[vzctl] Initial fixes for F19.
Glauber Costa
glauber at fedoraproject.org
Wed Apr 24 14:26:06 UTC 2013
commit 16d3e9e7fd753bc3a773f9bf87e4169ef0e0a350
Author: Glauber Costa <glommer at gmail.com>
Date: Wed Apr 24 18:26:24 2013 +0400
Initial fixes for F19.
Mostly discovered by internal testing, so there is no Bugzilla (BZ) reference for these fixes.
Signed-off-by: Glauber Costa <glommer at gmail.com>
...x-pivot_root-failure-with-mount-namespace.patch | 85 ++++++++++++++++++++
...-upstream-to-safely-stop-container-when-s.patch | 31 +++++++
vzctl.spec | 13 +++-
3 files changed, 127 insertions(+), 2 deletions(-)
---
diff --git a/0001-hooks_ct-fix-pivot_root-failure-with-mount-namespace.patch b/0001-hooks_ct-fix-pivot_root-failure-with-mount-namespace.patch
new file mode 100644
index 0000000..e63ef90
--- /dev/null
+++ b/0001-hooks_ct-fix-pivot_root-failure-with-mount-namespace.patch
@@ -0,0 +1,85 @@
+From 571b8b894030653805689fdd6e4b91f54a75598b Mon Sep 17 00:00:00 2001
+From: Glauber Costa <glommer at parallels.com>
+Date: Tue, 26 Feb 2013 07:40:37 +0400
+Subject: [PATCH] hooks_ct: fix pivot_root failure with mount namespaces.
+
+Not only we don't need to call pivot_root when joining a mount namespace, we
+can't do it. This is because the filesystem we currently are will become
+invisible after we join the mount namespace. As a side effect, we are fully
+protected because we will only have the filesystem view of the newly joined
+namespace.
+
+Because setns support for mount namespaces are not always present, we need
+a flag do determine whether or not we've joined it. And because this is not
+needed outside this scope at all, we can resort to a local only flag instead
+of storing this information in the vps_handler
+
+Signed-off-by: Glauber Costa <glommer at parallels.com>
+---
+ src/lib/hooks_ct.c | 32 +++++++++++++++++---------------
+ 1 file changed, 17 insertions(+), 15 deletions(-)
+
+Index: vzctl-4.1.1/src/lib/hooks_ct.c
+===================================================================
+--- vzctl-4.1.1.orig/src/lib/hooks_ct.c
++++ vzctl-4.1.1/src/lib/hooks_ct.c
+@@ -213,13 +213,14 @@ static int ct_env_create(struct arg_star
+ return 0;
+ }
+
+-static int __ct_enter(vps_handler *h, envid_t veid, int flags)
++static int ct_enter(vps_handler *h, envid_t veid, const char *root, int flags)
+ {
+ DIR *dp;
+ struct dirent *ep;
+ char path[STR_SIZE]; /* long enough for any pid */
+ pid_t task_pid;
+ int ret = VZ_RESOURCE_ERROR;
++ bool joined_mnt_ns = false;
+
+ if (!h->can_join_pidns) {
+ logger(-1, 0, "Kernel lacks setns for pid namespace");
+@@ -253,7 +254,22 @@ static int __ct_enter(vps_handler *h, en
+ goto out;
+ if (setns(fd, 0))
+ logger(-1, errno, "Failed to set context for %s", ep->d_name);
++
++ if (!strcmp(ep->d_name, "mnt"))
++ joined_mnt_ns = true;
+ }
++
++ /*
++ * If we can join the mount namespace, we don't need to call
++ * pivot_root, or any other follow up step, since we will already
++ * inherit any fs tree structure the process already has.
++ *
++ * As a matter of fact, we won't even be able to see the container
++ * directories to jump to
++ */
++ if (!joined_mnt_ns && (ret = ct_chroot(root)))
++ return ret;
++
+ ret = 0;
+
+ if ((ret = container_add_task(veid))) {
+@@ -265,20 +281,6 @@ out:
+ return ret;
+ }
+
+-/*
+- * We need to do chroot only after the context is set. Otherwise, we can't find the proc files
+- * we need to operate on the ns files
+- */
+-static int ct_enter(vps_handler *h, envid_t veid, const char *root, int flags)
+-{
+- int ret;
+- if ((ret = __ct_enter(h, veid, flags)))
+- return ret;
+- if ((ret = ct_chroot(root)))
+- return ret;
+- return 0;
+-}
+-
+ #define add_value(val, var, mult) do { if (val) { var = *val * mult; } } while (0)
+
+ static int ct_setlimits(vps_handler *h, envid_t veid, struct ub_struct *ub)
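Review bot: `joined_mnt_ns` is set from the entry name alone, so a failed `setns(fd, 0)` for `mnt` (which the loop only logs and then continues past) still marks the mount namespace as joined and skips `ct_chroot(root)`, leaving the entered task with the host's filesystem view — the opposite of the "fully protected" property the patch description relies on. Tie the flag to success: `if (setns(fd, 0)) logger(-1, errno, "Failed to set context for %s", ep->d_name); else if (!strcmp(ep->d_name, "mnt")) joined_mnt_ns = true;` — and since a silently missed namespace is now a confinement hazard rather than a cosmetic one, consider making any setns failure abort the enter instead of continuing. The new `return ret` after the chroot check also bypasses the `out:` label the rest of ct_enter uses; if that label releases `dp` (its body is not visible here), this should be `goto out`. One further thing to confirm outside the hunk: readdir order is unspecified, so if the per-namespace fd is opened by absolute `/proc/<pid>/ns/<name>` path rather than relative to the directory fd, joining `mnt` before the remaining namespaces could make those later opens fail on the container's /proc view.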
diff --git a/0001-vzctl-allow-upstream-to-safely-stop-container-when-s.patch b/0001-vzctl-allow-upstream-to-safely-stop-container-when-s.patch
new file mode 100644
index 0000000..ffff9c0
--- /dev/null
+++ b/0001-vzctl-allow-upstream-to-safely-stop-container-when-s.patch
@@ -0,0 +1,31 @@
+From 664cb6e123582e7e532adc72ee1a947da7b0d38b Mon Sep 17 00:00:00 2001
+From: Glauber Costa <glommer at parallels.com>
+Date: Tue, 26 Feb 2013 07:40:36 +0400
+Subject: [PATCH] vzctl: allow upstream to safely stop container when setns is
+ available
+
+The test preventing the execution of in-container reboot right now just
+checks whether or not we are running an upstream Linux Kernel. However,
+it is perfectly possible to gracefuly stop the container if joining the
+pid namespace is possible.
+
+Update the test to reflect that.
+
+Signed-off-by: Glauber Costa <glommer at parallels.com>
+---
+ src/lib/env.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: vzctl-4.1.1/src/lib/env.c
+===================================================================
+--- vzctl-4.1.1.orig/src/lib/env.c
++++ vzctl-4.1.1/src/lib/env.c
+@@ -790,7 +790,7 @@ static int env_stop(vps_handler *h, envi
+ if (stop_mode == M_KILL)
+ goto kill_vps;
+
+- if (!is_vz_kernel(h)) {
++ if (!is_vz_kernel(h) && !h->can_join_pidns) {
+ logger(-1, 0, "Due to lack of proper support in this kernel, "
+ "container can't be cleanly\n"
+ "stopped from the host system. Please stop it from inside, "
diff --git a/vzctl.spec b/vzctl.spec
index 8f4e5ce..ce810a0 100644
--- a/vzctl.spec
+++ b/vzctl.spec
@@ -24,11 +24,13 @@
Summary: OpenVZ containers control utility
Name: vzctl
Version: 4.1.1
-%define rel 3
-Release: %{rel}%{?dist}.1
+%define rel 4
+Release: %{rel}%{?dist}
License: GPLv2+
Group: System Environment/Kernel
Source: http://download.openvz.org/utils/%{name}/%{version}/src/%{name}-%{version}.tar.bz2
+Patch0: 0001-vzctl-allow-upstream-to-safely-stop-container-when-s.patch
+Patch1: 0001-hooks_ct-fix-pivot_root-failure-with-mount-namespace.patch
URL: http://openvz.org/
# OpenVZ can run on its own kernel, and if that it is the case, some more
@@ -46,6 +48,7 @@ Requires: sed
Requires: grep
# requires for bash_completion and vps-download
Requires: wget
+Requires: bridge-utils
BuildRequires: libcgroup-devel >= 0.38
@@ -59,6 +62,8 @@ i.e. create, start, shutdown, set various options and limits etc.
%prep
%setup -q
+%patch0 -p1
+%patch1 -p1
%build
CFLAGS="$RPM_OPT_FLAGS" %configure \
@@ -192,6 +197,10 @@ ls $RPM_BUILD_ROOT/%{_mandir}/man8/
%changelog
+* Wed Apr 24 2013 Glauber Costa <glommer at gmail.com> - 4.1.1-4
+- Include missing dependency for bridge-utils.
+- Fix problems with user and pid namespaces.
+
* Fri Feb 15 2013 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 4.1.1-3.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild