Some features of lxc - networking and LSM configuration for instance -
are generally configured by the distro packages. This program
tests the Ubuntu configuration.
changelog v2:
Switch to lxc-info -i to detect ip address as stgraber suggested
Don't look for 'expect' as I'm not using it yet.
changelog v3:
Make sure to only read one ip address from container.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This mostly changes two things:
- Only log to the container's logfile on start/stop/restart/execute
- Call may_control() every time we use the API and return
"Insufficient privileges" on failure.
NOTE: I didn't test every single one of those but I'm fairly confident
in my copy/paste abilities and I confirmed they all build fine at least.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
give hint to user to modprobe configs (altho could just modprobe it?)
Signed-off-by: Elan Ruusamäe <glen@delfi.ee>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Otherwise, it cases problems on cbuild endianness != ctarget endianness
setups because /sbin/ldconfig expects elf header in the wrong endianness.
Signed-off-by: Andrey Mazo <ahippo@yandex.ru>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
* sync current English man pages on master branch
* delete lxc-shutdown.sgml.in
* add lxc-snapshot.sgml.in
* update FSF address (same as 250b1eec71)
* remove trailing whitespaces in legacy/lxc-ls.sgml.in (same as 8900b9eb25)
- When doing the selinux change, I noticed that there was a lot of
duplication of code in handing string configuration items, so I
refactored this into a common function.
- Added a config_string_max that can be passed a maximum acceptable
length, used to limit ttydir to NAME_MAX.
- The behavior of config_seccomp was different than other strings: if the
item was already defined, then the second attempt to set it would fail
instead of just replacing the value. Changed to just replace the value.
- Remove unused key and lxc_conf arguments to config_path_item().
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
The original rationale for this was to make sure that if
lxcpath was /home/serge/lxcbase, then then lockdir
(/run/user/serge/lock/lxc/home/serge/lxcbase) would be
owned by the same user as /home/serge/lxcbase.
The only user who can chown to other uids (without CAP_CHOWN
added to fP) is root, who shouldn't be mucking with non-root
owned containers anyway. In the meantime this causes a bunch
of noise for arguably no benefit.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
This is an api function which will return false if the container
is running, and the caller may not talk to its monitor over its
command socket. Otherwise - if the container is not running, or
the caller may access it - it returns true.
We can use this in several tools early on to prevent the segvs
etc which we currently get.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This adds quite a few more ways to mount the cgroup filesystem
automatically:
- Specify ro/rw/mixed:
- ro: everything mounted read-only
- rw: everything mounted read-write
- mixed: only container's own cgroup is rw, rest ro
(default)
- Add cgroup-full that mounts the entire cgroup tree to the
corresponding directories. ro/rw/mixed also apply here.
Signed-off-by: Christian Seiler <christian@iwakd.de>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Improve lxc.mount.auto code: allow the user to specify whether to mount
certain things read-only or read-write. Also make the code much more
easily extensible for the future.
Signed-off-by: Christian Seiler <christian@iwakd.de>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
This adds a new -i flag to lxc-info to print the container's IP
addresses using get_ips().
Example:
$ lxc-info -n lxc-dev -s -p -i
state: RUNNING
pid: 21331
ip: 10.0.3.165
ip: 2607:f2c0:f00f:2751:e9ca:842f:efa9:97d1
ip: 2607:f2c0:f00f:2751:216:3eff:fe3a:f1c1
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
- change get_template_path() to only return NULL or non-NULL since one of
the callers was doing a free(-1) which caused the segfault. Handle the
NULL template case in the lxcapi_create() caller.
- make sure to free(tpath) in the sha1sum_file() failure case
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Currently, a maximum of one LSM within LXC will be initialized and
used. If in the future stacked LSMs become a reality, we can support it
without changing the configuration syntax and add support for more than
a single LSM at a time to the lsm code.
Generic LXC code should note that lsm_process_label_set() will take
effect "now" for AppArmor, and upon exec() for SELinux.
- fix Oracle template mounting of proc and sysfs, needed when using SELinux
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Don't worry about saved_errno since none of the *_free routines will set it
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
This one's easier to review by looking at the before and after files. It
splits up lxc_cgroup_load_meta2() by adding 3 helpers.
The result seems easier to reason about. A question I had, is, should
the kernel_subsystems ** be freed in the success case? I assumed it was
being used elsewhere but I can't find where. Currently it is only being
freed in the error case. I suspect we want to free it in the success
case as well.
Cc: Christian Seiler <christian@iwakd.de>
Cc: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Character encoding of Japanese man pages is UTF-8. But docbook-utils
can't treat it (and don't have --encoding option that use in
Makefile). So change to Japanese man pages is not generated when
docbook-utils is used.
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
In lxc_cmd(), we use
snprintf(path, len, "%s/%s/command", lxcpath ? lxcpath : inpath, name);
to fill sock name, this assume lxcpath have no trailing slashes, so
if we use
lxc-info -n test -P /usr/local/var/lib/lxc_anon/
to get a running container's state, we will get state: STOPPED which
is wrong, because we combine a wrong sock name.
To fix this, just remove trailing slashes when parsing arguments.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
The API header was included in a variety of ways before, standardize
those to "include <lxc/lxccontainer.h>" as this will always work both in
tree and on a system with the headers installed.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
info to help users locate the misconfig.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
