lxc-ls nowadays is a C binary so there's no need to keep the python and
shell versions around anymore, remove them from the branch and cleanup
documentation and Makefiles.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Commit ea4679694 replaced the python implementation with a
C one.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Explain that multiple /lower layers can be used.
Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
- explain new numeric argument to --nesting
- include common options as lxc-ls now uses the standard lxc parser
- add history section and update authors
Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Should be mentioned separately because it will reset a big group of options.
Signed-off-by: Marko Hauptvogel <marko.hauptvogel@googlemail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
More general for all list options.
Seems to currently affect:
lxc.network (clear all NICs)
lxc.network.* (clear current NIC)
lxc.cap.drop
lxc.cap.keep
lxc.cgroup
lxc.mount.entry
lxc.mount.auto
lxc.hook
lxc.id_map
lxc.group
lxc.environment
Signed-off-by: Marko Hauptvogel <marko.hauptvogel@googlemail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
* Add long options if not be written
* Remove optional tags in OPTIONS section
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
If manual mounting with elevated permissions is required
this can currently only be done in pre-start hooks or before
starting LXC. In both cases the mounts would appear in the
host's namespace.
With this flag the namespace is unshared before the startup
sequence, so that mounts performed in the pre-start hook
don't show up on the host.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
When a container starts up, lxc sets up the container's inital fstree
by doing a bunch of mounting, guided by the container configuration
file. The container config is owned by the admin or user on the host,
so we do not try to guard against bad entries. However, since the
mount target is in the container, it's possible that the container admin
could divert the mount with symbolic links. This could bypass proper
container startup (i.e. confinement of a root-owned container by the
restrictive apparmor policy, by diverting the required write to
/proc/self/attr/current), or bypass the (path-based) apparmor policy
by diverting, say, /proc to /mnt in the container.
To prevent this,
1. do not allow mounts to paths containing symbolic links
2. do not allow bind mounts from relative paths containing symbolic
links.
Details:
Define safe_mount which ensures that the container has not inserted any
symbolic links into any mount targets for mounts to be done during
container setup.
The host's mount path may contain symbolic links. As it is under the
control of the administrator, that's ok. So safe_mount begins the check
for symbolic links after the rootfs->mount, by opening that directory.
It opens each directory along the path using openat() relative to the
parent directory using O_NOFOLLOW. When the target is reached, it
mounts onto /proc/self/fd/<targetfd>.
Use safe_mount() in mount_entry(), when mounting container proc,
and when needed. In particular, safe_mount() need not be used in
any case where:
1. the mount is done in the container's namespace
2. the mount is for the container's rootfs
3. the mount is relative to a tmpfs or proc/sysfs which we have
just safe_mount()ed ourselves
Since we were using proc/net as a temporary placeholder for /proc/sys/net
during container startup, and proc/net is a symbolic link, use proc/tty
instead.
Update the lxc.container.conf manpage with details about the new
restrictions.
Finally, add a testcase to test some symbolic link possibilities.
Reported-by: Roman Fiedler
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Add the description of optional, create=file/dir for lxc.mount.entry.
This is update for commit f5b67b3.
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
LXC now uses lxc.cgroup.use even when cgmanager is used.
So remove the description for the case of using cgmanager.
And add the case of not specifying it.
This commit only updates en and ja man pages.
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
lxc-ls takes -P lxcpath and --version as arguments but it did not specify these
options on the manpages.
Signed-off-by: Christian Brauner <christianvanbrauner@gmail.com>
Update for commit 1940bff, and fix typo in English man
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Add the description about displaying the value of wait delays for -L
option
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Also fix some indentation and improve translation.
Update for commit 936762f
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Also fix some minor indentation mishaps since we're here.
Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
At the commit 18aa217, the snapshot dir was moved to /var/lib/lxc/c/snaps.
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
- Implements mixed mode for /sys where it's mounted read-only but with
/sys/devices/virtual/net/ writable.
- Sets lxc.mount.auto to "cgroup:mixed proc:mixed sys:mixed" for all
templates.
- Drop any template-specific mount for /proc, /sys or /sys/fs/cgroup.
- Get rid of the fstab file by default, using lxc.mount.entry instead.
- Set sys:mixed as the default for "sys". sys:mixed is slightly more
permissive than sys:ro so this shouldn't be a problem.
The read-only bind mount of /sys on top of itself is there so that
mountall and other init systems don't attempt to remount /sys
read-write.
v2 changes:
- Fix the mount list, don't specify a source for the remount.
- Update the documentation.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
It's now been proven over and over again that the symlink from /dev/kmsg
to /dev/console is harmful for everything but upstart systems. As Ubuntu
is now switching over to systemd too, lets switch the default.
Upstart users wishing to see boot messages can always set lxc.kmsg = 1
manually in their config (so long as they don't expect to then
dist-upgrade the container to systemd succesfuly).
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Now that autodev works fine with unprivileged containers and shouldn't
come with any side effect, lets turn it on by default.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
* fix "reg" to "req" in English (fix for commit b8683fe)
* change "opt" to "req" in Japanese
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
- keep but rename the lua version as an example of how to use the lua API
- got rid of the fairly useless --max argument
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This idea came from Andy Lutomirski. Instead of using a
temporary directory for the pivot_root put-old, use "." both
for new-root and old-root. Then fchdir into the old root
temporarily in order to unmount the old-root, and finally
chdir back into our '/'.
Drop lxc.pivotdir from the lxc.container.conf manpage.
Warn when we see a lxc.pivotdir entry (but keep it in the
lxc.conf for now).
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This patch adds support for checkpointing and restoring containers via CRIU.
It adds two api calls, ->checkpoint and ->restore, which are wrappers around
the CRIU CLI. CRIU has an RPC API, but reasons for preferring exec() are
discussed in [1].
To checkpoint, users specify a directory to dump the container metadata (CRIU
dump files, plus some additional information about veth pairs and which
bridges they are attached to) into this directory. On restore, this
information is read out of the directory, a CRIU command line is constructed,
and CRIU is exec()d. CRIU uses the lxc-restore-net callback (which in turn
inspects the image directory with the NIC data) to properly restore the
network.
This will only work with the current git master of CRIU; anything as of
a152c843 should work. There is a known bug where containers which have been
restored cannot be checkpointed [2].
[1]: http://lists.openvz.org/pipermail/criu/2014-July/015117.html
[2]: http://lists.openvz.org/pipermail/criu/2014-August/015876.html
v2: fixed some problems with the s/int/bool return code form api function
v3: added a testcase, fixed up the man page synopsis
v4: fix a small typo in lxc-test-checkpoint-restore
v5: remove a reference to the old CRIU_PATH, and a bad error about the same
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
v2: add get_config_item
clear_config_item is not supported, as it isn't for lxc.console, bc
you can do 'lxc.console.logfile =' to clear it. Likewise save_config
is not needed because the config is now just written through the
unexpanded char*.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
The virtd_lxc_t type provided by the default RHEL/CentOS/Oracle 6.5
policy is an unconfined_domain(), so it doesn't really enforce anything.
This change will provide a link in the documentation to an example
policy that does confine containers.
On more recent distributions with new enough policy, it is recommended
not to use this sample policy, but to use the types already available
on the system from /etc/selinux/targeted/contexts/lxc_contexts, ie:
process = "system_u:system_r:svirt_lxc_net_t:s0"
file = "system_u:object_r:svirt_sandbox_file_t:s0"
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
It's quite useful to be able to configure containers by specifying
environment variables, which init (or initscripts) can use to adjust the
container's operation.
This patch adds one new configuration parameter, `lxc.environment`, which
can be specified zero or more times to define env vars to set in the
container, like this:
lxc.environment = APP_ENV=production
lxc.environment = SYSLOG_SERVER=192.0.2.42
lxc.environment = SOMETHING_FUNNY=platypus
Default operation is unchanged; if the user doesn't specify any
lxc.environment parameters, the container environment will be what it is
today ('container=lxc').
Signed-off-by: Matt Palmer <mpalmer@hezmatt.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Introduce a new -F option (no-op for now) as an opposite of -d.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
veth.pair is ignore for unprivileged containers as allowing an
unprivileged user to set a specific device name would allow them to
trigger actions in tools like NetworkManager or other uevent based
handlers that may react based on specific names or prefixes being used.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Commit 1fb86a7c introduced a way to drop capabilities without having to
specify them all explicitly. Unfortunately, there is no way to drop them
all, as just specifying an empty keep list, ie:
lxc.cap.keep =
clears the keep list, causing no capabilities to be dropped.
This change allows a special value "none" to be given, which will clear
all keep capabilities parsed up to this point. If the last parsed value
is none, all capabilities will be dropped.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Originally we kept snapshots under /var/lib/lxcsnaps. If a
separate btrfs is mounted at /var/lib/lxc, then we can't
make btrfs snapshots under /var/lib/lxcsnaps.
This patch moves the default directory to /var/lib/lxc/c/snaps.
If /var/lib/lxcsnaps already exists, then we continue to use that.
add c->destroy_with_snapshots() and c->snapshot_destroy_all()
API methods. c->snashot_destroy_all() can be triggered from
lxc-snapshot using '-d ALL'. There is no command to call
c->destroy_with_snapshots(c) as of yet.
lxclock: use ".$lxcname" for container lock files
that way we can use /run/lock/lxc/$lxcpath/$lxcname/snaps as a
directory when locking snapshots without having to worry about
/run/lock//lxc/$lxcpath/$lxcname being a file.
destroy: split off a container_destroy
container_destroy() doesn't check for snapshots, so snapshot_rename can
use it. api_destroy() now does check for snapshots (previously it only
checked for fs - i.e. overlayfs/aufs - snapshots).
Add destroy to the manpage, as it was previously undocumented.
Update snapshot testcase accordingly.
[ rebased in the face of commits 840f05df and 7e36f87e. ]
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: S.Çağlar Onur <caglar@10ur.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This adds new functionality to lxc-autostart.
*) The -g / --groups option is multiple cummulative entry.
This may be mixed freely with the previous comma separated
group list convention. Groups are processed in the
order they first appear in the aggregated group list.
*) The NULL group may be specified in the group list using either a
leading comma, a trailing comma, or an embedded comma.
*) Booting proceeds in order of the groups specified on the command line
then ordered by lxc.start.order and name collalating sequence.
*) Default host bootup is now specified as "-g onboot," meaning that first
the "onboot" group is booted and then any remaining enabled
containers in the NULL group are booted.
*) Adds documentation to lxc-autostart for -g processing order and
combinations.
*) Parameterizes bootgroups, options, and shutdown delay in init scripts
and services.
*) Update the various init scripts to use lxc-autostart in a similar way.
Reported-by: CDR <venefax@gmail.com>
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
For years it has been best practice to use a relative path as
the mount target. But the manpage hasn't reflect that. Fix it.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Dwight Engen <dwight.engen@oracle.com>
If the user specifies cgroup or cgroup-full without a specifier (:ro,
:rw or :mixed), this changes the behavior. Previously, these were
simple aliases for the :mixed variants; now they depend on whether the
container also has CAP_SYS_ADMIN; if it does they resolve to the :rw
variants, if it doesn't to the :mixed variants (as before).
If a container has CAP_SYS_ADMIN privileges, any filesystem can be
remounted read-write from within, so initially mounting the cgroup
filesystems partially read-only as a default creates a false sense of
security. It is better to default to full read-write mounts to show the
administrator what keeping CAP_SYS_ADMIN entails.
If an administrator really wants both CAP_SYS_ADMIN and the :mixed
variant of cgroup or cgroup-full automatic mounts, they can still
specify that explicitly; this commit just changes the default without
specifier.
Signed-off-by: Christian Seiler <christian@iwakd.de>
Cc: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Ubuntu containers have had trouble with automatic cgroup mounting that
was not read-write (i.e. lxc.mount.auto = cgroup{,-full}:{ro,mixed}) in
containers without CAP_SYS_ADMIN. Ubuntu's mountall program reads
/lib/init/fstab, which contains an entry for /sys/fs/cgroup. Since
there is no ro option specified for that filesystem, mountall will try
to remount it readwrite if it is already mounted. Without
CAP_SYS_ADMIN, that fails and mountall will interrupt boot and wait for
user input on whether to proceed anyway or to manually fix it,
effectively hanging container bootup.
This patch makes sure that /sys/fs/cgroup is always a readwrite tmpfs,
but that the actual cgroup hierarchy paths (/sys/fs/cgroup/$subsystem)
are readonly if :ro or :mixed is used. This still has the desired
effect within the container (no cgroup escalation possible and programs
get errors if they try to do so anyway), while keeping Ubuntu
containers happy.
Signed-off-by: Christian Seiler <christian@iwakd.de>
Cc: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
This introduces a new -g/--group argument to filter containers based on
their groups.
This supports the rather obvious: --group blah
Which will only list containers that are in group blah.
It may also be passed multiple times: --group blah --group bleh
Which will list containers that are in either (or both) blah or bleh.
And it also takes: --group blah,bleh --group doh
Which will list containers that are either in BOTH blah and bleh or in doh.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Michael H. Warfield <mhw@WittsEnd.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This only converts punctuation marks from FULLWIDTH COMMA/FULL STOP to
IDEOGRAPHIC COMMA/FULL STOP in Japanese man pages. The contents of man
pages do not change at all.
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
In the body of the manpage, replace a few errant 'fssize's with the
more appropriate word.
Reported-by: MegaBrutal <megabrutal@megabrutal.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
In this patch I tried to stick with each file's coding style, however I
think we should probably change that. Every main() should always not
return and only exit; they should always return EXIT_SUCCESS or EXIT_FAILURE
with the only exceptions being cases where we are returning a child's
exit status (lxc_execute, lxc_attach, lxc_init).
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
It's often been reported that the behavior of lxc-create without -t is a
bit confusing. This change makes lxc-create require the --template
option and introduces a new "none" special value which when set will
fallback to the old template-less behavior.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Instead of maintaining hardcoded lists, point everyone to --help and
have the current list of valid and default fields printed there.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
When passed, this flag will cause lxc-autostart to ignore the value of
lxc.start.auto.
This then allows things like: lxc-autostart -s -a -A
Which will select all containers regardless of groups (-a), regardless
of whether they are actually marked as auto-started (-A) and will shut
them down (-s).
Update our init scripts to use the new feature.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
- Update Japanese man for commit a7c27357b3, seccomp v2
- Fix typo in English man
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Update lxc-clone(1) and lxc-snapshot(1) for commit 1f92162dc0
and improve some translations
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This is pretty much copy/paste from overlayfs.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This introduces a new lxc.rootfs.options which lets you pass new
mountflags/mountdata when mounting the root filesystem.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
lxc-ps and lxc-netstat have an unfortunate tendency to break every so
often, produce mostly unreadable output and should be replaced by a
lxc-attach call in 99% of the cases.
In an effort to cleanup the lxc-* namespace, I think those two should
go, so this patch gets rid of them as well as any reference to them in
our documentation.
I also think that lxc-version should disappear as it's only a one line
shell script printing the version string, so having a whole command just
for that seems to be a bit of a waste.
Instead, this patch introduces a new --version common option which all
binaries will automatically inherit and that'll print LXC_VERSION on
stdout and exit 0.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Checkpoint/restart isn't currently supported, so let's not carry those
binaries around until we have proper CRIU support in the API.
lxc-kill is redundant with lxc-stop -k and has been known to confuse user.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
lxc_unshare now takes one or more '-i interfacename' arguments which
will move the named interfaces into the created container.
lxc_unshare now takes -M argument which will cause the standard mounts
(/proc /dev/shm /dev/mqueue) to be auto-mounted inside container.
lxc_unshare now takes '-H hostname' argument to automatically set
the hostname in the container.
lxc_unshare now takes -D argument to automatically daemonize and detach
from the created container, instead of waiting for the container to exit
Signed-off-by: Seth Robertson <srobertson@appcomsci.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
* Update Japanese lxc.conf(5) for commit 508c263ee6
* Remove duplicate line in English lxc.conf(5)
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
By setting lxc.network.hwaddr to something like fe:xx:xx:xx:xx:xx each
"x" will be replaced by a random value. If less significant bit of
first byte is "templated", it will be set to 0.
This change introduce also a common randinit() function that could be
used to initialize random generator.
Signed-off-by: gza <lxc@zitta.fr>
Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Since previously I had found a config item that wasn't being propagated
by lxc-clone, I went through all the config items and made sure that:
a) Each item is documented in lxc.conf
b) Each item is written out by write_config
The only one that isn't is lxc.include, which by its nature only pulls
in other config item types.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
The old version of lxc-ls is the wrapper of ls(1). But now it is
python script, so "see also ls(1)" is not needed.
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
- use this in the busybox template since busybox's init expects
to receive SIGUSR1 to halt
- fix lxc.stopsignal to be output by write_config so lxcapi_clone()
and lxcapi_save_config() will output it
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This makes the arguments between lxc-stop and lxc-autostart more
consistent, so that --shutdown doesn't have two different meanings.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
* lxc-attach(1): Update to the status of kernel 3.8 or higher
* lxc-create(1), lxc-destroy(1): Now lxc-ls don't have "-l" option, so remove
* lxc(7): update description of lxc-ls and lxc-info to current version
* see-also: fix lxc(1) to lxc(7)
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
It is desirable to have a mode where a soft shutdown is requested,
but then do a hard shutdown if after some time period the container
has not shut down. This the default behaviour of lxc-stop, but is
not currently possible with lxc-autostart. This change makes this
the default behaviour when shutdown is specified to lxc-autostart.
This will be very useful for init scripts.
An indefinte wait for soft shutdown (though I'm not sure how that
would be useful) is still possible by passing a timeout of 0.
Change default timeout value to 60 seconds to match lxc-stop
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
* Improve Japanese translation
* Fix mis-translation
* Insert linefeed between paragraph, because some paragraph is too
long, so sometimes git send-email could not use.
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Commit 5444216 revised -n option from allowing to specify multiple
containers using regex to specifying only one container. But
lxc-info(1) remains original. so
- mark -n required
- remove the description of -n that is included in common options
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
A timeout means wait this long before killing the container.
-s means don't kill the container. timeout defaults to 60
seconds. So if a shutdown is requested, then set timeout to
0.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
This introduces a new lxc-autostart binary (and associated manpage)
which will let you start/shutdown/kill/restart any container that's
marked as lxc.start.auto=1. It respects the lxc.start.delay value,
sorts by lxc.start.order and filters by lxc.group.
By default it'll affect all containers that DO NOT have lxc.group
set. If -g is specified, ONLY containers in those group will be
affected. To have a command applied to all containers, the -a
argument can be used.
A -L flag is also offered for distributions wishing to start the
containers themselves while still using LXC's calculated order and
wait delays. Instead of performing the action, it'll print the container
name and (if relevant for the action) the wait time.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
First patch in the set of changes required for container autostart.
This commit adds the new configuration keys and parsers that will then
be used by lxc-start and lxc-stop.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Dwight Engen <dwight.engen@oracle.com>
If the system gets into a bad state, it may become impossible to get
the lxc container locks. We should still be able to stop containers
in that case. Add a -L/--nolock option to specify this behavior.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Once lxc-monitord receives a quit request from lxc-monitor, it will then
return from the mainloop every time an event occurs on any of its fds and
check if it has any clients left. When there are no more it exits. This
allows lxc-monitord to quit immediately instead of waiting the normal 30
seconds for more clients, potentially freeing up lxcpath for unmounting.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
There are scenarios in which we want to execute process with specific
privileges elevated.
An example for this might be executing a process inside the container
securely, with capabilities dropped, but not in container's cgroup so
that we can have per process restrictions inside single container.
Similar to namespaces, privileges to be elevated can be OR'd:
lxc-attach --elevated-privileges='CAP|CGROUP' ...
Backward compatibility with previous versions is retained. In case no
privileges are specified behaviour is the same as before: all of them
are elevated.
Signed-off-by: Nikola Kotur <kotnick@gmail.com>
Acked-By: Christian Seiler <christian@iwakd.de>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
So this implements the changes we discussed yesterday:
- Only one container may be queried at the time
- -n is now required once again
- -H + a single filter only returns the value
- -t/--is-state is now removed
Note that -S is considered as more than a single filter, so -H in that
case only affects the formatting of the values.
For the same reason, I haven't yet implemented the -H + multiple filters
case which we said should return a simple "key: value" output as it
wasn't trivial to re-arrange the stats code to print a different format
(for the other options, it's just a two lines change in the print
functions).
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Dwight Engen <dwight.engen@oracle.com>
- allow lxc-info to show more than one container, using regex for the name
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Will fallback to no thinpool if not present or if thin pool provided on the command line does not exist.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Change the location of linefeed for improving to be read lxc.conf(5) in
Japanese environment.
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
These need to be in the dist tarball even if the host packaging system
doesn't have docbook2x, otherwise configure will fail to find them. Also,
the build system may have docbook2x, even if the packaging system does not.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
docbook2man picks up some errors that docbook2x does not, fixing them
isn't harmful to docbook2x. The only real change is adding <para> and
<citerefentry> tags.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
* sync current English man pages on master branch
* delete lxc-shutdown.sgml.in
* add lxc-snapshot.sgml.in
* update FSF address (same as 250b1eec71)
* remove trailing whitespaces in legacy/lxc-ls.sgml.in (same as 8900b9eb25)
This adds a new -i flag to lxc-info to print the container's IP
addresses using get_ips().
Example:
$ lxc-info -n lxc-dev -s -p -i
state: RUNNING
pid: 21331
ip: 10.0.3.165
ip: 2607:f2c0:f00f:2751:e9ca:842f:efa9:97d1
ip: 2607:f2c0:f00f:2751:216:3eff:fe3a:f1c1
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Currently, a maximum of one LSM within LXC will be initialized and
used. If in the future stacked LSMs become a reality, we can support it
without changing the configuration syntax and add support for more than
a single LSM at a time to the lsm code.
Generic LXC code should note that lsm_process_label_set() will take
effect "now" for AppArmor, and upon exec() for SELinux.
- fix Oracle template mounting of proc and sysfs, needed when using SELinux
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Character encoding of Japanese man pages is UTF-8. But docbook-utils
can't treat it (and don't have --encoding option that use in
Makefile). So change to Japanese man pages is not generated when
docbook-utils is used.
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
The lxc configuration file currently supports 'lxc.cap.drop', a list of
capabilities to be dropped (using the bounding set) from the container.
The problem with this is that over time new capabilities are added. So
an older container configuration file may, over time, become insecure.
Walter has in the past suggested replacing lxc.cap.drop with
lxc.cap.preserve, which would have the inverse sense - any capabilities
in that set would be kept, any others would be dropped.
Realistically both have the same problem - the sendmail capabilities
bug proved that running code with unexpectedly dropped privilege can be
dangerous. This patch gives the admin a choice: You can use either
lxc.cap.keep or lxc.cap.drop, not both.
Both continue to be ignored if a user namespace is in use.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
This hook script updates the hostname in various files under /etc in the
cloned container. In order to do so, the old container name is passed in
the LXC_SRC_NAME environment variable.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Add a higher level console API that opens a tty/console and runs the
mainloop as well. Rename existing API to console_getfd(). Use these in
the python binding.
Allow attaching a console peer after container bootup, including if the
container was launched with -d. This is made possible by allocation of a
"proxy" pty as the peer when the console is attached to.
Improve handling of SIGWINCH, the pty size will be correctly set at the
beginning of a session and future changes when using the lxc_console() API
will be propagated to it as well.
Refactor some common code between lxc_console.c and console.c. The variable
wait4q (renamed to saw_escape) was static, making the mainloop callback not
safe across threads. This wasn't a problem when the callback was in the
non-threaded lxc-console, but now that it is internal to console.c, we have
to take care of it. This is now contained in a per-tty state structure.
Don't attempt to open /dev/null as the console peer since /dev/null cannot
be added to the mainloop (epoll_ctl() fails with EPERM). This isn't needed
to get the console setup (and the log to work) since the case of not having
a peer at console init time has to be handled to allow for attaching to it
later.
Move signalfd libc wrapper/replacement to utils.h.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Create a loopfile backed container by doing:
lxc-create -B loop -t template -n name
or
lxc-clone -B loop -o dir1 -n loop1
The rootfs in the configuration file will be
loop:/var/lib/lxc/loop1/rootdev
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
implement c->reboot(c) in the api.
Also if the container is not running, return -2. Currently
lxc-stop will return 0, so you cannot tell the difference
between successfull stopping and noop.
Per stgraber's email:
- Remove lxc-shutdown
- Change lxc-stop so that:
* Default behaviour is to call shutdown(), wait 15s for STOPPED, if
not STOPPED, print a message to the user and call stop() [ NOTE:
actually 60 seconds per followup thread]
* We have a -r option to reboot the container (with proper check that
the container indeed rebooted within the next 15s)
* We have a -s option to shutdown the container without the automatic
fallback to stop()
* Add a -k option allowing a user to just kill a container
(equivalent to old lxc-stop, no shutdown() call and no delay).
and update manpages.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
1. commonize waitpid users to use a single helper. We frequently want
to run something in a clean namespace, or fork off a script. This
lets us keep the function doing fork:(1)exec(2)waitpid simpler.
2. start a blockdev backend implementation. This will be used for
mounting, copying, and snapshotting container filesystems.
3. implement btrfs, lvm, directory, and overlayfs backends.
4. For overlayfs, support a new lxc.rootfs format of
'bdevtype:<extra>'. This means you can now use overlayfs-based
containers without using lxc-start-ephemeral, by using
lxc.rootfs = overlayfs:/readonly-dir:writeable-dir
5. add a set of simple clone testcases
6. Write a new lxc_clone.c based on api clone.
Still to do (there's more, but off top of my head):
1. support zfs, aufs
2. have clone handle other mount entries (right now it only clones
the rootfs)
3. python, lua, and go bindings (not me :)
4. lxc-destroy: if lvm backing store, check for snapshots of it.
(what about directories which have overlayfs clones?)
Changes since v2:
Initialize random generator when picking new macaddr (reported
by caglar@10ur.org)
Fix wrong use of bitmask flags
On copy-clone of btrfs, create a subvolume
lxc_clone.c: respect the command line usage of the old script
lxc-clone(1): update documentation
Refuse to try changing backing stores expect to overlayfs, as
it is not implemented (yet) anyway.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Conflicts:
src/lxc/utils.h
Commit 69fe23ff added checking for the older docbook2man back into
configure, but this breaks building the docs on at least Oracle Linux and
Fedora when docbook2X is not installed as docbook2man will be found but the
docs don't actually build with that tool.
This change makes it so the docs can be built with either the older
docbook2man or the newer 2X tools by using configure to set the dtd
string to an appropriate value depending on use of docbook2man or
db2x_docbook2man.
Also fixed a small error in lxc-destroy.sgml.in that was noticed
by the old tools.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
This adds a reference to capabilities(7) to the lxc.conf manpage.
Signed-off-by: Tomáš Pospíšek <tpo_deb@sourcepole.ch>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This fixes a long standing issue that there could only be a single
lxc-monitor per container.
With this change, a new lxc-monitord daemon is spawned the first time
lxc-monitor is called against the container and will accept connections
from any subsequent lxc-monitor.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This patch introduces the --clear-env and --keep-env options for
lxc-attach, that allows the user to specify whether the environment
should be passed on inside the container or not.
This is to be expanded upon in later versions, this patch only
introduces the most basic functionality.
Signed-off-by: Christian Seiler <christian@iwakd.de>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This patch fixes a small typo in the man page.
Signed-off-by: Matthias Brugger <matthias.bgg@gmail.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This is mostly to make debuild happy as it doesn't tolerate any
leftover file when building twice in a row.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
I recently noticed that the generated tarballs with "make dist"
were incomplete unless the configure script was run on a machine
with all possible build dependencies.
That's wrong as you clearly don't need those dependencies to generate
the tarball. This change fixes that.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
I remember discussion about implementing proper way to shutdown
guests using different signals, so here's a patch proposal.
It allows to use specific signal numbers to shutdown guests
gracefully, for example SIGRTMIN+4 starts poweroff.target in
systemd.
Signed-off-by: Alexander Vladimirov <alexander.idkfa.vladimirov@gmail.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
The id ordering and case of u,g is also consistent with uidmapshift,
reducing confusion.
doc: Moved example to the the EXAMPLES section, and used values
corresponding to the defaults in the pending shadow-utils subuid patch.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Add initial support for showing and querying nested containers.
This is done through a new --nesting argument to lxc-ls and uses
lxc-attach to go look for sub-containers.
Known limitations include the dependency on setns support for the PID
and NETWORK namespaces and the assumption that LXCPATH for the sub-containers
matches that of the host.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Allow for an additional --host parameter to lxc-ps hiding all processes running
in containers.
Signed-off-by: Guido Jäkel <G.Jaekel@dnb.de>
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
For the lxc-* C binaries, introduce a -P|--lxcpath command line option
to override the system default.
With this, I can
lxc-create -t ubuntu -n r1
lxc-create -t ubuntu -n r1 -P /home/ubuntu/lxcbase
lxc-start -n r1 -d
lxc-start -n r1 -d -P /home/ubuntu/lxcbase
lxc-console -n r1 -d -P /home/ubuntu/lxcbase
lxc-stop -n r1
all working with the right containers (module cgroup stuff).
To do:
* lxc monitor needs to be made to handle cgroups.
This is another very invasive one. I started doing this as
a part of this set, but that gets hairy, so I'm sending this
separately. Note that lxc-wait and lxc-monitor don't work
without this, and there may be niggles in what I said works
above - since start.c is doing lxc_monitor_send_state etc
to the shared abstract unix domain socket.
* Need to handle the cgroup conflicts.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Also fix some tabs-as-spaces in lxc_unshare.c itself.
lxc-unshare: run usage() on '-h'
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
And doing so pointed out a bug in lxc-clone itself - it claims
default fssize is 2G. It's not.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
The lua binding is based closely on the python binding. Also included are
a test program for excercising the binding, and an lxc-top utility for
showing statistics on running containers.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
The 3.8 kernel now supporst uid mappings, so I believe it's appropriate
to proceed with this patchset.
The container config supports new entries of the form:
lxc.id_map = U 100000 0 10000
lxc.id_map = G 100000 0 10000
meaning map 'virtual' uids (in the container) 0-10000 to uids
100000-110000 on the host, and same for gids. So long as there are
mappings specified in the container config, then CONFIG_NEWUSER will
be used when the container is cloned. This means that container
setup is no longer done with root privilege on the host, only root
privilege in the container. Therefore cgroup setup is moved from the
init task to the monitor task.
To use this patchset, you currently need to either use the raring
kernel at ppa:serge-hallyn/usern-natty, or build your own kernel
from either git://kernel.ubuntu.com/serge/quantal-userns.git.
(Alternatively you can use Eric's tree at the latest userns-always-map-*
branch at
git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace.git
but you will likely want to at least enable tmpfs mounts in user namespaces)
You also need to chown the files in the container rootfs into the
mapped range. There is a utility at
https://code.launchpad.net/~serge-hallyn/+junk/nsexec to do this.
uidmapshift does the chowning, while the container-userns-convert
script nicely wraps that program. So I simply
sudo lxc-create -t ubuntu -n r1
sudo container-userns-convert r1 200000
will create a container which is shifted so uid 0 in the container
is uid 200000 on the host.
TODO: when doing setuid(0), need to only do that if 0 is one of the
ids we map to. Similarly, when dropping capabilities, need to only
not do that if 0 is one of the ids we map to. However, the question
of what to do for 'weird' containers in private user namespaces is
one I'm punting for later.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Ok... Here's the patch again. Since Serge is removing the loglevel
structure member, this patch no longer references that element.
From the original description:
1) Removes run_makedev() and the call to it from conf.c per discussion.
2) Adds an lxc.hook.autodev hook.
Note: This hook is very close (one routine level abstracted) from where
the run_makedev was called. Anyone really rrreeeaaalllyyy needing
MAKEDEV can add it in with a small shim script to do whatever they want
under whatever distro they're using, so no functionality is lost there.
3) Added a number of environment variables for all the hook scripts to
reference to assist in execution. Things like LXC_ROOTFS_MOUNT could be
very useful but others were added as well. Room for more if anyone has
an itch. All in one spot in lxc_start.c.
4) clearenv and putenv( "container=lxc" ) calls were moved to just after
the "start" hook in the container just prior to actually firing up the
container so we could use environment variables prior to that and have
them flushed them before firing up init. Nice side effect is that you
can define environment variables and then call lxc-start and have them
show up in those hooks scripts.
5) I actually DID update the man page for lxc.conf! I guess I lied when
I said I wouldn't get that done.
[... and ...]
I added the rcfile to the lxc_conf structure as suggested and moved the
setenv bundle from lxc-start.c over to start.c just prior to calling
run_lxc_hooks for the pre-start hook.
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
lxc-start -c makes the named file/device the container's console, but using
this with a regular file in order to get a log of the console output does
not work very well if you also want to login on the console. This change
implements an additional option (-L) to simply log the console's output to
a file.
Both options can be used separately or together. For example to get a usable
console and log: lxc-start -n name -c /dev/tty8 -L console.log
The console state is cleaned up more when lxc_delete_console is called, and
some of the clean up paths in lxc_create_console were fixed.
The lxc_priv and lxc_unpriv macros were modified to make use of gcc's local
label feature so they can be expanded more than once in the same function.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Re-introduce the old lxc-ls script and manpage under a new legacy
sub-directory.
Those will be installed in place of their python equivalent when LXC
is built without --enable-python.
Any other script ported to python should be added to those lists.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This rewrite is mostly compatible with the shell version.
--active and -1 still work and behave as they used to.
This adds --running, --stopped and --frozen as state filters.
A new "fancy" view is also implemented (can be used with --fancy) and
will show containers in a column-based interface with the following fields:
- name
- state
- ipv4
- ipv6
- pid of init
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Add a container config option to mount and populate /dev in a container.
We might want to add options to specify a max size for /dev other than
the default 100k, and to specify other devices to create. And maybe
someone can think of a better name than autodev.
Changelog: Don't error out if we couldn't mknod a /dev/ttyN.
Changelog: Describe the option in lxc.conf manpage.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Add option to create a pidfile for lxc-start. This is helpful for
init scripts and process monitors when running as daemon.
Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
In some cases it may be useful to pass a full path to an executable
template script directly to lxc-create.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
docbook2x-man doesn't have the same name on Debian based systems as
on RedHat based systems, add some magic to configure.ac to detect and
substitute the proper name in Makefile.am
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
The package 'docbook-tools' [1] required to format Docbook 3.0 into man pages
has been obsoleted a long time ago and can no longer be downloaded from its
former homepage. Recent versions of that package -- now called 'docbook2X' --,
cannot deal with that old markup format anymore (and don't support the '-w all'
command line switch either). To remedy these issues, all SGML files have been
updated to Docbook 4.5 so that recent versions of docbook2man can process them.
[1] http://sources.redhat.com/docbook-tools/
[2] http://docbook2x.sourceforge.net/
Signed-off-by: Peter Simons <simons@cryp.to>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Change 5fd8314f removed the README file explaining why the
rootfs directory has to exist. Doing so broke the build on
Fedora 17 since this directory will not be created by make
install and thus the spec file cannot find it.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This reverts commit 9a84044bc97098821cce2721ea40a1368f17a091.
The changes made the branch to fail to build on Ubuntu/Debian, so
reverting the commits and re-opening the pull request.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
This reverts commit 8587ac4b855b7b66931a37742c45cd2c8c624658.
The changes made the branch to fail to build on Ubuntu/Debian, so
reverting the commits and re-opening the pull request.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
The package 'docbook-tools' [1] required to format Docbook 3.0 into man pages
has been obsoleted a long time ago and can no longer be downloaded from its
former homepage. Recent versions of that package -- now called 'docbook2X' --,
cannot deal with that old markup format anymore (and don't support the '-w all'
command line switch either). To remedy these issues, all SGML files have been
updated to Docbook 4.5 so that recent versions of docbook2man can process them.
[1] http://sources.redhat.com/docbook-tools/
[2] http://docbook2x.sourceforge.net/
Signed-off-by: Peter Simons <simons@cryp.to>
This turns liblxc into a public library implementing a container structure.
The container structure is meant to cover most LXC commands and can easily be
used to write bindings in other programming languages.
More information on the new functions can be found in src/lxc/lxccontainer.h
Test programs using the API can also be found in src/tests/
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
When attaching to only some namespaces of the container but not the mount
namespace, the contents of /sys and /proc of the host system do not properly
reflect the context of the container's pid and/or network namespaces, and
possibly others.
The introduced -R option adds the possibility to additionally unshare the
mount namespace (when it is not being attached) and remount /sys and /proc
in order for those filesystems to properly reflect the container's context
even when only attaching to some of the namespaces.
Signed-off-by: Christian Seiler <christian@iwakd.de>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Cc: Daniel Lezcano <daniel.lezcano@free.fr>
This patch allows the user to select any list of namespaces (network, pid,
mount, uts, ipc, user) that lxc-attach should use when attaching to the
container; all other namespaces will not be attached to.
This allows the user to for example attach to just the network namespace and
use the host's (and not the container's) network tools to reconfigure the
network of the container.
Signed-off-by: Christian Seiler <christian@iwakd.de>
Cc: Daniel Lezcano <daniel.lezcano@free.fr>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Make 'dir' an explicit backing store type, which accepts '--dir rootfs'
as an option to specify a custom location for the container rootfs. Also
update lxc-destroy to now remove the rootfs separately, as removing
@LXCPATH@/$name may not hit it.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
