[vzctl] Initial fixes for F19.

Glauber Costa glauber at fedoraproject.org
Wed Apr 24 14:26:06 UTC 2013


commit 16d3e9e7fd753bc3a773f9bf87e4169ef0e0a350
Author: Glauber Costa <glommer at gmail.com>
Date:   Wed Apr 24 18:26:24 2013 +0400

    Initial fixes for F19.
    
    Mostly discovered by internal testing, so no BZ
    
    Signed-off-by: Glauber Costa <glommer at gmail.com>

 ...x-pivot_root-failure-with-mount-namespace.patch |   85 ++++++++++++++++++++
 ...-upstream-to-safely-stop-container-when-s.patch |   31 +++++++
 vzctl.spec                                         |   13 +++-
 3 files changed, 127 insertions(+), 2 deletions(-)
---
diff --git a/0001-hooks_ct-fix-pivot_root-failure-with-mount-namespace.patch b/0001-hooks_ct-fix-pivot_root-failure-with-mount-namespace.patch
new file mode 100644
index 0000000..e63ef90
--- /dev/null
+++ b/0001-hooks_ct-fix-pivot_root-failure-with-mount-namespace.patch
@@ -0,0 +1,85 @@
+From 571b8b894030653805689fdd6e4b91f54a75598b Mon Sep 17 00:00:00 2001
+From: Glauber Costa <glommer at parallels.com>
+Date: Tue, 26 Feb 2013 07:40:37 +0400
+Subject: [PATCH] hooks_ct: fix pivot_root failure with mount namespaces.
+
+Not only we don't need to call pivot_root when joining a mount namespace, we
+can't do it. This is because the filesystem we currently are will become
+invisible after we join the mount namespace. As a side effect, we are fully
+protected because we will only have the filesystem view of the newly joined
+namespace.
+
+Because setns support for mount namespaces are not always present, we need
+a flag do determine whether or not we've joined it. And because this is not
+needed outside this scope at all, we can resort to a local only flag instead
+of storing this information in the vps_handler
+
+Signed-off-by: Glauber Costa <glommer at parallels.com>
+---
+ src/lib/hooks_ct.c | 32 +++++++++++++++++---------------
+ 1 file changed, 17 insertions(+), 15 deletions(-)
+
+Index: vzctl-4.1.1/src/lib/hooks_ct.c
+===================================================================
+--- vzctl-4.1.1.orig/src/lib/hooks_ct.c
++++ vzctl-4.1.1/src/lib/hooks_ct.c
+@@ -213,13 +213,14 @@ static int ct_env_create(struct arg_star
+ 	return 0;
+ }
+ 
+-static int __ct_enter(vps_handler *h, envid_t veid, int flags)
++static int ct_enter(vps_handler *h, envid_t veid, const char *root, int flags)
+ {
+ 	DIR *dp;
+ 	struct dirent *ep;
+ 	char path[STR_SIZE]; /* long enough for any pid */
+ 	pid_t task_pid;
+ 	int ret = VZ_RESOURCE_ERROR;
++	bool joined_mnt_ns = false;
+ 
+ 	if (!h->can_join_pidns) {
+ 		logger(-1, 0, "Kernel lacks setns for pid namespace");
+@@ -253,7 +254,22 @@ static int __ct_enter(vps_handler *h, en
+ 			goto out;
+ 		if (setns(fd, 0))
+ 			logger(-1, errno, "Failed to set context for %s", ep->d_name);
++
++		if (!strcmp(ep->d_name, "mnt"))
++			joined_mnt_ns = true;
+ 	}
++
++	/*
++	 * If we can join the mount namespace, we don't need to call
++	 * pivot_root, or any other follow up step, since we will already
++	 * inherit any fs tree structure the process already has.
++	 *
++	 * As a matter of fact, we won't even be able to see the container
++	 * directories to jump to
++	 */
++	if (!joined_mnt_ns && (ret = ct_chroot(root)))
++		return ret;
++
+ 	ret = 0;
+ 
+ 	if ((ret = container_add_task(veid))) {
+@@ -265,20 +281,6 @@ out:
+ 	return ret;
+ }
+ 
+-/*
+- * We need to do chroot only after the context is set. Otherwise, we can't find the proc files
+- * we need to operate on the ns files
+- */
+-static int ct_enter(vps_handler *h, envid_t veid, const char *root, int flags)
+-{
+-	int ret;
+-	if ((ret = __ct_enter(h, veid, flags)))
+-		return ret;
+-	if ((ret = ct_chroot(root)))
+-		return ret;
+-	return 0;
+-}
+-
+ #define add_value(val, var, mult) do { if (val) { var = *val * mult; } } while (0)
+ 
+ static int ct_setlimits(vps_handler *h, envid_t veid, struct ub_struct *ub)
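Review bot: `joined_mnt_ns` is set by `if (!strcmp(ep->d_name, "mnt")) joined_mnt_ns = true;` regardless of whether the preceding `setns(fd, 0)` succeeded, since a failed setns is only logged and the loop continues; when the mount-namespace join fails, the new code then also skips `ct_chroot(root)`, so the task is added to the container while still seeing the host filesystem. Tie the flag to a successful join: `if (setns(fd, 0)) logger(-1, errno, "Failed to set context for %s", ep->d_name); else if (!strcmp(ep->d_name, "mnt")) joined_mnt_ns = true;`. The new `return ret` after the loop also bypasses the `out:` label that the other failure paths reach with `goto out`; if that label releases `dp` (its body is outside the hunk), this early exit should be `goto out` as well. The body of ct_enter continues past the end of the hunk.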
diff --git a/0001-vzctl-allow-upstream-to-safely-stop-container-when-s.patch b/0001-vzctl-allow-upstream-to-safely-stop-container-when-s.patch
new file mode 100644
index 0000000..ffff9c0
--- /dev/null
+++ b/0001-vzctl-allow-upstream-to-safely-stop-container-when-s.patch
@@ -0,0 +1,31 @@
+From 664cb6e123582e7e532adc72ee1a947da7b0d38b Mon Sep 17 00:00:00 2001
+From: Glauber Costa <glommer at parallels.com>
+Date: Tue, 26 Feb 2013 07:40:36 +0400
+Subject: [PATCH] vzctl: allow upstream to safely stop container when setns is
+ available
+
+The test preventing the execution of in-container reboot right now just
+checks whether or not we are running an upstream Linux Kernel. However,
+it is perfectly possible to gracefuly stop the container if joining the
+pid namespace is possible.
+
+Update the test to reflect that.
+
+Signed-off-by: Glauber Costa <glommer at parallels.com>
+---
+ src/lib/env.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: vzctl-4.1.1/src/lib/env.c
+===================================================================
+--- vzctl-4.1.1.orig/src/lib/env.c
++++ vzctl-4.1.1/src/lib/env.c
+@@ -790,7 +790,7 @@ static int env_stop(vps_handler *h, envi
+ 	if (stop_mode == M_KILL)
+ 		goto kill_vps;
+ 
+-	if (!is_vz_kernel(h)) {
++	if (!is_vz_kernel(h) && !h->can_join_pidns) {
+ 		logger(-1, 0, "Due to lack of proper support in this kernel, "
+ 		"container can't be cleanly\n"
+ 		"stopped from the host system. Please stop it from inside, "
diff --git a/vzctl.spec b/vzctl.spec
index 8f4e5ce..ce810a0 100644
--- a/vzctl.spec
+++ b/vzctl.spec
@@ -24,11 +24,13 @@
 Summary: OpenVZ containers control utility
 Name: vzctl
 Version: 4.1.1
-%define rel 3
-Release: %{rel}%{?dist}.1
+%define rel 4
+Release: %{rel}%{?dist}
 License: GPLv2+
 Group: System Environment/Kernel
 Source: http://download.openvz.org/utils/%{name}/%{version}/src/%{name}-%{version}.tar.bz2
+Patch0: 0001-vzctl-allow-upstream-to-safely-stop-container-when-s.patch
+Patch1: 0001-hooks_ct-fix-pivot_root-failure-with-mount-namespace.patch
 URL: http://openvz.org/
 
 # OpenVZ can run on its own kernel, and if that it is the case, some more
@@ -46,6 +48,7 @@ Requires: sed
 Requires: grep
 # requires for bash_completion and vps-download
 Requires: wget
+Requires: bridge-utils
 
 BuildRequires: libcgroup-devel >= 0.38
 
@@ -59,6 +62,8 @@ i.e. create, start, shutdown, set various options and limits etc.
 
 %prep
 %setup -q
+%patch0 -p1
+%patch1 -p1
 
 %build
 CFLAGS="$RPM_OPT_FLAGS" %configure \
@@ -192,6 +197,10 @@ ls $RPM_BUILD_ROOT/%{_mandir}/man8/
 
 
 %changelog
+* Wed Apr 24 2013 Glauber Costa <glommer at gmail.com> - 4.1.1-4
+- Include missing dependency for bridge-utils.
+- Fix problems with user and pid namespaces.
+
 * Fri Feb 15 2013 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 4.1.1-3.1
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
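Review bot: The changelog line `- Fix problems with user and pid namespaces.` does not describe what Patch0 and Patch1 do: the embedded patch subjects name a pid-namespace clean-stop fix and a mount-namespace pivot_root fix, and neither touches user namespaces. Consider `- Fix pivot_root failure with mount namespaces and clean stop with pid namespaces (setns).` so the entry points readers at the right subsystems.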
 

