11:02 a.m.
From: "Daniel P. Berrange" <berrange(a)redhat.com>
Early on kernel support for private devpts was not widespread,
so we had compatibiltiy codepaths. Such old kernels are not
seriously used for LXC these days, so the compat code can go
away
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
src/lxc/lxc_controller.c | 28 +++++++++-------------------
1 file changed, 9 insertions(+), 19 deletions(-)
diff --git a/src/lxc/lxc_controller.c b/src/lxc/lxc_controller.c
index 1d1443c..cede445 100644
--- a/src/lxc/lxc_controller.c
+++ b/src/lxc/lxc_controller.c
@@ -1252,8 +1252,9 @@ virLXCControllerSetupDevPTS(virLXCControllerPtr ctrl)
}
if (access(ctrl->devptmx, R_OK) < 0) {
- VIR_WARN("Kernel does not support private devpts, using shared
devpts");
- VIR_FREE(ctrl->devptmx);
+ virReportSystemError(ENOSYS, "%s",
+ _("Kernel does not support private devpts"));
+ goto cleanup;
}
ret = 0;
@@ -1278,24 +1279,13 @@ virLXCControllerSetupConsoles(virLXCControllerPtr ctrl,
size_t i;
for (i = 0 ; i < ctrl->nconsoles ; i++) {
- if (ctrl->devptmx) {
- VIR_DEBUG("Opening tty on private %s", ctrl->devptmx);
- if (lxcCreateTty(ctrl->devptmx,
- &ctrl->consoles[i].contFd,
- &containerTTYPaths[i]) < 0) {
- virReportSystemError(errno, "%s",
- _("Failed to allocate tty"));
- return -1;
- }
- } else {
- VIR_DEBUG("Opening tty on shared /dev/ptmx");
- if (virFileOpenTty(&ctrl->consoles[i].contFd,
- &containerTTYPaths[i],
- 0) < 0) {
- virReportSystemError(errno, "%s",
+ VIR_DEBUG("Opening tty on private %s", ctrl->devptmx);
+ if (lxcCreateTty(ctrl->devptmx,
+ &ctrl->consoles[i].contFd,
+ &containerTTYPaths[i]) < 0) {
+ virReportSystemError(errno, "%s",
_("Failed to allocate tty"));
- return -1;
- }
+ return -1;
}
}
return 0;
--
1.7.11.7
11:02 a.m.
New subject: [libvirt] [PATCH 2/3] Auto-add a root <filesystem> element to LXC containers on startup
From: "Daniel P. Berrange" <berrange(a)redhat.com>
Currently the LXC container code has two codepaths, depending on
whether there is a <filesystem> element with a target path of '/'.
If we automatically add a <filesystem> device with src=/ and dst=/,
for any container which has not specified a root filesystem, then
we only need one codepath for setting up the filesystem.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
src/lxc/lxc_container.c | 113 +++---------------------------------------------
src/lxc/lxc_process.c | 38 ++++++++++++++++
2 files changed, 44 insertions(+), 107 deletions(-)
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index 002dba1..002ba9e 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -2049,92 +2049,6 @@ cleanup:
}
-/* Nothing mapped to /, we're using the main root,
- but with extra stuff mapped in */
-static int lxcContainerSetupExtraMounts(virDomainDefPtr vmDef,
- virDomainFSDefPtr root,
- virSecurityManagerPtr securityDriver)
-{
- int ret = -1;
- struct lxcContainerCGroup *mounts = NULL;
- size_t nmounts = 0;
- char *cgroupRoot = NULL;
- char *sec_mount_options;
-
- VIR_DEBUG("def=%p", vmDef);
-
- if (!(sec_mount_options = virSecurityManagerGetMountOptions(securityDriver, vmDef)))
- return -1;
-
- /*
- * This makes sure that any new filesystems in the
- * host OS propagate to the container, but any
- * changes in the container are private
- */
- if (mount("", "/", NULL, MS_SLAVE|MS_REC, NULL) < 0) {
- virReportSystemError(errno, "%s",
- _("Failed to make / slave"));
- goto cleanup;
- }
-
- if (root && root->readonly) {
- if (mount("", "/", NULL, MS_BIND|MS_REC|MS_RDONLY|MS_REMOUNT,
NULL) < 0) {
- virReportSystemError(errno, "%s",
- _("Failed to make root readonly"));
- goto cleanup;
- }
- }
-
- VIR_DEBUG("Mounting config FS");
- if (lxcContainerMountAllFS(vmDef, "", false, sec_mount_options) < 0)
- goto cleanup;
-
- /* Before replacing /sys we need to identify any
- * cgroups controllers that are mounted */
- if (lxcContainerIdentifyCGroups(&mounts, &nmounts, &cgroupRoot) < 0)
- goto cleanup;
-
-#if WITH_SELINUX
- /* Some versions of Linux kernel don't let you overmount
- * the selinux filesystem, so make sure we kill it first
- */
- if (lxcContainerUnmountSubtree(SELINUX_MOUNT, false) < 0)
- goto cleanup;
-#endif
-
- /* Gets rid of any existing stuff under /proc, since we need new
- * namespace aware versions of those. We must do /proc second
- * otherwise we won't find /proc/mounts :-) */
- if (lxcContainerUnmountSubtree("/sys", false) < 0 ||
- lxcContainerUnmountSubtree("/proc", false) < 0)
- goto cleanup;
-
- /* Mounts the core /proc, /sys, etc filesystems */
- if (lxcContainerMountBasicFS(false, sec_mount_options) < 0)
- goto cleanup;
-
- /* Mounts /proc/meminfo etc sysinfo */
- if (lxcContainerMountProcFuse(vmDef, NULL) < 0)
- goto cleanup;
-
- /* Now we can re-mount the cgroups controllers in the
- * same configuration as before */
- if (lxcContainerMountCGroups(mounts, nmounts,
- cgroupRoot, sec_mount_options) < 0)
- goto cleanup;
-
- VIR_DEBUG("Mounting completed");
-
- ret = 0;
-
-cleanup:
- lxcContainerCGroupFree(mounts, nmounts);
- VIR_FREE(cgroupRoot);
- VIR_FREE(sec_mount_options);
- return ret;
-}
-
-
static int lxcContainerResolveSymlinks(virDomainDefPtr vmDef)
{
char *newroot;
@@ -2156,24 +2070,6 @@ static int lxcContainerResolveSymlinks(virDomainDefPtr vmDef)
return 0;
}
-static int lxcContainerSetupMounts(virDomainDefPtr vmDef,
- virDomainFSDefPtr root,
- char **ttyPaths,
- size_t nttyPaths,
- virSecurityManagerPtr securityDriver)
-{
- if (lxcContainerResolveSymlinks(vmDef) < 0)
- return -1;
-
- if (root && root->src)
- return lxcContainerSetupPivotRoot(vmDef, root, ttyPaths, nttyPaths,
- securityDriver);
- else
- return lxcContainerSetupExtraMounts(vmDef, root,
- securityDriver);
-}
-
-
/*
* This is running as the 'init' process insid the container.
* It removes some capabilities that could be dangerous to
@@ -2290,9 +2186,12 @@ static int lxcContainerChild(void *data)
goto cleanup;
}
- if (lxcContainerSetupMounts(vmDef, root,
- argv->ttyPaths, argv->nttyPaths,
- argv->securityDriver) < 0)
+ if (lxcContainerResolveSymlinks(vmDef) < 0)
+ goto cleanup;
+
+ if (lxcContainerSetupPivotRoot(vmDef, root,
+ argv->ttyPaths, argv->nttyPaths,
+ argv->securityDriver) < 0)
goto cleanup;
if (!virFileExists(vmDef->os.init)) {
diff --git a/src/lxc/lxc_process.c b/src/lxc/lxc_process.c
index 39a6ea2..c300bb2 100644
--- a/src/lxc/lxc_process.c
+++ b/src/lxc/lxc_process.c
@@ -981,6 +981,41 @@ virLXCProcessReadLogOutput(virDomainObjPtr vm,
return ret;
}
+
+static int
+virLXCProcessEnsureRootFS(virDomainObjPtr vm)
+{
+ virDomainFSDefPtr root = virDomainGetRootFilesystem(vm->def);
+
+ if (root)
+ return 0;
+
+ if (VIR_ALLOC(root) < 0)
+ goto no_memory;
+
+ root->type = VIR_DOMAIN_FS_TYPE_MOUNT;
+
+ if (!(root->src = strdup("/")) ||
+ !(root->dst = strdup("/")))
+ goto no_memory;
+
+ if (VIR_EXPAND_N(vm->def->fss,
+ vm->def->nfss, 1) < 0)
+ goto no_memory;
+
+ memmove(vm->def->fss + 1,
+ vm->def->fss,
+ vm->def->nfss * sizeof(virDomainFSDefPtr));
+ vm->def->fss[0] = root;
+
+ return 0;
+
+no_memory:
+ virReportOOMError();
+ virDomainFSDefFree(root);
+ return -1;
+}
+
/**
* virLXCProcessStart:
* @conn: pointer to connection
@@ -1078,6 +1113,9 @@ int virLXCProcessStart(virConnectPtr conn,
goto cleanup;
}
+ if (virLXCProcessEnsureRootFS(vm) < 0)
+ goto cleanup;
+
/* Must be run before security labelling */
VIR_DEBUG("Preparing host devices");
if (virLXCPrepareHostDevices(driver, vm->def) < 0)
--
1.7.11.7
12:17 p.m.
New subject: [libvirt] [PATCH 2/3] Auto-add a root <filesystem> element to LXC containers on startup
On 04/03/2013 10:02 AM, Daniel P. Berrange wrote:
From: "Daniel P. Berrange" <berrange(a)redhat.com>
Currently the LXC container code has two codepaths, depending on
whether there is a <filesystem> element with a target path of '/'.
If we automatically add a <filesystem> device with src=/ and dst=/,
for any container which has not specified a root filesystem, then
we only need one codepath for setting up the filesystem.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
src/lxc/lxc_container.c | 113 +++---------------------------------------------
src/lxc/lxc_process.c | 38 ++++++++++++++++
2 files changed, 44 insertions(+), 107 deletions(-)
Nice cleanup!
+++ b/src/lxc/lxc_process.c
@@ -981,6 +981,41 @@ virLXCProcessReadLogOutput(virDomainObjPtr vm,
return ret;
}
+
+static int
+virLXCProcessEnsureRootFS(virDomainObjPtr vm)
+{
+ virDomainFSDefPtr root = virDomainGetRootFilesystem(vm->def);
+
+ if (root)
+ return 0;
+
+ if (VIR_ALLOC(root) < 0)
+ goto no_memory;
+
+ root->type = VIR_DOMAIN_FS_TYPE_MOUNT;
+
+ if (!(root->src = strdup("/")) ||
+ !(root->dst = strdup("/")))
+ goto no_memory;
Might be a fun merge conflict, depending on whether this or VIR_STRDUP
gets merged first. :)
+
+ if (VIR_EXPAND_N(vm->def->fss,
+ vm->def->nfss, 1) < 0)
+ goto no_memory;
+
+ memmove(vm->def->fss + 1,
+ vm->def->fss,
+ vm->def->nfss * sizeof(virDomainFSDefPtr));
+ vm->def->fss[0] = root;
Instead of VIR_EXPAND_N/memmove, you should use VIR_INSERT_ELEMENT.
I like the concept of the patch, but I'm debating whether to ack this or
require a v2 just so we make sure the VIR_INSERT_ELEMENT usage is correct.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
12:26 p.m.
New subject: [libvirt] [PATCH 2/3] Auto-add a root <filesystem> element to LXC containers on startup
On Wed, Apr 03, 2013 at 11:17:30AM -0600, Eric Blake wrote:
On 04/03/2013 10:02 AM, Daniel P. Berrange wrote:
> From: "Daniel P. Berrange" <berrange(a)redhat.com>
>
> Currently the LXC container code has two codepaths, depending on
> whether there is a <filesystem> element with a target path of '/'.
> If we automatically add a <filesystem> device with src=/ and dst=/,
> for any container which has not specified a root filesystem, then
> we only need one codepath for setting up the filesystem.
>
> Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
> ---
> src/lxc/lxc_container.c | 113 +++---------------------------------------------
> src/lxc/lxc_process.c | 38 ++++++++++++++++
> 2 files changed, 44 insertions(+), 107 deletions(-)
Nice cleanup!
> +++ b/src/lxc/lxc_process.c
> @@ -981,6 +981,41 @@ virLXCProcessReadLogOutput(virDomainObjPtr vm,
> return ret;
> }
>
> +
> +static int
> +virLXCProcessEnsureRootFS(virDomainObjPtr vm)
> +{
> + virDomainFSDefPtr root = virDomainGetRootFilesystem(vm->def);
> +
> + if (root)
> + return 0;
> +
> + if (VIR_ALLOC(root) < 0)
> + goto no_memory;
> +
> + root->type = VIR_DOMAIN_FS_TYPE_MOUNT;
> +
> + if (!(root->src = strdup("/")) ||
> + !(root->dst = strdup("/")))
> + goto no_memory;
Might be a fun merge conflict, depending on whether this or VIR_STRDUP
gets merged first. :)
> +
> + if (VIR_EXPAND_N(vm->def->fss,
> + vm->def->nfss, 1) < 0)
> + goto no_memory;
> +
> + memmove(vm->def->fss + 1,
> + vm->def->fss,
> + vm->def->nfss * sizeof(virDomainFSDefPtr));
> + vm->def->fss[0] = root;
Instead of VIR_EXPAND_N/memmove, you should use VIR_INSERT_ELEMENT.
I like the concept of the patch, but I'm debating whether to ack this or
require a v2 just so we make sure the VIR_INSERT_ELEMENT usage is correct.
I'll repost it
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
3:15 p.m.
New subject: [libvirt] [PATCH v2 2/3] Auto-add a root <filesystem> element to LXC containers on startup
From: "Daniel P. Berrange" <berrange(a)redhat.com>
Currently the LXC container code has two codepaths, depending on
whether there is a <filesystem> element with a target path of '/'.
If we automatically add a <filesystem> device with src=/ and dst=/,
for any container which has not specified a root filesystem, then
we only need one codepath for setting up the filesystem.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
src/lxc/lxc_container.c | 113 +++---------------------------------------------
src/lxc/lxc_process.c | 35 +++++++++++++++
2 files changed, 41 insertions(+), 107 deletions(-)
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index 002dba1..002ba9e 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -2049,92 +2049,6 @@ cleanup:
}
-/* Nothing mapped to /, we're using the main root,
- but with extra stuff mapped in */
-static int lxcContainerSetupExtraMounts(virDomainDefPtr vmDef,
- virDomainFSDefPtr root,
- virSecurityManagerPtr securityDriver)
-{
- int ret = -1;
- struct lxcContainerCGroup *mounts = NULL;
- size_t nmounts = 0;
- char *cgroupRoot = NULL;
- char *sec_mount_options;
-
- VIR_DEBUG("def=%p", vmDef);
-
- if (!(sec_mount_options = virSecurityManagerGetMountOptions(securityDriver, vmDef)))
- return -1;
-
- /*
- * This makes sure that any new filesystems in the
- * host OS propagate to the container, but any
- * changes in the container are private
- */
- if (mount("", "/", NULL, MS_SLAVE|MS_REC, NULL) < 0) {
- virReportSystemError(errno, "%s",
- _("Failed to make / slave"));
- goto cleanup;
- }
-
- if (root && root->readonly) {
- if (mount("", "/", NULL, MS_BIND|MS_REC|MS_RDONLY|MS_REMOUNT,
NULL) < 0) {
- virReportSystemError(errno, "%s",
- _("Failed to make root readonly"));
- goto cleanup;
- }
- }
-
- VIR_DEBUG("Mounting config FS");
- if (lxcContainerMountAllFS(vmDef, "", false, sec_mount_options) < 0)
- goto cleanup;
-
- /* Before replacing /sys we need to identify any
- * cgroups controllers that are mounted */
- if (lxcContainerIdentifyCGroups(&mounts, &nmounts, &cgroupRoot) < 0)
- goto cleanup;
-
-#if WITH_SELINUX
- /* Some versions of Linux kernel don't let you overmount
- * the selinux filesystem, so make sure we kill it first
- */
- if (lxcContainerUnmountSubtree(SELINUX_MOUNT, false) < 0)
- goto cleanup;
-#endif
-
- /* Gets rid of any existing stuff under /proc, since we need new
- * namespace aware versions of those. We must do /proc second
- * otherwise we won't find /proc/mounts :-) */
- if (lxcContainerUnmountSubtree("/sys", false) < 0 ||
- lxcContainerUnmountSubtree("/proc", false) < 0)
- goto cleanup;
-
- /* Mounts the core /proc, /sys, etc filesystems */
- if (lxcContainerMountBasicFS(false, sec_mount_options) < 0)
- goto cleanup;
-
- /* Mounts /proc/meminfo etc sysinfo */
- if (lxcContainerMountProcFuse(vmDef, NULL) < 0)
- goto cleanup;
-
- /* Now we can re-mount the cgroups controllers in the
- * same configuration as before */
- if (lxcContainerMountCGroups(mounts, nmounts,
- cgroupRoot, sec_mount_options) < 0)
- goto cleanup;
-
- VIR_DEBUG("Mounting completed");
-
- ret = 0;
-
-cleanup:
- lxcContainerCGroupFree(mounts, nmounts);
- VIR_FREE(cgroupRoot);
- VIR_FREE(sec_mount_options);
- return ret;
-}
-
-
static int lxcContainerResolveSymlinks(virDomainDefPtr vmDef)
{
char *newroot;
@@ -2156,24 +2070,6 @@ static int lxcContainerResolveSymlinks(virDomainDefPtr vmDef)
return 0;
}
-static int lxcContainerSetupMounts(virDomainDefPtr vmDef,
- virDomainFSDefPtr root,
- char **ttyPaths,
- size_t nttyPaths,
- virSecurityManagerPtr securityDriver)
-{
- if (lxcContainerResolveSymlinks(vmDef) < 0)
- return -1;
-
- if (root && root->src)
- return lxcContainerSetupPivotRoot(vmDef, root, ttyPaths, nttyPaths,
- securityDriver);
- else
- return lxcContainerSetupExtraMounts(vmDef, root,
- securityDriver);
-}
-
-
/*
* This is running as the 'init' process insid the container.
* It removes some capabilities that could be dangerous to
@@ -2290,9 +2186,12 @@ static int lxcContainerChild(void *data)
goto cleanup;
}
- if (lxcContainerSetupMounts(vmDef, root,
- argv->ttyPaths, argv->nttyPaths,
- argv->securityDriver) < 0)
+ if (lxcContainerResolveSymlinks(vmDef) < 0)
+ goto cleanup;
+
+ if (lxcContainerSetupPivotRoot(vmDef, root,
+ argv->ttyPaths, argv->nttyPaths,
+ argv->securityDriver) < 0)
goto cleanup;
if (!virFileExists(vmDef->os.init)) {
diff --git a/src/lxc/lxc_process.c b/src/lxc/lxc_process.c
index 39a6ea2..f2f66e4 100644
--- a/src/lxc/lxc_process.c
+++ b/src/lxc/lxc_process.c
@@ -981,6 +981,38 @@ virLXCProcessReadLogOutput(virDomainObjPtr vm,
return ret;
}
+
+static int
+virLXCProcessEnsureRootFS(virDomainObjPtr vm)
+{
+ virDomainFSDefPtr root = virDomainGetRootFilesystem(vm->def);
+
+ if (root)
+ return 0;
+
+ if (VIR_ALLOC(root) < 0)
+ goto no_memory;
+
+ root->type = VIR_DOMAIN_FS_TYPE_MOUNT;
+
+ if (!(root->src = strdup("/")) ||
+ !(root->dst = strdup("/")))
+ goto no_memory;
+
+ if (VIR_INSERT_ELEMENT(vm->def->fss,
+ 0,
+ vm->def->nfss,
+ root) < 0)
+ goto no_memory;
+
+ return 0;
+
+no_memory:
+ virReportOOMError();
+ virDomainFSDefFree(root);
+ return -1;
+}
+
/**
* virLXCProcessStart:
* @conn: pointer to connection
@@ -1078,6 +1110,9 @@ int virLXCProcessStart(virConnectPtr conn,
goto cleanup;
}
+ if (virLXCProcessEnsureRootFS(vm) < 0)
+ goto cleanup;
+
/* Must be run before security labelling */
VIR_DEBUG("Preparing host devices");
if (virLXCPrepareHostDevices(driver, vm->def) < 0)
--
1.7.11.7
3:51 p.m.
New subject: [libvirt] [PATCH v2 2/3] Auto-add a root <filesystem> element to LXC containers on startup
On 04/03/2013 02:15 PM, Daniel P. Berrange wrote:
From: "Daniel P. Berrange" <berrange(a)redhat.com>
Currently the LXC container code has two codepaths, depending on
whether there is a <filesystem> element with a target path of '/'.
If we automatically add a <filesystem> device with src=/ and dst=/,
for any container which has not specified a root filesystem, then
we only need one codepath for setting up the filesystem.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
src/lxc/lxc_container.c | 113 +++---------------------------------------------
src/lxc/lxc_process.c | 35 +++++++++++++++
2 files changed, 41 insertions(+), 107 deletions(-)
ACK.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
9:30 p.m.
New subject: [libvirt] [PATCH v2 2/3] Auto-add a root <filesystem> element to LXC containers on startup
On 2013/04/04 04:15, Daniel P. Berrange wrote:
From: "Daniel P. Berrange" <berrange(a)redhat.com>
Currently the LXC container code has two codepaths, depending on
whether there is a <filesystem> element with a target path of '/'.
If we automatically add a <filesystem> device with src=/ and dst=/,
for any container which has not specified a root filesystem, then
we only need one codepath for setting up the filesystem.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
src/lxc/lxc_container.c | 113 +++---------------------------------------------
src/lxc/lxc_process.c | 35 +++++++++++++++
2 files changed, 41 insertions(+), 107 deletions(-)
Looks clearer.
ACK
11:02 a.m.
New subject: [libvirt] [PATCH 3/3] Revert "lxc: Prevent shutting down the host"
From: "Daniel P. Berrange" <berrange(a)redhat.com>
This reverts commit c9c87376f2b2197ad774533ad6a6dd2f631ca105.
Now that we force all containers to have a root filesystem,
there is no way the host's /dev is ever exposed
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
src/lxc/lxc_driver.c | 43 ++++++++++++++++---------------------------
1 file changed, 16 insertions(+), 27 deletions(-)
diff --git a/src/lxc/lxc_driver.c b/src/lxc/lxc_driver.c
index ba14db7..654ab99 100644
--- a/src/lxc/lxc_driver.c
+++ b/src/lxc/lxc_driver.c
@@ -2778,19 +2778,13 @@ lxcDomainShutdownFlags(virDomainPtr dom,
virLXCDriverPtr driver = dom->conn->privateData;
virLXCDomainObjPrivatePtr priv;
virDomainObjPtr vm;
- virDomainFSDefPtr root;
char *vroot = NULL;
int ret = -1;
- int rc = 0;
- bool methodSignal;
- bool methodInitctl;
+ int rc;
virCheckFlags(VIR_DOMAIN_SHUTDOWN_INITCTL |
VIR_DOMAIN_SHUTDOWN_SIGNAL, -1);
- methodSignal = !!(flags & VIR_DOMAIN_SHUTDOWN_SIGNAL);
- methodInitctl = !!(flags & VIR_DOMAIN_SHUTDOWN_INITCTL);
-
lxcDriverLock(driver);
vm = virDomainObjListFindByUUID(driver->domains, dom->uuid);
lxcDriverUnlock(driver);
@@ -2804,7 +2798,6 @@ lxcDomainShutdownFlags(virDomainPtr dom,
}
priv = vm->privateData;
- root = virDomainGetRootFilesystem(vm->def);
if (!virDomainObjIsActive(vm)) {
virReportError(VIR_ERR_OPERATION_INVALID,
@@ -2824,31 +2817,27 @@ lxcDomainShutdownFlags(virDomainPtr dom,
goto cleanup;
}
- if (root && root->src) {
- if (flags == 0)
- methodSignal = methodInitctl = true;
- } else if (methodInitctl) {
- virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s",
- _("Cannot shutdown container using initctl "
- "without separated namespace"));
- goto cleanup;
- } else {
- methodSignal = true;
- }
-
- if (methodInitctl) {
- rc = virInitctlSetRunLevel(VIR_INITCTL_RUNLEVEL_POWEROFF, vroot);
- if (rc < 0)
+ if (flags == 0 ||
+ (flags & VIR_DOMAIN_SHUTDOWN_INITCTL)) {
+ if ((rc = virInitctlSetRunLevel(VIR_INITCTL_RUNLEVEL_POWEROFF,
+ vroot)) < 0) {
goto cleanup;
- if (rc == 0 && !methodSignal) {
+ }
+ if (rc == 0 && flags != 0 &&
+ ((flags & ~VIR_DOMAIN_SHUTDOWN_INITCTL) == 0)) {
virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s",
_("Container does not provide an initctl pipe"));
goto cleanup;
}
+ } else {
+ rc = 0;
}
- if (rc == 0 && methodSignal) {
- ret = kill(priv->initpid, SIGTERM);
- if (ret < 0 && errno != ESRCH) {
+
+ if (rc == 0 &&
+ (flags == 0 ||
+ (flags & VIR_DOMAIN_SHUTDOWN_SIGNAL))) {
+ if (kill(priv->initpid, SIGTERM) < 0 &&
+ errno != ESRCH) {
virReportSystemError(errno,
_("Unable to send SIGTERM to init pid %llu"),
(unsigned long long)priv->initpid);
--
1.7.11.7
12:01 p.m.
New subject: [libvirt] [PATCH 3/3] Revert "lxc: Prevent shutting down the host"
On 04/03/2013 10:02 AM, Daniel P. Berrange wrote:
From: "Daniel P. Berrange" <berrange(a)redhat.com>
This reverts commit c9c87376f2b2197ad774533ad6a6dd2f631ca105.
Now that we force all containers to have a root filesystem,
there is no way the host's /dev is ever exposed
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
src/lxc/lxc_driver.c | 43 ++++++++++++++++---------------------------
1 file changed, 16 insertions(+), 27 deletions(-)
ACK.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
11:59 a.m.
On 04/03/2013 10:02 AM, Daniel P. Berrange wrote:
From: "Daniel P. Berrange" <berrange(a)redhat.com>
Early on kernel support for private devpts was not widespread,
so we had compatibiltiy codepaths. Such old kernels are not
seriously used for LXC these days, so the compat code can go
away
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
src/lxc/lxc_controller.c | 28 +++++++++-------------------
1 file changed, 9 insertions(+), 19 deletions(-)
ACK.
We already reject compilation of LXC on RHEL 5 due to other
configure-time checks; is this something worth turning into an
additional configure test of whether a kernel is new enough, or are we
okay with just leaving it as a runtime test?
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
12:12 p.m.
On Wed, Apr 03, 2013 at 10:59:04AM -0600, Eric Blake wrote:
On 04/03/2013 10:02 AM, Daniel P. Berrange wrote:
> From: "Daniel P. Berrange" <berrange(a)redhat.com>
>
> Early on kernel support for private devpts was not widespread,
> so we had compatibiltiy codepaths. Such old kernels are not
> seriously used for LXC these days, so the compat code can go
> away
>
> Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
> ---
> src/lxc/lxc_controller.c | 28 +++++++++-------------------
> 1 file changed, 9 insertions(+), 19 deletions(-)
ACK.
We already reject compilation of LXC on RHEL 5 due to other
configure-time checks; is this something worth turning into an
additional configure test of whether a kernel is new enough, or are we
okay with just leaving it as a runtime test?
We can't ever check kernels during configure time, because you can't
assume the build kernel matches the distro kernel. eg all Fedora builds
are done in a host with a RHEL kernel
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
12:33 p.m.
On 04/03/2013 11:12 AM, Daniel P. Berrange wrote:
> We already reject compilation of LXC on RHEL 5 due to other
> configure-time checks; is this something worth turning into an
> additional configure test of whether a kernel is new enough, or are we
> okay with just leaving it as a runtime test?
We can't ever check kernels during configure time, because you can't
assume the build kernel matches the distro kernel. eg all Fedora builds
are done in a host with a RHEL kernel
configure-time tests for an added constant that affect whether
compilation works are okay; but I can live with the fact that
improvements that aren't detected by the compiler aren't worth
hard-coding into a configure-time test (that is, runtime behavior of the
kernel running configure is not necessarily a good indicator; only
compile-time behavior is useful).
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
4296
days inactive
4298
days old
11 comments
3 participants
participants (3)
-
Daniel P. Berrange -
Eric Blake -
Gao feng