- 11 Nov, 2014 18 commits
-
-
Pavel Emelyanov authored
Make their name look similar. Signed-off-by:
Pavel Emelyanov <xemul@parallels.com>
-
Pavel Emelyanov authored
We have sanity check for zombie-with kids below, no need in additional. Signed-off-by:
Pavel Emelyanov <xemul@parallels.com>
-
Pavel Emelyanov authored
We scan threads and children list several times while freezing the tree, this is done to avoid race with new threads/kids appearing. Factor out the iterations code. Signed-off-by:
Pavel Emelyanov <xemul@parallels.com>
-
Pavel Emelyanov authored
To make the threads collect code be structured similar to children collect. This will also help in further patching. Signed-off-by:
Pavel Emelyanov <xemul@parallels.com>
-
Pavel Emelyanov authored
Signed-off-by:
Pavel Emelyanov <xemul@parallels.com>
-
Pavel Emelyanov authored
Signed-off-by:
Pavel Emelyanov <xemul@parallels.com>
-
Pavel Emelyanov authored
Keeping the whole stat buf is too much information. Signed-off-by:
Pavel Emelyanov <xemul@parallels.com>
-
Pavel Emelyanov authored
Signed-off-by:
Pavel Emelyanov <xemul@parallels.com>
-
Pavel Emelyanov authored
Right now it returns the whole struct stat which is excessive. Signed-off-by:
Pavel Emelyanov <xemul@parallels.com>
-
Pavel Emelyanov authored
Not to spoil the global namespace and unify the kerndat data names. Signed-off-by:
Pavel Emelyanov <xemul@parallels.com>
-
Andrey Vagin authored
Currently this test creates one process and waits for it. So most of the time this test has only one process without children. Signed-off-by:
Andrey Vagin <avagin@openvz.org> Signed-off-by:
Pavel Emelyanov <xemul@parallels.com>
-
Andrey Vagin authored
Signed-off-by:
Andrey Vagin <avagin@openvz.org> Signed-off-by:
Pavel Emelyanov <xemul@parallels.com>
-
Andrey Vagin authored
For other tests the set of file descriptors can be changed. Signed-off-by:
Andrey Vagin <avagin@openvz.org> Signed-off-by:
Pavel Emelyanov <xemul@parallels.com>
-
Pavel Emelyanov authored
Signed-off-by:
Pavel Emelyanov <xemul@parallels.com> Acked-by:
Andrew Vagin <avagin@parallels.com>
-
Pavel Emelyanov authored
Signed-off-by:
Pavel Emelyanov <xemul@parallels.com>
-
Pavel Emelyanov authored
Signed-off-by:
Pavel Emelyanov <xemul@parallels.com>
-
Pavel Emelyanov authored
Signed-off-by:
Pavel Emelyanov <xemul@parallels.com>
-
Pavel Emelyanov authored
Right now we push all the auxiliary arguments to parasite_infect_seized while 2 of them are only required to calculate the size of args area. Let's better keep track of required args size and get rid of excessive arguments to parasite_infect_seized(). Signed-off-by:
Pavel Emelyanov <xemul@parallels.com>
-
- 10 Nov, 2014 3 commits
-
-
Pavel Emelyanov authored
Signed-off-by:
Pavel Emelyanov <xemul@parallels.com>
-
Andrey Vagin authored
We need to know this to insert holes. Currently xfer->parent isn't initialized for remote sessions. In most cases it has a non-zero value, so generate_iovs() is called with has_parent = true.

bash test/zdtm.sh -p -P -i 3 ns/transition/fork
(00.000106) Error (sysctl.c:194): Can't open sysctl net/ipv4/tcp_wmem: No such file or directory
(00.017048) 420: Error (image.c:231): Unable to open pagemap-420.img: No such file or directory
(00.017065) 420: Error (image.c:231): Unable to open pages-420.img: No such file or directory
(00.017090) 420: Error (page-read.c:73): No parent for snapshot pagemap
(00.017290) 86: Error (cr-restore.c:1185): 420 exited, status=1
(00.017317) Error (cr-restore.c:1831): Restoring FAILED.

v2: add a new command to open a page server. It's required to save backward compatibility. If someone tries to use an old version of page server, he will get an error. Reported-by: Mr Jenkins Signed-off-by:
Andrey Vagin <avagin@openvz.org> Signed-off-by:
Pavel Emelyanov <xemul@parallels.com>
-
Andrey Vagin authored
We do the same for other features. Here is an exception in case of the --ms option. Signed-off-by:
Andrey Vagin <avagin@openvz.org> Signed-off-by:
Pavel Emelyanov <xemul@parallels.com>
-
- 09 Nov, 2014 1 commit
-
-
Pavel Emelyanov authored
ispathsub("/foo", "/") reports false. This is a corner case, as 2nd argument is not expected to end with /. Fix this and add comment about ispathsub() arguments assumptions. Reported-by:
Andrey Vagin <avagin@parallels.com> Signed-off-by:
Pavel Emelyanov <xemul@parallels.com>
-
- 07 Nov, 2014 18 commits
-
-
Andrey Vagin authored
Restoring mount namespaces requires to create temporary directories in a test root. When tests execute in a new userns, they have non-zero gid and uid, so we need to grant permissions for them. v2: add +rx as well Reported-by: Mr Jenkins Signed-off-by:
Andrey Vagin <avagin@openvz.org> Signed-off-by:
Pavel Emelyanov <xemul@parallels.com>
-
Pavel Emelyanov authored
When we validate the mount tree not to have overmounts we need to check one path to be the sub-path of another. Here's a helper for this. Signed-off-by:
Pavel Emelyanov <xemul@parallels.com> Acked-by:
Andrew Vagin <avagin@parallels.com>
-
Pavel Emelyanov authored
Signed-off-by:
Pavel Emelyanov <xemul@parallels.com>
-
Andrey Vagin authored
We enter into the target userns and try to enter in other namespaces. The "enter" operation requires CAP_SYS_ADMIN in a user namespace, where a target namespace was created. Now if one or more namespaces were created in another userns, criu stops dumping and returns an error. I want to find someone, who uses this configuration. In this case restore will be more complicated. Current version covers containers needs. Signed-off-by:
Andrey Vagin <avagin@openvz.org> Signed-off-by:
Pavel Emelyanov <xemul@parallels.com>
-
Andrey Vagin authored
Sockets tests are excluded, because SO_RCVBUFFORCE and SO_SNDBUFFORCE are protected by CAP_NET_ADMIN.
tty*, pty* are excluded, because TIOCSLCKTRMIOS is protected by CAP_SYS_ADMIN.
*ghost, *notify, *unlink* are excluded, because linkat(AT_EMPTY_PATH) is protected by CAP_DAC_READ_SEARCH.
v2: use a blacklist Signed-off-by:
Andrey Vagin <avagin@openvz.org> Signed-off-by:
Pavel Emelyanov <xemul@parallels.com>
-
Andrey Vagin authored
v2: don't forget to initialize groups Signed-off-by:
Andrey Vagin <avagin@openvz.org> Signed-off-by:
Pavel Emelyanov <xemul@parallels.com>
-
Andrey Vagin authored
Here are two issues:
1. All mounts in a new user namespace are locked, so we need to create a new root mount. We need to bind-mount root to itself.
2. /proc and /sys must be mounted before umounting /proc and /sys which were inherited. It's a security policy.
"""
Author: Eric W. Biederman <ebiederm@xmission.com>
Date: Sun Mar 24 14:28:27 2013 -0700
userns: Restrict when proc and sysfs can be mounted
Only allow unprivileged mounts of proc and sysfs if they are already mounted when the user namespace is created.
"""
Signed-off-by:
Andrey Vagin <avagin@openvz.org> Signed-off-by:
Pavel Emelyanov <xemul@parallels.com>
-
Andrey Vagin authored
Devices can not be created in a new user namespace. Signed-off-by:
Andrey Vagin <avagin@openvz.org> Signed-off-by:
Pavel Emelyanov <xemul@parallels.com>
-
Andrey Vagin authored
It is cleared when a process is forked in a new userns. Signed-off-by:
Andrey Vagin <avagin@openvz.org> Signed-off-by:
Pavel Emelyanov <xemul@parallels.com>
-
Andrey Vagin authored
In this patch we fill /proc/PID/uid_map and /proc/PID/gid_map for the root task. v2: initialize groups in a new namespace. Acked-by:
Serge E. Hallyn <serge.hallyn@ubuntu.com> v3: add a helper to initialize creds in a new userns v4: initialize userns creds in prepare_namespaces() Signed-off-by:
Andrey Vagin <avagin@openvz.org> Signed-off-by:
Pavel Emelyanov <xemul@parallels.com>
-
Andrey Vagin authored
For that we need to save per-namespace mappings of user and group IDs. And all id-s for tasks and files are saved from the target user namespace. v2: move code into collect_namespaces() Signed-off-by:
Andrey Vagin <avagin@openvz.org> Signed-off-by:
Pavel Emelyanov <xemul@parallels.com>
-
Andrey Vagin authored
We are going to support user namespaces and uid-s will be converted according to userns mappings. v2: convert id-s for sockets too Signed-off-by:
Andrey Vagin <avagin@openvz.org> Signed-off-by:
Pavel Emelyanov <xemul@parallels.com>
-
Andrey Vagin authored
It's unused now. v2: remove the proc_pid_stat_small struct too. Signed-off-by:
Andrey Vagin <avagin@openvz.org> Signed-off-by:
Pavel Emelyanov <xemul@parallels.com>
-
Andrey Vagin authored
It's a bad idea to a group of processes and only then check rights for this operation. We need to check permissions as soon as possible to reduce impacts in case of wrong permissions. In addition criu doesn't to parse /proc/pid/state and gets all required information from /proc/pid/status. Signed-off-by:
Andrey Vagin <avagin@openvz.org> Signed-off-by:
Pavel Emelyanov <xemul@parallels.com>
-
Andrey Vagin authored
v2: don't leak FILE
CID 73423 (#1 of 1): Resource leak (RESOURCE_LEAK)
15. leaked_storage: Variable f going out of scope leaks the storage it points to.
Signed-off-by:
Andrey Vagin <avagin@openvz.org> Signed-off-by:
Pavel Emelyanov <xemul@parallels.com>
-
Andrey Vagin authored
We get sig and pgid from a parasite, because we need to get them from a target pid namespace. Signed-off-by:
Andrey Vagin <avagin@openvz.org> Signed-off-by:
Pavel Emelyanov <xemul@parallels.com>
-
Andrey Vagin authored
We have two reasons for that:
* parsing of /proc/pid/status is slow
* parasite returns ids from a target userns
Signed-off-by:
Andrey Vagin <avagin@openvz.org> Signed-off-by:
Pavel Emelyanov <xemul@parallels.com>
-
Andrey Vagin authored
Signed-off-by:
Andrey Vagin <avagin@openvz.org> Signed-off-by:
Pavel Emelyanov <xemul@parallels.com>
-