- dev - passt

[PATCH 0/2] Introduce --log-fd option
by Michal Privoznik 07 Jun '23

07 Jun '23

The idea behind this is so that libvirt can create the log file, set all DAC/SELinux labels and just pass pre-opened FD to passt. You can view my WIP patches for libvirt here: https://gitlab.com/MichalPrivoznik/libvirt/-/commit/5bbe40087d6888a7c4031a2… Michal Privoznik (2): util: Introduce set_cloexec() conf, log: Introduce --log-fd option conf.c | 29 +++++++++++++++++++++++++---- log.c | 17 ++++++++++++----- log.h | 2 +- passt.1 | 5 +++++ util.c | 17 +++++++++++++++++ util.h | 1 + 6 files changed, 61 insertions(+), 10 deletions(-) -- 2.39.3

3 7

[PATCH v2] conf, log: On -h / --help, print usage to stdout, not stderr
by Stefano Brivio 05 Jun '23

05 Jun '23

Erik suggests that this makes it easier to grep for options, and with --help we're anyway printing usage information as expected, not as part of an error report. While at it: on -h, we should exit with 0. Reported-by: Erik Sjölund <erik.sjolund(a)gmail.com> Link: https://bugs.passt.top/show_bug.cgi?id=52 Link: https://bugs.passt.top/show_bug.cgi?id=53 Signed-off-by: Stefano Brivio <sbrivio(a)redhat.com> --- v2: Exit with 0, non with 1 as also reported by Erik conf.c | 23 ++++++++++++++++++----- log.c | 8 +++++--- log.h | 1 + 3 files changed, 24 insertions(+), 8 deletions(-) diff --git a/conf.c b/conf.c index ffff235..87dec50 100644 --- a/conf.c +++ b/conf.c @@ -717,10 +717,11 @@ static unsigned int conf_ip6(unsigned int ifi, } /** - * usage() - Print usage and exit + * print_usage() - Print usage, exit with given status code * @name: Executable name + * @status: Status code for exit() */ -static void usage(const char *name) +static void print_usage(const char *name, int status) { if (strstr(name, "pasta")) { info("Usage: %s [OPTION]... [COMMAND] [ARGS]...", name); @@ -856,7 +857,7 @@ static void usage(const char *name) info( " SPEC is as described for TCP above"); info( " default: none"); - exit(EXIT_FAILURE); + exit(status); pasta_opts: @@ -906,7 +907,16 @@ pasta_opts: info( " Don't copy all addresses to namespace"); info( " --ns-mac-addr ADDR Set MAC address on tap interface"); - exit(EXIT_FAILURE); + exit(status); +} + +/** + * usage() - Print usage and exit with failure + * @name: Executable name + */ +static void usage(const char *name) +{ + print_usage(name, EXIT_FAILURE); } /** @@ -1630,8 +1640,11 @@ void conf(struct ctx *c, int argc, char **argv) case 'U': /* Handle these later, once addresses are configured */ break; - case '?': case 'h': + log_to_stdout = 1; + print_usage(argv[0], EXIT_SUCCESS); + break; + case '?': default: usage(argv[0]); break; diff --git a/log.c b/log.c index 3a3d101..63d7801 100644 --- a/log.c +++ b/log.c @@ -43,17 +43,19 @@ static char log_header[BUFSIZ]; /* File header, written back on cuts */ static time_t log_start; /* Start timestamp */ int log_trace; /* --trace mode enabled */ +int log_to_stdout; /* Print to stdout instead of stderr */ #define BEFORE_DAEMON (setlogmask(0) == LOG_MASK(LOG_EMERG)) #define logfn(name, level) \ void name(const char *format, ...) { \ + FILE *out = log_to_stdout ? stdout : stderr; \ struct timespec tp; \ va_list args; \ \ if (setlogmask(0) & LOG_MASK(LOG_DEBUG) && log_file == -1) { \ clock_gettime(CLOCK_REALTIME, &tp); \ - fprintf(stderr, "%lli.%04lli: ", \ + fprintf(out, "%lli.%04lli: ", \ (long long int)tp.tv_sec - log_start, \ (long long int)tp.tv_nsec / (100L * 1000)); \ } \ @@ -70,10 +72,10 @@ void name(const char *format, ...) { \ if ((setlogmask(0) & LOG_MASK(LOG_DEBUG) && log_file == -1) || \ (BEFORE_DAEMON && !(log_opt & LOG_PERROR))) { \ va_start(args, format); \ - (void)vfprintf(stderr, format, args); \ + (void)vfprintf(out, format, args); \ va_end(args); \ if (format[strlen(format)] != '\n') \ - fprintf(stderr, "\n"); \ + fprintf(out, "\n"); \ } \ } diff --git a/log.h b/log.h index 3aab29d..a17171a 100644 --- a/log.h +++ b/log.h @@ -22,6 +22,7 @@ void debug(const char *format, ...); } while (0) extern int log_trace; +extern int log_to_stdout; void trace_init(int enable); #define trace(...) \ do { \ -- 2.39.2

2 1

[PATCH] conf, log: On -h / --help, print usage to stdout, not stderr
by Stefano Brivio 05 Jun '23

05 Jun '23

Erik suggests that this makes it easier to grep for options, and with --help we're anyway printing usage information as expected, not as part of an error report. Reported-by: Erik Sjölund <erik.sjolund(a)gmail.com> Link: https://bugs.passt.top/show_bug.cgi?id=52 Signed-off-by: Stefano Brivio <sbrivio(a)redhat.com> --- conf.c | 4 +++- log.c | 8 +++++--- log.h | 1 + 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/conf.c b/conf.c index ffff235..9eb6992 100644 --- a/conf.c +++ b/conf.c @@ -1630,8 +1630,10 @@ void conf(struct ctx *c, int argc, char **argv) case 'U': /* Handle these later, once addresses are configured */ break; - case '?': case 'h': + log_to_stdout = 1; + /* Falls through */ + case '?': default: usage(argv[0]); break; diff --git a/log.c b/log.c index 3a3d101..63d7801 100644 --- a/log.c +++ b/log.c @@ -43,17 +43,19 @@ static char log_header[BUFSIZ]; /* File header, written back on cuts */ static time_t log_start; /* Start timestamp */ int log_trace; /* --trace mode enabled */ +int log_to_stdout; /* Print to stdout instead of stderr */ #define BEFORE_DAEMON (setlogmask(0) == LOG_MASK(LOG_EMERG)) #define logfn(name, level) \ void name(const char *format, ...) { \ + FILE *out = log_to_stdout ? stdout : stderr; \ struct timespec tp; \ va_list args; \ \ if (setlogmask(0) & LOG_MASK(LOG_DEBUG) && log_file == -1) { \ clock_gettime(CLOCK_REALTIME, &tp); \ - fprintf(stderr, "%lli.%04lli: ", \ + fprintf(out, "%lli.%04lli: ", \ (long long int)tp.tv_sec - log_start, \ (long long int)tp.tv_nsec / (100L * 1000)); \ } \ @@ -70,10 +72,10 @@ void name(const char *format, ...) { \ if ((setlogmask(0) & LOG_MASK(LOG_DEBUG) && log_file == -1) || \ (BEFORE_DAEMON && !(log_opt & LOG_PERROR))) { \ va_start(args, format); \ - (void)vfprintf(stderr, format, args); \ + (void)vfprintf(out, format, args); \ va_end(args); \ if (format[strlen(format)] != '\n') \ - fprintf(stderr, "\n"); \ + fprintf(out, "\n"); \ } \ } diff --git a/log.h b/log.h index 3aab29d..a17171a 100644 --- a/log.h +++ b/log.h @@ -22,6 +22,7 @@ void debug(const char *format, ...); } while (0) extern int log_trace; +extern int log_to_stdout; void trace_init(int enable); #define trace(...) \ do { \ -- 2.39.2

2 2

[PATCH] tap: With pasta, don't reset on tap errors, handle write failures
by Stefano Brivio 05 Jun '23

05 Jun '23

Since commit 0515adceaa8f ("passt, pasta: Namespace-based sandboxing, defer seccomp policy application"), it makes no sense to close and reopen the tap device on error: we don't have access to /dev/net/tun after the initial setup phase. If we hit ENOBUFS while writing (as reported: in one case because the kernel actually ran out of memory, with another case under investigation), or ENOSPC, we're supposed to drop whatever data we were trying to send: there's no room for it. Handle EINTR just like we handled EAGAIN/EWOULDBLOCK: there's no particular reason why sending the same data should fail again. Anything else I can think of would be an unrecoverable error: exit with failure then. While at it, drop a useless cast on the write() call: it takes a const void * anyway. Reported-by: Gianluca Stivan <me(a)yawnt.com> Reported-by: Chris Kuhn <kuhnchris(a)kuhnchris.eu> Fixes: 0515adceaa8f ("passt, pasta: Namespace-based sandboxing, defer seccomp policy application") Signed-off-by: Stefano Brivio <sbrivio(a)redhat.com> --- tap.c | 24 +++++++++++++++++++----- 1 file changed, 19 insertions(+), 5 deletions(-) diff --git a/tap.c b/tap.c index c0b7f33..e323529 100644 --- a/tap.c +++ b/tap.c @@ -320,12 +320,23 @@ static size_t tap_send_frames_pasta(struct ctx *c, size_t i; for (i = 0; i < n; i++) { - if (write(c->fd_tap, (char *)iov[i].iov_base, - iov[i].iov_len) < 0) { + if (write(c->fd_tap, iov[i].iov_base, iov[i].iov_len) < 0) { debug("tap write: %s", strerror(errno)); - if (errno != EAGAIN && errno != EWOULDBLOCK) - tap_handler(c, c->fd_tap, EPOLLERR, NULL); - i--; + + switch (errno) { + case EAGAIN: +#if EAGAIN != EWOULDBLOCK + case EWOULDBLOCK: +#endif + case EINTR: + i--; + break; + case ENOBUFS: + case ENOSPC: + break; + default: + die("Write error on tap device, exiting"); + } } } @@ -1237,6 +1248,9 @@ void tap_handler(struct ctx *c, int fd, uint32_t events, exit(EXIT_SUCCESS); } + if (c->mode == MODE_PASTA) + die("Error on tap device, exiting"); + tap_sock_init(c); } } -- 2.39.2

2 1

passt: new version 2023_06_03.429e1a7 available
by Stefano Brivio 03 Jun '23

03 Jun '23

The new version with tag 2023_06_03.429e1a7 includes the following changes: 429e1a7 conf: Fix erroneous check of ip6->gw e3b1953 test/nstool: Fix fd leak in accept() loop 527c822 test/nstool: Provide useful error if given a path that's too long 9f61c5b passt.h: Fix description of pasta_ifi in struct ctx cc9d167 conf, pasta: With --config-net, copy all addresses by default e89da3c netlink: Add functionality to copy addresses from outer namespace a7359f0 conf: Don't exit if sourced default route has no gateway e8fef75 Revert "conf: Adjust netmask on mismatch between IPv4 address/netmask and gateway" da54641 conf, pasta: With --config-net, copy all routes by default 468f19a conf: --config-net option is for pasta mode only 2fe0461 netlink: Add functionality to copy routes from outer namespace f099afb pasta: Improve error handling on failure to join network namespace 1c3c689 netlink: Fix comment about response buffer size for nl_req() 770d1a4 isolation: Initially Keep CAP_SETFCAP if running as UID 0 in non-init b0e450a pasta: Detach mount namespace, (re)mount procfs before spawning command b0881aa util, conf: Add and use ns_is_init() helper 25f1d1a tap: Don't update ip6.addr_seen to :: https://passt.top/passt/log/?qt=range&q=2023_05_09.96f8d55..2023_06_03.429e… Packages: - Arch Linux: https://www.archlinux.org/packages/extra/x86_64/passt/ https://archlinuxarm.org/packages/aarch64/passt https://archlinuxarm.org/packages/armv7h/passt - Debian tracker: https://tracker.debian.org/pkg/passt - Copr (CentOS Stream, EPEL, Fedora, Mageia, openSUSE): https://copr.fedorainfracloud.org/coprs/sbrivio/passt/build/6000164/ permanent mirror: https://passt.top/builds/copr/0^20230603.g429e1a7/ - Fedora updates: https://bodhi.fedoraproject.org/updates/?packages=passt - Ubuntu tracker: https://packages.ubuntu.com/lunar/passt - Void Linux: https://voidlinux.org/packages/?q=passt - Static builds: - Package for other RPM-based distributions, x86_64 only: https://passt.top/builds/latest/x86_64/passt-g429e1a7-1.x86_64.rpm - x86_64 static binaries: https://passt.top/builds/latest/x86_64/ - Debian package, from x86_64 static build: https://passt.top/builds/latest/x86_64/passt_429e1a7-1_all.deb -- Stefano

1 0

[PATCH] conf: Fix erroneous check of ip6->gw
by David Gibson 03 Jun '23

03 Jun '23

a7359f094898 ("conf: Don't exit if sourced default route has no gateway") was supposed to allow passt/pasta to run even if given a template interface which has no default gateway. However a mistake in the patch means it still requires the gateway, but doesn't require a global address for the guest which we really do need. This is one part (but not the only part) of the problem seen in https://bugs.passt.top/show_bug.cgi?id=50. Fixes: a7359f094898 Signed-off-by: David Gibson <david(a)gibson.dropbear.id.au> --- conf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/conf.c b/conf.c index d8414fe7..ffff235b 100644 --- a/conf.c +++ b/conf.c @@ -708,7 +708,7 @@ static unsigned int conf_ip6(unsigned int ifi, if (MAC_IS_ZERO(mac)) nl_link(0, ifi, mac, 0, 0); - if (IN6_IS_ADDR_UNSPECIFIED(&ip6->gw) || + if (IN6_IS_ADDR_UNSPECIFIED(&ip6->addr) || IN6_IS_ADDR_UNSPECIFIED(&ip6->addr_ll) || MAC_IS_ZERO(mac)) return 0; -- 2.40.1

2 1

[PATCH v3 00/20] RFCv3: Proof-of-concept conversion of some tests to Avocado framework
by David Gibson 31 May '23

31 May '23

As discussed on calls, I've been investigating Avocado as a possible replacement for our hand-rolled shell test framework. This is a third draft proof-of-concept conversion of a few of the tests to the Avocado framework. Specifically, the static checkers, the build tests and the pasta transfer tests are converted. This third version completely avoids the avocado/unittest built in setUp() and tearDown() functions. Instead it uses Python's with statement and context managers. This is more Pythonic, and avoids some really cryptic multiple inheritance confusion when we want to mix and match tests with different environment setups. Promising things: * I remain happy with the speed improvement (under half the time of the equivalent old tests) * The fact that it's no longer dependent on the host network is great * I'm cautiously optimistic about the helper library making it relatively easy to add a bunch more tests with further coverage Concerning things: * Using context managers instead of setUp/tearDown significantly mitigates it, but the OO/jUnit patterns still make things uglier. Changes since RFCv2: * Remove all setUp() and tearDown() implementations * Remove the weird 'subsetup' stuff we were using along with those Changes since RFCv1: * Sweeping rework of the test library * Started using tags to split between the "real" tests (run with "make avocado") and "meta" tests (run with "make avocado-meta"). The latter are tests for the test infrastructure and helpers themselves, rather than testing anything in passt or pasta David Gibson (20): avocado: Make a duplicate copy of testsuite for comparison purposes avocado: Don't double download assets for test/ and oldtest/ avocado: Move static checkers to avocado avocado/tasst: Helper functions for executing commands in different places avocado/tasst: Type checking helpers avocado: Convert build tests to avocado avocado/tasst: Add helpers for running background commands on sites avocado/tasst: Add helper to get network interface names for a site avocado/tasst: Add helpers to run commands with nstool avocado/tasst: Add ifup and network address helpers to Site avocado/tasst: Helper for creating veth devices between namespaces avocado/tasst: Add helper for getting MTU of a network interface avocado/tasst: Add helper to wait for IP address to appear avocado/tasst: Add helpers for getting a site's routes avocado/tasst: Helpers for test transferring data between sites avocado/tasst: IP address allocation helpers avocado/tasst: Helpers for testing NDP behaviour avocado/tasst: Helpers for testing DHCP & DHCPv6 behaviour avocado/tasst: Helpers to construct a simple network environment for tests avocado: Convert basic pasta tests Makefile | 19 + avocado/.gitignore | 1 + avocado/build.py | 81 +++ avocado/pasta.py | 195 ++++++ avocado/static_checkers/clang-tidy.sh | 3 + avocado/static_checkers/cppcheck.sh | 3 + avocado/tasst/__init__.py | 22 + avocado/tasst/address.py | 89 +++ avocado/tasst/dhcp.py | 152 +++++ avocado/tasst/dhcpv6.py | 135 +++++ avocado/tasst/meta/__init__.py | 16 + avocado/tasst/meta/static_ifup.py | 59 ++ avocado/tasst/meta/veth.py | 95 +++ avocado/tasst/ndp.py | 137 +++++ avocado/tasst/nstool.py | 199 +++++++ avocado/tasst/scenario/__init__.py | 11 + avocado/tasst/scenario/simple.py | 98 +++ avocado/tasst/site.py | 226 +++++++ avocado/tasst/transfer.py | 224 +++++++ avocado/tasst/typing.py | 23 + oldtest/.gitignore | 11 + oldtest/Makefile | 119 ++++ oldtest/README.md | 137 +++++ {test => oldtest}/build/all | 0 {test => oldtest}/build/clang_tidy | 0 {test => oldtest}/build/cppcheck | 0 oldtest/ci | 1 + oldtest/demo/passt | 245 ++++++++ oldtest/demo/pasta | 274 +++++++++ oldtest/demo/podman | 819 ++++++++++++++++++++++++++ oldtest/distro/debian | 252 ++++++++ oldtest/distro/fedora | 396 +++++++++++++ oldtest/distro/opensuse | 208 +++++++ oldtest/distro/ubuntu | 216 +++++++ oldtest/env/mate-terminal.profile | 42 ++ oldtest/find-arm64-firmware.sh | 13 + oldtest/lib/context | 130 ++++ oldtest/lib/layout | 259 ++++++++ oldtest/lib/layout_ugly | 113 ++++ oldtest/lib/perf_report | 272 +++++++++ oldtest/lib/setup | 385 ++++++++++++ oldtest/lib/setup_ugly | 58 ++ oldtest/lib/term | 750 +++++++++++++++++++++++ oldtest/lib/test | 398 +++++++++++++ oldtest/lib/util | 133 +++++ oldtest/lib/video | 152 +++++ oldtest/memory/passt | 187 ++++++ oldtest/nstool.c | 565 ++++++++++++++++++ oldtest/passt.mbuto | 83 +++ oldtest/passt.mem.mbuto | 44 ++ oldtest/passt/dhcp | 70 +++ oldtest/passt/ndp | 33 ++ oldtest/passt/shutdown | 19 + oldtest/passt/tcp | 76 +++ oldtest/passt/udp | 46 ++ oldtest/passt_in_ns/icmp | 32 + oldtest/passt_in_ns/shutdown | 19 + oldtest/passt_in_ns/tcp | 256 ++++++++ oldtest/passt_in_ns/udp | 138 +++++ {test => oldtest}/pasta/dhcp | 0 {test => oldtest}/pasta/ndp | 0 {test => oldtest}/pasta/tcp | 0 {test => oldtest}/pasta/udp | 0 oldtest/pasta_options/log_to_file | 93 +++ oldtest/perf/passt_tcp | 215 +++++++ oldtest/perf/passt_udp | 165 ++++++ oldtest/perf/pasta_tcp | 300 ++++++++++ oldtest/perf/pasta_udp | 219 +++++++ oldtest/prepare-distro-img.sh | 18 + oldtest/run | 238 ++++++++ oldtest/run_demo | 1 + oldtest/two_guests/basic | 80 +++ oldtest/valgrind.supp | 9 + test/lib/layout | 31 - test/lib/setup | 47 -- test/run | 14 - 76 files changed, 10077 insertions(+), 92 deletions(-) create mode 100644 avocado/.gitignore create mode 100644 avocado/build.py create mode 100644 avocado/pasta.py create mode 100755 avocado/static_checkers/clang-tidy.sh create mode 100755 avocado/static_checkers/cppcheck.sh create mode 100644 avocado/tasst/__init__.py create mode 100644 avocado/tasst/address.py create mode 100644 avocado/tasst/dhcp.py create mode 100644 avocado/tasst/dhcpv6.py create mode 100644 avocado/tasst/meta/__init__.py create mode 100644 avocado/tasst/meta/static_ifup.py create mode 100644 avocado/tasst/meta/veth.py create mode 100644 avocado/tasst/ndp.py create mode 100644 avocado/tasst/nstool.py create mode 100644 avocado/tasst/scenario/__init__.py create mode 100644 avocado/tasst/scenario/simple.py create mode 100644 avocado/tasst/site.py create mode 100644 avocado/tasst/transfer.py create mode 100644 avocado/tasst/typing.py create mode 100644 oldtest/.gitignore create mode 100644 oldtest/Makefile create mode 100644 oldtest/README.md rename {test => oldtest}/build/all (100%) rename {test => oldtest}/build/clang_tidy (100%) rename {test => oldtest}/build/cppcheck (100%) create mode 120000 oldtest/ci create mode 100644 oldtest/demo/passt create mode 100644 oldtest/demo/pasta create mode 100644 oldtest/demo/podman create mode 100644 oldtest/distro/debian create mode 100644 oldtest/distro/fedora create mode 100644 oldtest/distro/opensuse create mode 100644 oldtest/distro/ubuntu create mode 100644 oldtest/env/mate-terminal.profile create mode 100755 oldtest/find-arm64-firmware.sh create mode 100644 oldtest/lib/context create mode 100644 oldtest/lib/layout create mode 100644 oldtest/lib/layout_ugly create mode 100755 oldtest/lib/perf_report create mode 100755 oldtest/lib/setup create mode 100755 oldtest/lib/setup_ugly create mode 100755 oldtest/lib/term create mode 100755 oldtest/lib/test create mode 100755 oldtest/lib/util create mode 100755 oldtest/lib/video create mode 100644 oldtest/memory/passt create mode 100644 oldtest/nstool.c create mode 100755 oldtest/passt.mbuto create mode 100755 oldtest/passt.mem.mbuto create mode 100644 oldtest/passt/dhcp create mode 100644 oldtest/passt/ndp create mode 100644 oldtest/passt/shutdown create mode 100644 oldtest/passt/tcp create mode 100644 oldtest/passt/udp create mode 100644 oldtest/passt_in_ns/icmp create mode 100644 oldtest/passt_in_ns/shutdown create mode 100644 oldtest/passt_in_ns/tcp create mode 100644 oldtest/passt_in_ns/udp rename {test => oldtest}/pasta/dhcp (100%) rename {test => oldtest}/pasta/ndp (100%) rename {test => oldtest}/pasta/tcp (100%) rename {test => oldtest}/pasta/udp (100%) create mode 100644 oldtest/pasta_options/log_to_file create mode 100644 oldtest/perf/passt_tcp create mode 100644 oldtest/perf/passt_udp create mode 100644 oldtest/perf/pasta_tcp create mode 100644 oldtest/perf/pasta_udp create mode 100755 oldtest/prepare-distro-img.sh create mode 100755 oldtest/run create mode 120000 oldtest/run_demo create mode 100644 oldtest/two_guests/basic create mode 100644 oldtest/valgrind.supp -- 2.40.1

1 20

[PATCH v2 00/10] Optionally copy all routes and addresses for pasta, allow gateway-less routes
by Stefano Brivio 27 May '23

27 May '23

This series, along with pseudo-related fixes, enables: - optional copy of all routes from selected interface in outer namespace, to fix the issue reported by Callum at: https://github.com/containers/podman/issues/18539 - optional copy of all addresses, mostly for consistency. It doesn't, however, enable assignment of multiple addresses in the sense requested at: https://bugs.passt.top/show_bug.cgi?id=47 because the addresses still need to be present on the host, and the "outer" address isn't selected depending on the address used inside the container - operation without a gateway address. This is related to: https://bugs.passt.top/show_bug.cgi?id=49 but Wireguard endpoints established outside the container can't be used yet as outbound interface (without the workaround reported there) for a number of reasons I'm still investigating. In any case, the correct route is now configured in the container, even without a default gateway on the corresponding host route, so we're a bit closer to support that configuration out of the box. v2: - in 3/10, repeat the netlink request once for each RTM_NEWROUTE we're going to send as part of the request: routes might depend on each other, and this is a somewhat rudimentary, but seemingly robust approach to insert all the routes we can insert, without explicitly calculating dependencies - Cc: Andrea, reporter for the issue fixed in 4/10 Stefano Brivio (10): netlink: Fix comment about response buffer size for nl_req() pasta: Improve error handling on failure to join network namespace netlink: Add functionality to copy routes from outer namespace conf: --config-net option is for pasta mode only conf, pasta: With --config-net, copy all routes by default Revert "conf: Adjust netmask on mismatch between IPv4 address/netmask and gateway" conf: Don't exit if sourced default route has no gateway netlink: Add functionality to copy addresses from outer namespace conf, pasta: With --config-net, copy all addresses by default passt.h: Fix description of pasta_ifi in struct ctx conf.c | 81 +++++++++++++++++++------------- netlink.c | 135 +++++++++++++++++++++++++++++++++++++++++------------- netlink.h | 13 ++++-- passt.1 | 25 +++++++++- passt.h | 8 +++- pasta.c | 26 +++++++---- 6 files changed, 207 insertions(+), 81 deletions(-) -- 2.39.2

2 22

[PATCH 0/2] Fixes for nstool
by David Gibson 23 May '23

23 May '23

This fixes a couple of bugs I found in nstool. I discovered these during the Avocado work, but they are bugs independent of that. David Gibson (2): test/nstool: Provide useful error if given a path that's too long test/nstool: Fix fd leak in accept() loop test/nstool.c | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) -- 2.40.1

2 3

[PATCH v2 0/3] Fix pasta-in-pasta operation (and similar)
by Stefano Brivio 23 May '23

23 May '23

When pasta spawns a command (operation without pre-existing namespace), it calls clone(2) with CLONE_NEWPID to detach the PID namespace where this command runs, but it needs to mount /proc (in a separate mount namespace), otherwise its contents are not consistent with the new PID namespace. If /proc contents are not consistent, pasta will fail to run in a user and network namespace created by another pasta instance. An alternative would be to drop CLONE_NEWPID altogether: pasta itself not a container engine, and it's not meant to provide general isolation features other than for networking aspects. This would also make testing and debugging a bit easier, as the PIDs of processes descending from pasta would be the same outside the detached namespace. However, also for testing and debugging usage itself, we would lose two advantages: the inner environment looks more observable (from inside) with CLONE_NEWPID, and we don't need to explicitly clean up the environment as pasta terminates: see the ugliness of pasta_ns_cleanup() before commit 0515adceaa8f ("passt, pasta: Namespace-based sandboxing, defer seccomp policy application"). It wasn't very robust either. Now that this part works, note that writing to the uid_map procfs entry, with 0 as domain for the map, requires (since Linux 5.12) CAP_SETFCAP in the parent process. We need this mapping to keep the behaviour consistent with what happens when we run directly from the init namespace, and to set the ping_group_range sysctl. Keep CAP_SETFCAP if we're running with UID 0 from a non-init user namespace. With this series, pasta finally runs in itself. I checked basic connectivity inside a dozen of recursively nested instances. v2: Fix size of buffer and comparison in 1/3 for ns_is_init(), address comment from David Stefano Brivio (3): util, conf: Add and use ns_is_init() helper pasta: Detach mount namespace, (re)mount procfs before spawning command isolation: Initially Keep CAP_SETFCAP if running as UID 0 in non-init conf.c | 16 +--------------- isolation.c | 17 ++++++++++++++--- pasta.c | 7 ++++++- util.c | 25 +++++++++++++++++++++++++ util.h | 2 ++ 5 files changed, 48 insertions(+), 19 deletions(-) -- 2.39.2

2 5

2023

2022

2021

dev

2023

2022

2021

dev ----- 2023 ----- June 2023 May 2023 April 2023 March 2023 February 2023 January 2023 ----- 2022 ----- December 2022 November 2022 October 2022 September 2022 August 2022 July 2022 June 2022 May 2022 April 2022 March 2022 February 2022 January 2022 ----- 2021 ----- December 2021 November 2021

dev