@alban
alban / rename.c
Created March 10, 2015 11:21
rename.c
#define _GNU_SOURCE /* See feature_test_macros(7) */
#include <unistd.h>
#include <sys/syscall.h> /* For SYS_xxx definitions */
#include <stdio.h>
#include <fcntl.h> /* Definition of AT_* constants */
#include <stdio.h>
@alban
alban / fchdir.c
Created March 11, 2015 12:27
fchdir.c - escaping chroot with file descriptors
/* Send or receive the file descriptor of "/"
*/
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <string.h>
#include <sys/stat.h>
#include <fcntl.h>
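The gist above is cut off after its includes, so here is the technique its title names, written out as an added Go example (not alban's code): a helper outside the chroot opens "/" and passes the descriptor over an AF_UNIX socket with SCM_RIGHTS; the process inside the chroot receives it, fchdir()s to it and calls chroot("."). The demo runs both ends inside one process over a socketpair and only checks that the received descriptor refers to the same inode as "/"; the final chroot step is kept in its own function because it needs CAP_SYS_CHROOT and would change the root of whatever runs it. Function names are the example's own.

```go
package main

import (
	"errors"
	"fmt"
	"syscall"
)

// sendFD passes fd over the connected AF_UNIX socket sock using SCM_RIGHTS.
// Linux refuses a sendmsg that carries ancillary data but no payload, hence
// the single dummy byte.
func sendFD(sock, fd int) error {
	rights := syscall.UnixRights(fd)
	return syscall.Sendmsg(sock, []byte{0}, rights, nil, 0)
}

// recvFD receives one descriptor sent with sendFD. The kernel has already
// installed the fd in the receiver's table; we only read its number out of
// the control message and reject anything that is not exactly one fd.
func recvFD(sock int) (int, error) {
	buf := make([]byte, 1)
	oob := make([]byte, syscall.CmsgSpace(4))
	_, oobn, _, _, err := syscall.Recvmsg(sock, buf, oob, 0)
	if err != nil {
		return -1, err
	}
	msgs, err := syscall.ParseSocketControlMessage(oob[:oobn])
	if err != nil {
		return -1, err
	}
	if len(msgs) != 1 {
		return -1, errors.New("expected exactly one control message")
	}
	fds, err := syscall.ParseUnixRights(&msgs[0])
	if err != nil {
		return -1, err
	}
	if len(fds) != 1 {
		return -1, errors.New("expected exactly one file descriptor")
	}
	return fds[0], nil
}

// escapeChroot is the receiver's last step: rootFD refers to a directory
// outside the current root, so fchdir to it and make "." the new root.
// chroot(2) needs CAP_SYS_CHROOT; a sandbox that relies on chroot alone must
// drop that capability (or use a mount namespace and pivot_root) or this works.
func escapeChroot(rootFD int) error {
	if err := syscall.Fchdir(rootFD); err != nil {
		return err
	}
	return syscall.Chroot(".")
}

// sameFile reports whether two descriptors refer to the same inode.
func sameFile(a, b int) (bool, error) {
	var sa, sb syscall.Stat_t
	if err := syscall.Fstat(a, &sa); err != nil {
		return false, err
	}
	if err := syscall.Fstat(b, &sb); err != nil {
		return false, err
	}
	return sa.Dev == sb.Dev && sa.Ino == sb.Ino, nil
}

// demoPassRootFD opens "/", sends it across a socketpair and checks that the
// receiving end holds a descriptor for the same directory. In a real escape
// the two ends are different processes: the sender outside the chroot, the
// receiver inside it.
func demoPassRootFD() (bool, error) {
	sv, err := syscall.Socketpair(syscall.AF_UNIX, syscall.SOCK_STREAM, 0)
	if err != nil {
		return false, err
	}
	defer syscall.Close(sv[0])
	defer syscall.Close(sv[1])
	rootFD, err := syscall.Open("/", syscall.O_RDONLY|syscall.O_DIRECTORY, 0)
	if err != nil {
		return false, err
	}
	defer syscall.Close(rootFD)
	if err := sendFD(sv[0], rootFD); err != nil {
		return false, err
	}
	got, err := recvFD(sv[1])
	if err != nil {
		return false, err
	}
	defer syscall.Close(got)
	return sameFile(rootFD, got)
}

func main() {
	ok, err := demoPassRootFD()
	fmt.Println("received fd refers to /:", ok, err)
}
```

The defensive point is the one the gist title makes: a chroot is only as strong as the process's inability to obtain a descriptor from outside it, and SCM_RIGHTS, inherited fds, or a leaked /proc/<pid>/cwd all provide one. Dropping CAP_SYS_CHROOT in the jailed process, or using a mount namespace with pivot_root, closes the fchdir+chroot path.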
@alban
alban / dind.sh
Created March 24, 2015 14:13
Run Docker in Rocket
docker2aci quay.io/alban/dind:dockerinrocket
actool patch-manifest --overwrite --capability=CAP_NET_ADMIN alban-dind-dockerinrocket.aci alban-dind-dockerinrocket-2.aci
scp alban-dind-dockerinrocket-2.aci core-01:/var/tmp/
DOCKER_DAEMON_ARGS='-D -s=overlay' /var/tmp/rkt --insecure-skip-verify run -inherit-env --interactive /var/tmp/alban-dind-dockerinrocket-2.aci
echo nameserver 10.0.2.3 > /etc/resolv.conf
docker run --rm busybox echo Yes it works
docker run --rm -t -i busybox
@alban
alban / 0004-nspawn-fallback-on-bind-mount-when-mknod-fails.patch
Created March 30, 2015 10:54
systemd v215 patch: nspawn: fallback on bind mount when mknod fails
From 293c726fb9036d977a77127bfaeadc610956e296 Mon Sep 17 00:00:00 2001
From: Alban Crequy <[email protected]>
Date: Sun, 29 Mar 2015 14:51:23 +0200
Subject: [PATCH 4/4] nspawn: fallback on bind mount when mknod fails
From: Alban Crequy <[email protected]>
Some systems abusively restrict mknod, even when the device node already
exists in /dev. This is unfortunate because it prevents systemd-nspawn
from creating the basic devices in /dev in the container.
@alban
alban / ci.md
Last active August 29, 2015 14:18
Public Continuous Integration Services for Open Source projects on GitHub

rkt/rkt#600

In order to run the tests automatically at each PR, we need a continuous integration service hooked on GitHub. Rocket needs to be able to do bind mounts, change mount options (such as MS_REC|MS_SLAVE), create namespaces, mknod, and mount cgroupfs.

Travis

Travis does not grant CAP_SYS_ADMIN, so mounting is not allowed and creating new namespaces is not allowed (the 0x2c000000 that strace leaves undecoded below is CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWPID):

clone(child_stack=0, flags=CLONE_NEWNS|0x2c000000|SIGCHLD) = -1 EPERM (Operation not permitted)
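The EPERM above is what you get when the effective capability set is empty. Before waiting for a clone() to fail, a CI job can read its own effective set from /proc/self/status and report which of the capabilities listed above are missing. The following is an added Go example, not part of the gist or of rkt; the capability bit numbers are the ones from <linux/capability.h>, and the status text in the block is constructed to look like an unprivileged runner, not captured from Travis.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"sort"
	"strconv"
	"strings"
)

// Capability bit numbers from <linux/capability.h>.
const (
	capSysChroot = 18
	capSysAdmin  = 21
	capMknod     = 27
)

// What the rkt tests described above need from the runner, keyed by the bit
// that grants it (mount, mount option changes, namespaces and cgroupfs all
// sit behind CAP_SYS_ADMIN; mknod behind CAP_MKNOD).
var required = map[uint]string{
	capSysAdmin:  "CAP_SYS_ADMIN (mount, MS_REC|MS_SLAVE, namespaces, cgroupfs)",
	capMknod:     "CAP_MKNOD (device nodes in /dev)",
	capSysChroot: "CAP_SYS_CHROOT",
}

// parseCapEff pulls the effective capability mask out of /proc/<pid>/status
// text. The value is a 64-bit hex mask without a 0x prefix.
func parseCapEff(status string) (uint64, error) {
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		line := sc.Text()
		if strings.HasPrefix(line, "CapEff:") {
			v := strings.TrimSpace(strings.TrimPrefix(line, "CapEff:"))
			return strconv.ParseUint(v, 16, 64)
		}
	}
	return 0, fmt.Errorf("no CapEff line in status text")
}

func hasCap(mask uint64, bit uint) bool { return mask&(uint64(1)<<bit) != 0 }

// missingCaps lists the required capabilities absent from mask, sorted so the
// report is stable.
func missingCaps(mask uint64) []string {
	var out []string
	for bit, name := range required {
		if !hasCap(mask, bit) {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out
}

// preflight reads this process's own status file and reports what is missing.
func preflight() ([]string, error) {
	b, err := os.ReadFile("/proc/self/status")
	if err != nil {
		return nil, err
	}
	mask, err := parseCapEff(string(b))
	if err != nil {
		return nil, err
	}
	return missingCaps(mask), nil
}

// Constructed sample (not captured from Travis): a runner whose effective set
// is empty, which is the situation that produces EPERM from clone(CLONE_NEWNS).
const unprivilegedStatus = "Name:\tsh\n" +
	"CapInh:\t0000000000000000\n" +
	"CapPrm:\t0000000000000000\n" +
	"CapEff:\t0000000000000000\n" +
	"CapBnd:\t0000003fffffffff\n"

func main() {
	mask, _ := parseCapEff(unprivilegedStatus)
	fmt.Println("sample runner is missing:", missingCaps(mask))
	if missing, err := preflight(); err == nil {
		fmt.Println("this process is missing:", missing)
	}
}
```

Note that a non-empty CapEff is necessary but not sufficient: a seccomp filter on the runner can still return EPERM for clone() or mount() with the capability present, so the syscall-level failure in the strace line remains the authoritative check.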
@alban
alban / test.go
Created May 20, 2015 10:35
testing unshare CLONE_FS in go routines
package main
import "fmt"
import "os"
import "time"
import "syscall"
import "runtime"
func thr() {
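The gist preview stops at the function header, so here is an added Go example (not alban's test.go) of the point such a test probes: unshare(CLONE_FS) detaches cwd, root and umask for the calling OS thread only, while goroutines are multiplexed across threads. The example pins the goroutine with runtime.LockOSThread before unsharing, chdirs on that thread, and reports the cwd seen there and by the rest of the process, which must not have moved. Function names are the example's own; it relies on the Go 1.10+ rule that a locked thread is terminated when its goroutine exits.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"runtime"
	"syscall"
)

type fsResult struct {
	wd  string
	err error
}

// chdirUnshared runs chdir(dir) on an OS thread whose filesystem attributes
// (cwd, root, umask) have been detached from the process with
// unshare(CLONE_FS). Without LockOSThread the scheduler could move this
// goroutine to another thread, or give this thread to another goroutine,
// and the detached cwd would apply to the wrong code.
func chdirUnshared(dir string) (string, error) {
	ch := make(chan fsResult, 1)
	go func() {
		runtime.LockOSThread()
		// No UnlockOSThread on purpose: since Go 1.10 a locked thread is
		// terminated when its goroutine exits, so the unshared fs state
		// can never be handed back to the scheduler's thread pool.
		if err := syscall.Unshare(syscall.CLONE_FS); err != nil {
			ch <- fsResult{"", err}
			return
		}
		if err := syscall.Chdir(dir); err != nil {
			ch <- fsResult{"", err}
			return
		}
		wd, err := syscall.Getwd()
		ch <- fsResult{wd, err}
	}()
	r := <-ch
	return r.wd, r.err
}

type demoResult struct {
	Target   string // scratch directory, symlinks resolved
	Isolated string // cwd observed on the unshared thread
	Before   string // process cwd before the experiment
	After    string // process cwd after it; must equal Before
}

// demo creates a scratch directory, chdirs into it on an unshared thread and
// reports what that thread and the rest of the process see as cwd.
func demo() (demoResult, error) {
	var r demoResult
	dir, err := os.MkdirTemp("", "clonefs-")
	if err != nil {
		return r, err
	}
	defer os.RemoveAll(dir)
	// getcwd returns a resolved path; normalise the target the same way.
	if r.Target, err = filepath.EvalSymlinks(dir); err != nil {
		return r, err
	}
	if r.Before, err = syscall.Getwd(); err != nil {
		return r, err
	}
	if r.Isolated, err = chdirUnshared(r.Target); err != nil {
		return r, err
	}
	if r.After, err = syscall.Getwd(); err != nil {
		return r, err
	}
	return r, nil
}

func main() {
	r, err := demo()
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	fmt.Printf("unshared thread cwd: %s\nprocess cwd before/after: %s / %s\n",
		r.Isolated, r.Before, r.After)
}
```

The same thread-affinity rule applies to setns(), unshare(CLONE_NEWNS) and any other per-task state a container runtime written in Go touches; rkt's own stage0/stage1 code has to lock the thread for the same reason.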
@alban
alban / rkt-stage1-file-lists.md
Last active August 29, 2015 14:22
rkt stage1: list of files for each flavor

flavor coreos

$ tar tvzf bin/stage1.aci
drwxr-xr-x 1000/1000         0 2015-06-05 09:12 rootfs
-rwxr-xr-x 1000/1000    750992 2015-06-05 09:12 rootfs/diagexec
-rwxr-xr-x 1000/1000    746896 2015-06-05 09:12 rootfs/enter
drwxr-xr-x 1000/1000         0 2015-06-05 09:12 rootfs/etc
-rw-r--r-- 1000/1000         4 2015-06-05 09:12 rootfs/etc/os-release
drwxr-xr-x 1000/1000         0 2015-06-05 09:12 rootfs/etc/rkt
drwxr-xr-x 1000/1000         0 2015-06-05 09:12 rootfs/etc/rkt/net.d
@alban
alban / rkt-stage1-host-file-copied-runtime.md
Last active August 29, 2015 14:22
rkt stage1, flavor=usr-from-host

List of files copied or modified at run-time by rkt

The .service, zoneinfo, /opt, /rkt files were obviously not copied from the host but created or modified at run-time. They just appear here because I use the find command, so it prints everything...

Tested on Debian-Sid with systemd-v220. Of course, it's going to be a different list on a different distribution...

# pwd
/var/lib/rkt/pods/run/04ffd940-4597-4931-bae2-2d2a93a71d4c/overlay/sha512-8c2140d625b5f176ed176963e63acb1d99b9096cc37d88e3683bd083cfc2ba53/upper
alban@alban:~/go/src/github.com/coreos/rkt$ export RKT_STAGE1_USR_FROM=usr-from-host
alban@alban:~/go/src/github.com/coreos/rkt$ ./build
stage1 will pick binaries from the host at run-time
Building rkt (stage0)...
Building network plugins...
bridge
ipvlan
macvlan
veth
host-local
rkt_run_pod_manifest_test.go:513: Running 'run' test #8: /home/alban/go/src/github.com/coreos/rkt/build-rkt-0.7.0+git/bin/rkt --dir=/tmp/datadir-795765648 --local-config=/tmp/localdir-828622255 --system-config=/tmp/systemdir-984807746 run --mds-register=false --pod-manifest=/home/alban/go/src/github.com/coreos/rkt/build-rkt-0.7.0+git/tmp/functional-tests/test-tmp/rkt-test-manifest-109413868
rkt_run_pod_manifest_test.go:521: Expected "CPU Quota: 100" but not found: 2015/08/03 12:54:25 Preparing stage1
2015/08/03 12:54:26 Loading image sha512-44395c59b1383178ce07484a859ae9ab
2015/08/03 12:54:26 Writing pod manifest
2015/08/03 12:54:26 Setting up stage1
2015/08/03 12:54:26 Writing image manifest
2015/08/03 12:54:26 Wrote filesystem to /tmp/datadir-795765648/pods/run/d82a8043-d1b2-46fa-a9c4-35ccea493f9a
2015/08/03 12:54:26 Writing image manifest
2015/08/03 12:54:26 Pivoting to filesystem /tmp/datadir-795765648/pods/run/d82a8043-d1b2-46fa-a9c4-35ccea493f9a
2015/08/03 12:54:26 Execing /init