Commit Graph

956 Commits

Author SHA1 Message Date
David Ward
00ad19d4db lxc-setcap/lxc-setuid: add autoconf expansion for $libexecdir
Support new default location for LXCINITDIR.

Signed-off-by: David Ward <david.ward@ll.mit.edu>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
2012-05-04 00:50:15 +02:00
David Ward
2775bb4c5a make help consistent for other scripts
Display help information in a consistent format.

Print error messages and help information to stderr. Prefix error
messages with the name of the script (for easier debugging as part
of larger scripts).

Allow help information to be printed as a non-root user.

Fix file mode for lxc-checkconfig.in.

Signed-off-by: David Ward <david.ward@ll.mit.edu>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
2012-05-04 00:50:15 +02:00
David Ward
8edcbf3366 rewrite lxc-ps
Use bash instead of perl; eliminates final lxc dependency on perl
(beneficial for minimal operating system environments).

Modify the cgroup search to only use hierarchies that contain one
or more subsystems. When searching, if a hierarchy contains the
'ns' subsystem, do not append '/lxc' to the parent cgroup.

Maintain column spacing. Expand container name column as necessary.
Properly handle spaces in 'ps' output that are not field separators
(for example, try 'lxc-ps -o pid,args').

Fix file mode in repository.

Signed-off-by: David Ward <david.ward@ll.mit.edu>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
2012-05-04 00:50:15 +02:00
David Ward
5e52afd528 refresh lxc-netstat
Modify the cgroup search to only use hierarchies that contain one
or more subsystems. When searching, if a hierarchy contains the
'ns' subsystem, do not append '/lxc' to the parent cgroup.

Change method of bind mounting /proc/<pid>/net onto /proc/net, to
avoid error "cannot mount block device /proc/<pid>/net read-only".

Check that user is root. Check that container name is specified
before calling 'exec'.

Update the help information.

Print error messages and help information to stderr.

Make indentation consistent.

Signed-off-by: David Ward <david.ward@ll.mit.edu>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
2012-05-04 00:50:15 +02:00
David Ward
7ef0141356 refresh lxc-ls
Add an '--active' option that lists active containers by searching
cgroups. (Otherwise, the directories in /var/lib/lxc are listed.)
Modify the cgroup search to only use hierarchies that contain one
or more subsystems. When searching, if a hierarchy contains the
'ns' subsystem, do not append '/lxc' to the parent cgroup.

Add a '--help' option that prints the command syntax.

Print error messages and help information to stderr.

Update the documentation.

Signed-off-by: David Ward <david.ward@ll.mit.edu>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
2012-05-04 00:50:15 +02:00
David Ward
1d39a06583 cgroup: only touch hierarchies that are bound to subsystems
Obtain a list of subsystems from /proc/cgroups, and ignore hierarchies
that are not bound to any of them (especially the 'systemd' hierarchy:
http://www.freedesktop.org/wiki/Software/systemd/PaxControlGroups ).

Signed-off-by: David Ward <david.ward@ll.mit.edu>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
2012-05-04 00:50:15 +02:00
David Ward
460a1cf0a9 lxc-attach: unify code for attaching a pid to a cgroup
To attach a new pid to the cgroups for an existing container, we can use
the same method that we did when we started the container: iterate over
all the mounted cgroup hierarchies; find the cgroup that pid 1 is in for
each hierarchy; add 'lxc/<name>' to the end of it; then write the pid to
the 'tasks' file in that cgroup. (The only difference is that we do not
create the cgroup again.) Note that we follow exactly the same iteration
pattern to delete our cgroups when a container is shutdown.

There may be situations where additional cgroups hierarchies are mounted
after the container is started, or the cgroup for pid 1 gets reassigned.
But we currently don't handle any of these cases in the shutdown code or
anywhere else, so it doesn't make sense to try to handle these cases for
lxc-attach by itself. Aside from simplifying the code, this change makes
it easier to solve a different problem: ignoring hierarchies that are
not bound to any subsystems (like 'systemd').

Signed-off-by: David Ward <david.ward@ll.mit.edu>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
2012-05-04 00:50:15 +02:00
David Ward
ad08bbb704 cgroup: rearrange code blocks
Avoid nesting and improve readability.

Signed-off-by: David Ward <david.ward@ll.mit.edu>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
2012-05-04 00:50:15 +02:00
David Ward
f10e7166ab lxc-cgroup: use correct terminology
lxc-cgroup gets or sets the value of a state object (such as
'cpuset.cpus'), not the value of a subsystem (which would be
just 'cpuset').

Signed-off-by: David Ward <david.ward@ll.mit.edu>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
2012-05-04 00:50:15 +02:00
David Ward
257e5824e4 cgroup: additional fix for deprecated ns subsystem
When a hierarchy contains the 'ns' subsystem, do not append '/lxc'
to the parent cgroup. Update surrounding comments for consistency.

Signed-off-by: David Ward <david.ward@ll.mit.edu>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
2012-05-04 00:50:15 +02:00
David Ward
e7d04aaea0 utmp: support non-rootfs configuration
Having a rootfs is not a necessary condition for monitoring utmp, since
/var or /var/run can just be remounted inside the container instead. We
should rely on the other two conditions already in place to decide
whether to monitor the utmp file:

 - the container was started with 'lxc-start', which indicates that it
   has a real init process and is expected to write to a utmp file

 - support for CAP_SYS_BOOT was not found in the kernel, which would
   otherwise supersede utmp monitoring

Signed-off-by: David Ward <david.ward@ll.mit.edu>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
2012-05-04 00:50:15 +02:00
David Ward
f51db2b39a utmp: do not set conf->need_utmp_watch if CAP_SYS_BOOT is not found
If CAP_SYS_BOOT is not found in the kernel, the existing value for
conf->need_utmp_watch should be left intact (which will be '1' for
containers started with 'lxc-start', or '0' for containers started
with 'lxc-execute').

Signed-off-by: David Ward <david.ward@ll.mit.edu>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
2012-05-04 00:50:15 +02:00
David Ward
631c07d49c lxc-attach: use execvp instead of execve
execvp does not require specifying the full path to the executable
(e.g., "ls" instead of "/bin/ls"), making the operation of 'lxc-attach'
consistent with 'lxc-start' and 'lxc-execute'.

Signed-off-by: David Ward <david.ward@ll.mit.edu>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
2012-05-04 00:50:15 +02:00
David Ward
910bb4fa53 use syscall numbers from Linux kernel headers
__NR_setns is defined in the Linux kernel headers in linux/unistd.h.
The full Linux kernel sources are not necessary for compilation.

Signed-off-by: David Ward <david.ward@ll.mit.edu>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
2012-05-04 00:50:15 +02:00
Daniel Lezcano
ed55bf5203 lxc-0.8.0-rc2
2012-03-20 23:27:47 +01:00
Serge Hallyn
1305dd24af Update manpages to reflect some updated options.
(which reminds me an lxc-clone manpage still needs to be written)

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
2012-03-19 00:31:40 +01:00
Serge Hallyn
52c8f624b5 ubuntu templates cleanups
1. fix inconsistent use of '--auth-key' (not --auth_key) which broke their
   usage
2. add --debug option to lxc-ubuntu (which does set -x to show what broke)
   (idea from lifeless and benji)
3. fix incorrect assumption about group with -b option.  User's default group
   may not be the same as username.

Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
2012-03-19 00:31:40 +01:00
Serge Hallyn
69182a318c do check for utmp checking at the right time
We were doing the check for whether we need to watch utmp from a
thread cloned from that which will actually do the utmp watching.
As a result, the utmp file was always being watched, even if it
didn't need to be.

Move the check to the parent thread.

Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/948623

Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
2012-03-19 00:31:40 +01:00
InformatiQ
f9d0d2cbbf fix cached rootfs update
* fix rootfs path
* add handling of systemd
Signed-off-by: InformatiQ <rhanna@informatiq.org>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
2012-03-05 23:53:14 +01:00
Serge Hallyn
fc3c7f7f6e cgroups: fix broken support for deprecated ns cgroup
When using ns cgroup, use /cgroup/<init-cgroup> rather than
/cgroup/<init-cgroup>/lxc.

At least lxc-start, lxc-stop, lxc-cgroup, lxc-console and lxc-ls work
with this patch.  I've tested this in a 2.6.35 kernel with ns cgroup,
and in a 3.2 kernel without ns cgroup.

Note also that because of the check for container reboot support,
if we're using the ns cgroup we now end up with a /cgroup/<container>/2
cgroup created, empty, by the clone(CLONE_NEWPID).  I'm really not
sure how much time we want to spend cleaning such things up since
ns cgroup is deprecated in kernel.

Signed-off-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
2012-03-05 23:53:14 +01:00
Daniel Lezcano
09f2410e84 lxc-0.8.0-rc1
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
2012-03-02 00:07:06 +01:00
Daniel Lezcano
baf977694a fix lxc-attach.sgml.in spurious variable list
Signed-off-by: Daniel Lezcano <daniel.lezcano@free.fr>
2012-03-02 00:02:42 +01:00
Daniel Lezcano
495d6f0b06 fix sparc architecture for autoconf
Reported-by: Denny Schierz <linuxmail@4lin.net>
Signed-off-by: Daniel Lezcano <daniel.lezcano@free.fr>
2012-02-26 10:56:38 +01:00
Serge Hallyn
97d3756cbe If a container is already running, say so in error msgs.
Otherwise there is no clear indication to the user why the container
startup failed.

Signed-off-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
2012-02-26 10:44:41 +01:00
Serge Hallyn
4759162d07 update ubuntu templates to provide macaddr and more
Add a macaddr if precisely one veth is specified but no hwaddr.  Allow
specifying ssh authkeys.  In cloud template, copy locales by default and allow
a tarball to be specified.

Signed-off-by: Ben Howard <ben.howard@canonical.com>
Signed-off-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
2012-02-26 10:44:41 +01:00
Serge Hallyn
bb59e07809 lxc-ubuntu: fix obscure arguments
1. --path is meant to be passed by lxc-create, but should not be passed
   in by users.  Don't advertise it in --help.
2. --clean syntax ends up not making much sense.  Get rid of it, and
   add '--flush-cache' option instead.

Signed-off-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
2012-02-26 10:44:41 +01:00
Serge Hallyn
b119f36293 add option to close inherited fds
The option is implied by '-d', because the admin won't see the warning
message.

Signed-off-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
2012-02-26 10:44:41 +01:00
Serge Hallyn
f6144f0cba ubuntu template changes
Author: Stéphane Graber <stgraber@ubuntu.com>

Use ubuntu/ubuntu instead of root/root by default.  Stop
removing tty[56].conf in Precise.  Stop messing with dhclient.conf.
Set devttydir on Precise to /dev/lxc to allow for clean upgrades.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Signed-off-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
2012-02-26 10:44:41 +01:00
Serge Hallyn
7c6ef2a2ee add lxc.devttydir config variable
If set, then the console and ttys will be bind-mounted not over /dev/console,
but /dev/<ttydir>/console and then symlinked from there to /dev/console.

Signed-off-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
2012-02-26 10:44:41 +01:00
Ubuntu
5d325fcf7e lxc-clone: support btrfs and clean up safely
btrfs support from Scott Moser.

Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
2012-02-26 10:44:41 +01:00
Ubuntu
8b7071ec5d add btrfs support to lxc-create
From Scott Moser.

Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
2012-02-26 10:44:41 +01:00
Serge Hallyn
5eff9886a0 remove unused fddir variable
Thanks to dlezcano for spotting this.

Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
2012-02-26 10:44:40 +01:00
Serge Hallyn
3283db096f lxc-init: use INFO when failed to mount /dev/shm
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
2012-02-26 10:44:40 +01:00
Serge Hallyn
d1458ac8d1 Add ubuntu-cloud template
This is a new template to create containers based on the ubuntu
cloud images, rather than using debootstrap.

Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
2012-02-26 10:44:40 +01:00
Serge Hallyn
6880563d9d Don't install lxcguest in precise (and higher) releases
lxcguest is no longer needed, as precise should boot in a container
un-modified.

Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
2012-02-26 10:44:40 +01:00
Serge Hallyn
a0c4a9fb93 silence netstat warnings in lxc-ls
netstat -x sometimes spits errors to stderr like:
	warning, got bogus unix line.
Shut those up as they don't help lxc-ls.

Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
2012-02-26 10:44:40 +01:00
Serge Hallyn
e2fa152013 fix reboot support detection
In order for reboot(LINUX_REBOOT_CMD_CAD_ON) to detect whether
container reboot is supported, it must be done in a non-init
pid namespace.  Fix that.

Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
2012-02-26 10:44:40 +01:00
Serge Hallyn
721d262cf1 if lxc-init can't mount /dev/shm, don't fail.
The 'lxc-init' (a lightweight init process used by lxc-execute in place of
upstart etc) tries to mount /dev/shm during startup. If that fails (for
instance /dev/shm does not exist) then it aborts execution and returns -1. This
is unreasonable as very few applications actually need /dev/shm.

Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
2012-02-26 10:44:40 +01:00
Serge Hallyn
8b004f0735 Don't raise error if container didn't sys_reboot
Don't call it an error if a container exits without calling sys_reboot.
Particularly since that will almost always be the case with lxc-execute.
This fixes a regression introduced in commit
"49296e2ebfe7c5f9d6ebafbb54f5c5e56a0cc085: support proper container
reboot"

Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
2012-02-26 10:44:40 +01:00
Serge Hallyn
5a50e09a43 lxc-ubuntu: Support for building a container of a foreign architecture
Support building a container of a foreign architecture if
qemu-user-static is installed.  This is done by installing some packages
of the host architecture in the container using multi-arch.

Author: Stéphane Graber <stgraber@ubuntu.com>
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
2012-02-26 10:44:40 +01:00
Serge Hallyn
4a2ca8b2ba lxc-start: exit early and cleanly if we have insufficient privs
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
2012-02-26 10:44:40 +01:00
Serge Hallyn
341a9bd8ac recursively delete cgroups on container shutdown
If a container has created its own cgroups, i.e. by running libvirtd,
then if we don't delete all child cgroups, then the rmdir will fail.

Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
2012-02-26 10:44:40 +01:00
Serge Hallyn
581092fc65 fix lxc-netstat for nested cgroups
Use the correct path for the container's cgroup task file.

Also exit out early and cleanly if the container is not running,
and bind-mount /proc/$pid/net with '-n' to keep the entry out
of mtab, else the mtab entry will never go away.

Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
2012-02-26 10:44:40 +01:00
Serge Hallyn
828695d97d support proper container reboot
This patch looks for Daniel's kernel patch allowing the lxc monitor
to tell container reboot from shutdown based on the exit signal.  If
that patch is not there, utmp monitoring is used.  Otherwise, it only
looks for the signal.  Note that the 'conf->need_utmp_watch' is
technically not necessary, as there is no harm in watching the utmp
file.

Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
2012-02-26 10:44:40 +01:00
Serge Hallyn
98f41f28a0 lxc-create: fix error with lvm
when --lvname is given, use that for lvcreate instead of using
lxc_name, which is wrong.

Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
2012-02-26 10:44:40 +01:00
Serge Hallyn
3920ff5cce lxc-clone.in: define localstatedir, as @LXCPATH@ might be defined in terms of it
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
2012-02-26 10:44:40 +01:00
Serge Hallyn
6d8ac56b65 add lvm support to lxc-create
1. Some templates copy the cached pristine rootfs using 'cp a b' where b is
$lxc_path/$name/rootfs.  That doesn't do the right thing if rootfs already
exists, as it will when it is an lvm or other mount.  So switch to
'rsync a/ b/'.  (cp can be made to work too of course).

2. Update lxc-create to support backing stores.  For now only lvm is
implemented.

Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
2012-02-26 10:44:40 +01:00
Serge Hallyn
76e08ff8a0 Fix several nagging bugs in lxc-destroy
Don't delete a running container.  If it's running, abort the delete
unless a new '-f' (force) flag is given, in which case, stop it first.

Handle the case where we can't find $rootfs in config

Fix broken detection of lvm backing store

Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
2012-02-26 10:44:40 +01:00
Serge Hallyn
d08ba6ec05 Support nested cgroups
With this patch, I can start a container 'o1' inside another container 'o1'.
(Of course, the containers must be on a different subnet)

Detail:

1. Create cgroups for containers under /lxc.

2. Support nested lxc: respect init's cgroup:

Create cgroups under init's cgroup.  So if we start a container c2
inside a container 'c1', we'll use /sys/fs/cgroup/freezer/lxc/c1/lxc/c2
instead of /sys/fs/cgroup/freezer/c2.  This allows a container c1
to be created inside container c1.  It also allows a container's limits
to be enforced on all a container's children (which a MAC policy could
already enforce, in which case current lxc code would be unable to nest
altogether).

3. Finally, if a container's cgroup already exists, rename it rather than
failing to start the container.  Try to WARN the user so they might go
clean the old cgroup up.

Whereas without this patch, container o1's cgroup would be
	/sys/fs/cgroup/<subsys>/o1,
it now becomes
	/sys/fs/cgroup/<subsys>/<initcgroup>/lxc/o1
so if init is in cgroup '/' then o1's freezer cgroup would be:
	/sys/fs/cgroup/freezer/lxc/o1

Changelog:
	. make lxc-ps work with separate mtab.  If cgroups were mounted with -n,
	  and mtab is not linked to /proc/self/mounts, then 'mount -t cgroup' won't
	  show these mounts.  So make lxc-ps not use it, but rather use
	  /proc/self/mounts directly.
	. lxc-ls in the past assumed that a container's cgroup was just '/<name>'.
	  Now it is '/<host-init-cgroup>/lxc/<name>'.  Handle that.
	. first version of this patch was setting clone_children on
	  <path-to-cpusets-cgroup>/<init-cgroup>/lxc, not the parent of that dir.
	  That failed to initialize that cgroup, so tasks could not enter it.

Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
2012-02-26 10:44:40 +01:00
Serge Hallyn
2e44ed1e64 lxc-ubuntu: use release-updates and release-security
Particularly for LTS releases, which many people will want to use in
their containers, it is not wise to not use -security and -updates.
Furthermore the fix allowing ssh to allow the container to shut down
is in lucid-updates only.

With this patch, after debootstrapping a container, we add -updates
and -security to sources.list and do an apt-get upgrade under chroot.
Unfortunately we need to do this because debootstrap doesn't know how
to.

Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
2012-02-26 10:44:40 +01:00