Commit message | Author | Age | Files | Lines

This avoids an implicit declaration.

This fixes lxc-sshd still referring to '${libdir}'.

Recent kernel headers suitable for building glibc are sufficient to
provide setns, so use that in preference to a full kernel source tree.
This is a prototype which may not be suitable on all distributions, but
which works well on recent Gentoo systems.
Conflicts:
src/lxc/Makefile.am

Instead of always checking the source path, check the source path if
mounting a directory, and the mount path if mounting a block device or
file.
Signed-off-by: Diego Elio Pettenò <flameeyes@flameeyes.eu>

The shared object versioning on the library (soname) was completely wrong,
as the ABI doesn't seem to be guaranteed between one version and the other,
so proposing all of them as .so.0 is very wrong.
Furthermore you generally want lxc-init static so that you don't have to add
(or have a compatible version of) libcap and liblxc within a container you
want to use lxc-execute with.
To solve the issue, use the good old libtool to take care of the library
building, and pass -all-static to the lxc-init linking stage.
Also drop the manual rpath handling, and leave it to libtool to manage.

(which reminds me an lxc-clone manpage still needs to be written)
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

1. fix inconsistent use of '--auth-key' (not --auth_key) which broke their
usage
2. add --debug option to lxc-ubuntu (which does set -x to show what broke)
(idea from lifeless and benji)
3. fix incorrect assumption about group with -b option. User's default group
may not be the same as username.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

We were doing the check for whether we need to watch utmp from a
thread cloned from that which will actually do the utmp watching.
As a result, the utmp file was always being watched, even if it
didn't need to be.
Move the check to the parent thread.
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/948623
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

Signed-off-by: InformatiQ <rhanna@informatiq.org>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

when using ns cgroup, use /cgroup/<init-cgroup> rather than
/cgroup/<init-cgroup>/lxc
At least lxc-start, lxc-stop, lxc-cgroup, lxc-console and lxc-ls work
with this patch. I've tested this in a 2.6.35 kernel with ns cgroup,
and in a 3.2 kernel without ns cgroup.
Note also that because of the check for container reboot support,
if we're using the ns cgroup we now end up with a /cgroup/<container>/2
cgroup created, empty, by the clone(CLONE_NEWPID). I'm really not
sure how much time we want to spend cleaning such things up since
ns cgroup is deprecated in kernel.
Signed-off-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

Signed-off-by: Daniel Lezcano <daniel.lezcano@free.fr>

Reported-by: Denny Schierz <linuxmail@4lin.net>
Signed-off-by: Daniel Lezcano <daniel.lezcano@free.fr>

Otherwise there is no clear indication to the user why the container
startup failed.
Signed-off-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

Add a macaddr if precisely one veth is specified but no hwaddr. Allow
specifying ssh authkeys. In cloud template, copy locales by default and allow
a tarball to be specified.
Signed-off-by: Ben Howard <ben.howard@canonical.com>
Signed-off-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

1. --path is meant to be passed by lxc-create, but should not be passed
in by users. Don't advertise it in --help.
2. --clean syntax ends up not making much sense. Get rid of it, and
add '--flush-cache' option instead.
Signed-off-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

The option is implied by '-d', because the admin won't see the warning
message.
Signed-off-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

Author: Stéphane Graber <stgraber@ubuntu.com>
Use ubuntu/ubuntu instead of root/root by default. Stop
removing tty[56].conf in Precise. Stop messing with dhclient.conf.
Set devttydir on Precise to /dev/lxc to allow for clean upgrades.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Signed-off-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

If set, then the console and ttys will be bind-mounted not over /dev/console,
but /dev/<ttydir>/console and then symlinked from there to /dev/console.
Signed-off-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

btrfs support from Scott Moser.
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

From Scott Moser.
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

Thanks to dlezcano for spotting this.
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

This is a new template to create containers based on the ubuntu
cloud images, rather than using debootstrap.
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

lxcguest is no longer needed, as precise should boot in a container
un-modified.
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

netstat -x sometimes spits errors to stderr like:
warning, got bogus unix line.
Shut those up as they don't help lxc-ls.
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

In order for reboot(LINUX_REBOOT_CMD_CADON) to detect whether
container reboot is supported, it must be done in a non-init
pid namespace. Fix that.
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

The 'lxc-init' (a lightweight init process used by lxc-execute in place of
upstart etc) tries to mount /dev/shm during startup. If that fails (for
instance /dev/shm does not exist) then it aborts execution and returns -1. This
is unreasonable as very few applications actually need /dev/shm.
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

Don't call it an error if a container exits without calling sys_reboot.
Particularly since that will almost always be the case with lxc-execute.
This fixes a regression introduced in commit
"49296e2ebfe7c5f9d6ebafbb54f5c5e56a0cc085: support proper container
reboot"
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

Support building a container of a foreign architecture if
qemu-user-static is installed. This is done by installing some packages
of the host architecture in the container using multi-arch.
Author: Stéphane Graber <stgraber@ubuntu.com>
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

If a container has created its own cgroups, i.e. by running libvirtd,
then if we don't delete all child cgroups, the rmdir will fail.
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

Use the correct path for the container's cgroup task file.
Also exit out early and cleanly if the container is not running,
and bind-mount /proc/$pid/net with '-n' to keep the entry out
of mtab, else the mtab entry will never go away.
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

This patch looks for Daniel's kernel patch allowing the lxc monitor
to tell container reboot from shutdown based on the exit signal. If
that patch is not there, utmp monitoring is used. Otherwise, it only
looks for the signal. Note that the 'conf->need_utmp_watch' is
technically not necessary, as there is no harm in watching the utmp
file.
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

when --lvname is given, use that for lvcreate instead of using
lxc_name, which is wrong.
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

1. Some templates copy the cached pristine rootfs using 'cp a b' where b is
$lxc_path/$name/rootfs. That doesn't do the right thing if rootfs already
exists, as it will when it is an lvm or other mount. So switch to
'rsync a/ b/'. (cp can be made to work too of course).
2. Update lxc-create to support backing stores. For now only lvm is
implemented.
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

Don't delete a running container. If it's running, abort the delete
unless a new '-f' (force) flag is given, in which case, stop it first.
Handle the case where we can't find $rootfs in config
Fix broken detection of lvm backing store
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

With this patch, I can start a container 'o1' inside another container 'o1'.
(Of course, the containers must be on a different subnet)
Detail:
1. Create cgroups for containers under /lxc.
2. Support nested lxc: respect init's cgroup:
Create cgroups under init's cgroup. So if we start a container c2
inside a container 'c1', we'll use /sys/fs/cgroup/freezer/lxc/c1/lxc/c2
instead of /sys/fs/cgroup/freezer/c2. This allows a container c1
to be created inside container c1. It also allows a container's limits
to be enforced on all a container's children (which a MAC policy could
already enforce, in which case current lxc code would be unable to nest
altogether).
3. Finally, if a container's cgroup already exists, rename it rather than
failing to start the container. Try to WARN the user so they might go
clean the old cgroup up.
Whereas without this patch, container o1's cgroup would be
/sys/fs/cgroup/<subsys>/o1,
it now becomes
/sys/fs/cgroup/<subsys>/<initcgroup>/lxc/o1
so if init is in cgroup '/' then o1's freezer cgroup would be:
/sys/fs/cgroup/freezer/lxc/o1
Changelog:
. make lxc-ps work with separate mtab. If cgroups were mounted with -n,
and mtab is not linked to /proc/self/mounts, then 'mount -t cgroup' won't
show these mounts. So make lxc-ps not use it, but rather use
/proc/self/mounts directly.
. lxc-ls in the past assumed that a container's cgroup was just '/<name>'.
Now it is '/<host-init-cgroup>/lxc/<name>'. Handle that.
. first version of this patch was setting clone_children on
<path-to-cpusets-cgroup>/<init-cgroup>/lxc, not the parent of that dir.
That failed to initialize that cgroup, so tasks could not enter it.
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

Particularly for LTS releases, which many people will want to use in
their containers, it is not wise to not use -security and -updates.
Furthermore the fix allowing ssh to allow the container to shut down
is in lucid-updates only.
With this patch, after debootstrapping a container, we add -updates
and -security to sources.list and do an apt-get upgrade under chroot.
Unfortunately we need to do this because debootstrap doesn't know how
to.
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

Thanks to Scott Moser for these, which allow qemu to run inside a container.
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

mac_admin stops the container from loading LSM policy. Neither
selinux nor apparmor currently will do well with automatic namespacing
of policy (though it's coming in apparmor, after which we can re-enable
this).
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

The issue is similar to what was fixed in commit e7eb632c for ARM:
the "configure" script errors out because it is unable to set
LINUX_SRCARCH. Fix is to add MIPS to the list.
Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

## 0001-Replace-pkglib_PROGRAMS-with-pkglibexec_PROGRAMS.patch
From 95c566740bba899acc7792c11fcdb3f4d32dcfc9 Mon Sep 17 00:00:00 2001
From: Jon Nordby <jononor@gmail.com>
Date: Fri, 10 Feb 2012 11:38:35 +0100
Subject: [PATCH] Replace pkglib_PROGRAMS with pkglibexec_PROGRAMS
Without this change, autogen.sh fails with automake 1.11.3
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

otherwise
lxc-attach will now put the process that is attached to the container into
the correct cgroups corresponding to the container, set the correct
personality and drop the privileges.
The information is extracted from entries in /proc of the init process of
the container. Note that this relies on the (reasonable) assumption that the
init process does not in fact drop additional capabilities from its bounding
set.
Additionally, 2 command line options are added to lxc-attach: One to prevent
the capabilities from being dropped and the process from being put into the
cgroup (-e, --elevated-privileges) and a second one to explicitly state the
architecture which the process will see, (-a, --arch) which defaults to the
container's current architecture.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

Since lxc-attach helper functions now have their own source file, lxc_attach is
moved from namespace.c to attach.c and is renamed to lxc_attach_to_ns,
because that better reflects what the function does (attaching to a
container can also contain the setting of the process's personality, adding
it to the corresponding cgroups and dropping specific capabilities).
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

The following helper functions for lxc-attach are added to a new file
attach.c:
- lxc_proc_get_context_info: Get cgroup memberships, personality and
capability bounding set from /proc for a given process.
- lxc_proc_free_context_info: Free the data structure responsible
- lxc_attach_proc_to_cgroups: Add the process specified by the pid
parameter to the cgroups given by the ctx parameter.
- lxc_attach_drop_privs: Drop capabilities to the capability mask given in
the ctx parameter.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
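As an added illustration of what the lxc-attach helpers above read, and not code from LXC itself: the functions below parse /proc/<pid>/status (the CapBnd line) and /proc/<pid>/cgroup text the way lxc_proc_get_context_info does for the container's init, and check that a capability mask stays within init's bounding set, which is the property the "init does not drop capabilities from its bounding set" assumption and lxc_attach_drop_privs rely on. The function names and the sample /proc contents are constructed for this example.

```c
/* Added example, not LXC's own code: parse the two /proc files the lxc-attach
 * helpers read for a container's init and check a capability mask against it. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed /proc/<pid>/status excerpt; the hex CapBnd line is what we want. */
static const char *sample_status =
    "Name:\tinit\nPid:\t1234\nCapBnd:\t0000001fffffffff\n";
/* Constructed /proc/<pid>/cgroup in the nested v1 layout the log above describes. */
static const char *sample_cgroup =
    "3:freezer:/lxc/c1\n2:cpuset:/lxc/c1\n1:memory:/\n";

/* Capability bounding set of the process: 1 and *bnd set, or 0 if no CapBnd line. */
int parse_cap_bnd(const char *status, uint64_t *bnd)
{
    const char *l = status;
    while (l && *l) {
        if (strncmp(l, "CapBnd:", 7) == 0) {
            *bnd = strtoull(l + 7, NULL, 16);   /* /proc prints the mask in hex */
            return 1;
        }
        l = strchr(l, '\n');
        if (l) l++;
    }
    return 0;
}

/* Cgroup path of one subsystem; copies it to out, 1 if found, 0 if absent or too long. */
int cgroup_path_for(const char *cgroup, const char *subsys, char *out, size_t outlen)
{
    char name[64], path[256];
    const char *l = cgroup;
    while (l && *l) {
        /* each line is "<hierarchy-id>:<subsystem>:<path>" */
        if (sscanf(l, "%*d:%63[^:]:%255[^\n]", name, path) == 2 &&
            strcmp(name, subsys) == 0) {
            if (strlen(path) >= outlen) return 0;  /* refuse to truncate the path */
            strcpy(out, path);
            return 1;
        }
        l = strchr(l, '\n');
        if (l) l++;
    }
    return 0;
}

/* A process attached into the container must not hold caps outside init's bounding set. */
int caps_within_bounding_set(uint64_t caps, uint64_t bnd) { return (caps & ~bnd) == 0; }
```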