefPtr root = virDomainGetRootFilesystem(vm->def); + + if (root) + return 0; + + if (VIR_ALLOC(root) < 0) + goto no_memory; + + root->type = VIR_DOMAIN_FS_TYPE_MOUNT; + + if (!(root->src = strdup("/")) || + !(root->dst = strdup("/"))) + goto no_memory; + + if (VIR_INSERT_ELEMENT(vm->def->fss, + 0, + vm->def->nfss, + root) < 0) + goto no_memory; + + return 0; + +no_memory: + virReportOOMError(); + virDomainFSDefFree(root); + return -1; +} + /** * virLXCProcessStart: * @conn: pointer to connection @@ -1078,6 +1110,9 @@ int virLXCProcessStart(virConnectPtr conn, goto cleanup; } + if (virLXCProcessEnsureRootFS(vm) < 0) + goto cleanup; + /* Must be run before security labelling */ VIR_DEBUG("Preparing host devices"); if (virLXCPrepareHostDevices(driver, vm->def) < 0) -- 1.7.11.7
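Review bot: virLXCProcessEnsureRootFS has no header comment, and what it does is security-relevant: a domain that declares no root `<filesystem>` silently gets the host's `/` (src and dst both "/", readonly left false by the zeroed allocation) inserted at position 0 of vm->def->fss, where it will also show up in the live domain XML. A short block above the function should say so, e.g. `/* Ensure vm->def has a root <filesystem>; if none is configured, insert a mount of the host's "/" so every container takes the pivot-root path. */`. Whether the inserted element is ever written back to the persistent configuration I cannot tell from this hunk.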

On 04/03/2013 02:15 PM, Daniel P. Berrange wrote:
From: "Daniel P. Berrange" <berrange@redhat.com>
Currently the LXC container code has two codepaths, depending on whether there is a <filesystem> element with a target path of '/'. If we automatically add a <filesystem> device with src=/ and dst=/, for any container which has not specified a root filesystem, then we only need one codepath for setting up the filesystem.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com> --- src/lxc/lxc_container.c | 113 +++--------------------------------------------- src/lxc/lxc_process.c | 35 +++++++++++++++ 2 files changed, 41 insertions(+), 107 deletions(-)
ACK. -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org

On 2013/04/04 04:15, Daniel P. Berrange wrote:
From: "Daniel P. Berrange" <berrange@redhat.com>
Currently the LXC container code has two codepaths, depending on whether there is a <filesystem> element with a target path of '/'. If we automatically add a <filesystem> device with src=/ and dst=/, for any container which has not specified a root filesystem, then we only need one codepath for setting up the filesystem.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com> --- src/lxc/lxc_container.c | 113 +++--------------------------------------------- src/lxc/lxc_process.c | 35 +++++++++++++++ 2 files changed, 41 insertions(+), 107 deletions(-)
Looks clearer. ACK

From: "Daniel P. Berrange" <berrange@redhat.com> This reverts commit c9c87376f2b2197ad774533ad6a6dd2f631ca105. Now that we force all containers to have a root filesystem, there is no way the host's /dev is ever exposed Signed-off-by: Daniel P. Berrange <berrange@redhat.com> --- src/lxc/lxc_driver.c | 43 ++++++++++++++++--------------------------- 1 file changed, 16 insertions(+), 27 deletions(-) diff --git a/src/lxc/lxc_driver.c b/src/lxc/lxc_driver.c index ba14db7..654ab99 100644 --- a/src/lxc/lxc_driver.c +++ b/src/lxc/lxc_driver.c @@ -2778,19 +2778,13 @@ lxcDomainShutdownFlags(virDomainPtr dom, virLXCDriverPtr driver = dom->conn->privateData; virLXCDomainObjPrivatePtr priv; virDomainObjPtr vm; - virDomainFSDefPtr root; char *vroot = NULL; int ret = -1; - int rc = 0; - bool methodSignal; - bool methodInitctl; + int rc; virCheckFlags(VIR_DOMAIN_SHUTDOWN_INITCTL | VIR_DOMAIN_SHUTDOWN_SIGNAL, -1); - methodSignal = !!(flags & VIR_DOMAIN_SHUTDOWN_SIGNAL); - methodInitctl = !!(flags & VIR_DOMAIN_SHUTDOWN_INITCTL); - lxcDriverLock(driver); vm = virDomainObjListFindByUUID(driver->domains, dom->uuid); lxcDriverUnlock(driver); @@ -2804,7 +2798,6 @@ lxcDomainShutdownFlags(virDomainPtr dom, } priv = vm->privateData; - root = virDomainGetRootFilesystem(vm->def); if (!virDomainObjIsActive(vm)) { virReportError(VIR_ERR_OPERATION_INVALID, 
@@ -2824,31 +2817,27 @@ lxcDomainShutdownFlags(virDomainPtr dom, goto cleanup; } - if (root && root->src) { - if (flags == 0) - methodSignal = methodInitctl = true; - } else if (methodInitctl) { - virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s", - _("Cannot shutdown container using initctl " - "without separated namespace")); - goto cleanup; - } else { - methodSignal = true; - } - - if (methodInitctl) { - rc = virInitctlSetRunLevel(VIR_INITCTL_RUNLEVEL_POWEROFF, vroot); - if (rc < 0) + if (flags == 0 || + (flags & VIR_DOMAIN_SHUTDOWN_INITCTL)) { + if ((rc = virInitctlSetRunLevel(VIR_INITCTL_RUNLEVEL_POWEROFF, + vroot)) < 0) { goto cleanup; - if (rc == 0 && !methodSignal) { + } + if (rc == 0 && flags != 0 && + ((flags & ~VIR_DOMAIN_SHUTDOWN_INITCTL) == 0)) { virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s", _("Container does not provide an initctl pipe")); goto cleanup; } + } else { + rc = 0; } - if (rc == 0 && methodSignal) { - ret = kill(priv->initpid, SIGTERM); - if (ret < 0 && errno != ESRCH) { + + if (rc == 0 && + (flags == 0 || + (flags & VIR_DOMAIN_SHUTDOWN_SIGNAL))) { + if (kill(priv->initpid, SIGTERM) < 0 && + errno != ESRCH) { virReportSystemError(errno, _("Unable to send SIGTERM to init pid %llu"), (unsigned long long)priv->initpid); -- 1.7.11.7
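Review bot: The runlevel write `virInitctlSetRunLevel(VIR_INITCTL_RUNLEVEL_POWEROFF, vroot)` is now issued for any container when flags is 0 or includes VIR_DOMAIN_SHUTDOWN_INITCTL, and the guard that refused initctl for a container without a separated namespace is gone, but nothing in lxcDomainShutdownFlags records why that is now safe. Per the commit message the safety rests on virLXCProcessEnsureRootFS() and lxcContainerSetupPivotRoot() in other files always giving the container a private /dev, since writing a shared host /dev/initctl would request a poweroff of the host; that invariant deserves a comment at the call site, e.g. `/* Every container is started with its own root and /dev (see virLXCProcessEnsureRootFS), so the initctl pipe under vroot can never be the host's. */`. How vroot is derived, the start of the function and its cleanup label are outside the hunk.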

On 04/03/2013 10:02 AM, Daniel P. Berrange wrote:
From: "Daniel P. Berrange" <berrange@redhat.com>
This reverts commit c9c87376f2b2197ad774533ad6a6dd2f631ca105.
Now that we force all containers to have a root filesystem, there is no way the host's /dev is ever exposed
Signed-off-by: Daniel P. Berrange <berrange@redhat.com> --- src/lxc/lxc_driver.c | 43 ++++++++++++++++--------------------------- 1 file changed, 16 insertions(+), 27 deletions(-)
ACK. -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org

On 04/03/2013 10:02 AM, Daniel P. Berrange wrote:
From: "Daniel P. Berrange" <berrange@redhat.com>
Early on, kernel support for private devpts was not widespread, so we had compatibility codepaths. Such old kernels are not seriously used for LXC these days, so the compat code can go away.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com> --- src/lxc/lxc_controller.c | 28 +++++++++------------------- 1 file changed, 9 insertions(+), 19 deletions(-)
ACK. We already reject compilation of LXC on RHEL 5 due to other configure-time checks; is this something worth turning into an additional configure test of whether a kernel is new enough, or are we okay with just leaving it as a runtime test? -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org

On Wed, Apr 03, 2013 at 10:59:04AM -0600, Eric Blake wrote:
On 04/03/2013 10:02 AM, Daniel P. Berrange wrote:
From: "Daniel P. Berrange" <berrange@redhat.com>
Early on, kernel support for private devpts was not widespread, so we had compatibility codepaths. Such old kernels are not seriously used for LXC these days, so the compat code can go away.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com> --- src/lxc/lxc_controller.c | 28 +++++++++------------------- 1 file changed, 9 insertions(+), 19 deletions(-)
ACK.
We already reject compilation of LXC on RHEL 5 due to other configure-time checks; is this something worth turning into an additional configure test of whether a kernel is new enough, or are we okay with just leaving it as a runtime test?
We can't ever check kernels during configure time, because you can't assume the build kernel matches the distro kernel. eg all Fedora builds are done in a host with a RHEL kernel Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

On 04/03/2013 11:12 AM, Daniel P. Berrange wrote:
We already reject compilation of LXC on RHEL 5 due to other configure-time checks; is this something worth turning into an additional configure test of whether a kernel is new enough, or are we okay with just leaving it as a runtime test?
We can't ever check kernels during configure time, because you can't assume the build kernel matches the distro kernel. eg all Fedora builds are done in a host with a RHEL kernel
configure-time tests for an added constant that affect whether compilation works are okay; but I can live with the fact that improvements that aren't detected by the compiler aren't worth hard-coding into a configure-time test (that is, runtime behavior of the kernel running configure is not necessarily a good indicator; only compile-time behavior is useful). -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org