This uses the generate-apparmor-rules.py script I sent out some time
ago to auto-generate apparmor rules based on a higher level set of
block/allow rules.
Add apparmor policy testcase to make sure that some of the paths we
expect to be denied (and allowed) write access to are in fact in
effect in the final policy.
With this policy, libvirt in a container is able to start its
default network, which previously it could not.
v2: address feedback from stgraber
put lxc-generate-aa-rules.py into EXTRA_DIST
add lxc-test-apparmor, container-base and container-rules to .gitignore
take lxc-test-apparmor out of EXTRA_DIST
make lxc-generate-aa-rules.py pep8-compliant
don't automatically generate apparmor rules
This is only bc we can't be guaranteed that python3 will be
available.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Leave the line to do it (commented out) as some users may not be
using cgmanager, and may in fact still need those mounts.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
oracle-template: Split patching rootfs vs one time setup into separate
shell functions so the template can be run with --patch.
oracle-template: Update to install the yum plugin and itself (as lxc-patch)
into a container. The plugin just runs lxc-patch --patch <path> so it is
fairly generic, but in this case it is running a copy of the template inside
the container.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
If a default mode is not set, the container requires an explicit
mode specified in the config file, otherwise creating the
container fails.
Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Using the multiarch dir causes problems when running lxc-execute
on amd64 with an i386 container. /sbin/lxc-init is a more confusing
name and will show up in 'lxc<tab>'. /sbin/init.lxc should be quite
obvious as an init for lxc.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
this expands c597baa8f9 and 2c6f3fc932.
Also move the block using detect_ramfs_rootfs() from setup_rootfs() to
lxc_setup()
Signed-off-by: Florian Klink <flokli@flokli.de>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Add LXC_NET_NONE to known lxc_network_types, so parsing a config
file with lxc.network.type = none does not result in failure
(e.g. doc/examples/lxc-no-netns.conf). Options have also been
reordered to match the enum in conf.h.
Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
If we start a lxc_wait on a container while it is exiting, it is
possible that we open the command socket, then the command socket
monitor closes all its mainloop sockets and exit, then we send our
credentials. Then we get killed by SIGPIPE.
Handle that case, recognizing that if we get sigpipe then the
container is (now) stopped.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This updates all configs to include the exact same set of 7 bind-mounted
devices:
- console
- full
- null
- random
- tty
- urandom
- zero
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Don't bother access information that the user didn't request.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This resolves the memory math when memsw is enabled and fixes reporting
of nested containers memory when using cgmanager.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Added the environment variable "root_password_expired" to
control if the initial, temporary, root password is initially
set up as "expired". If set to "yes" (default), the root password
is set as "expired" and the user must change it at first login.
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Added code to catch SIGPWR for Upstart in Fedora and CentOS
containers as well as for Systemd in Fedora containers.
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
If the container does not already contain an /etc/localtime
timezone definition, then copy a definition from the host to
the container. This is often a symlink to an appropriate
system timezone definition files and is presumed to exist in
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Corner case existed when building a cross-arch container (i686 on x86_64)
on a cross-distro host (Fedora container on Ubuntu host). Fixed the
arch "fixup" code to do the right thing when running from the bootstrap.
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
The fds for stdin,stdout,stderr that we were leaving open for /sbin/init
in the container were those from /dev/tty or lxc.console (if given), which
wasn't right. Inside the container it should only have access to the pty
that lxc creates representing the console.
This was noticed because busybox's init was resetting the termio on its
stdin which was effecting the actual users terminal instead of the pty.
This meant it was setting icanon so were were not passing keystrokes
immediately to the pty, and hence command line history/editing wasn't
working.
Fix by dup'ing the console pty to stdin,stdout,stderr just before
exec()ing /sbin/init. Fix fd leak in error handling that I noticed while
going through this code.
Also tested with lxc.console = none, lxc.console = /dev/tty7 and no
lxc.console specified.
V2: The first version was getting EBADF sometimes on dup2() because
lxc_console_set_stdfds() was being called after lxc_check_inherited()
had already closed the fds for the pty. Fix by calling
lxc_check_inherited() as late as possible which also extends coverage
of open fd checked code.
V3: Don't move lxc_check_inherited() since it needs to be called while
the tmp proc mount is still mounted. Move call to lxc_console_set_stdfds()
just before it.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
It looks like either libdbus or libnih is showing some corruption with
threaded access to the cgmanager-client library. Until we can
straighten that out, mutex access to the cgmanager.
The worst part of this is having to take and drop the mutex at every
fork. This also means that we can't keep a connection open for the
duration of container startup, since that would deadlock forks.
If we were going to keep it like this, then we could get rid of some
code in start.c. However we take a performance hit here which I
really hope we can rectify soon.
The other approach we could take would be to keep a global count of
references to cgroup_manager. Mutex the open, close, and each use
of the cgroup_manager proxy (and the inc/dec of the refcount). This
way we could in fact keep the connection open for the duration of
container start. The atfork handler child_fn would have to close
the connection if open.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
/etc/mtab doesn’t exist after bootstrapping a debian container, and will
be created as regular file after first start.
That leads to at least two errors:
- output of `mount` is wrong and get messed up the more often you
start/stop the container
- /dev/pts/ptmx has wrong permissions
Signed-off-by: Holger Amann <holger@sauspiel.de>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This should finally silence this test for good :)
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
When cgmanager is around, use dbus-send to setup the cgroups, this
allows the tests to work in a container without cgroupfs access.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
You can have both cgmanager and cgfs compiled in, and lxc will fall back
at runtime to cgfs if it cannot connect to cgmanager, so print the failure
to connect as a DEBUG like the code used to do.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
There are two parts to this fix.
First, create a private DBusConnection manually, instead of using
nih_dbus_connect. The latter always creates a shared connection,
which cannot be closed. Note: creating an actual shared connection,
mutexing it among all threads, and creating per-thread proxies would
be an alternative - however we don't want long-lived connections as
they tend not to be reliable (especially if cgmanager restarts).
Second, use pthread_setspecific to create per-thread keys which can
be associated with destructors. Specify a destructor which closes
the dbus connection. If a thread dies while holding cgmanager,
the connection will be closed. Otherwise, we close the connection
and unset the key.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Depending on where during container creation we failed, cgroup_path
may be NULL. Don't try to delete the cgroup in that case.
(Also fix a wrong function name in an ERROR message)
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Opening a debug log for every thread at every iteration of test-concurrent
causes it to quickly run out of fd's because this fd is leaked. Fix this
by adding a new api: lxc_log_close().
As Caglar noted, the log handling is in general a bit "interesting" because
a logfile can be opened through the per-container api
c->set_config_item("lxc.logfile") but lxc_log_fd is now per-thread data. It
just so happens in test-concurrent that there is a 1:1 mapping of threads
to logfiles.
Split out getting debug logs from quiet since I think they are useful
separately. If debug is specified, get a log of any mode, not just during
start.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
It's often been reported that the behavior of lxc-create without -t is a
bit confusing. This change makes lxc-create require the --template
option and introduces a new "none" special value which when set will
fallback to the old template-less behavior.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
