For instance
lxc.include = /var/lib/lxc/commonopts
in /var/lib/lxc/q1/config would cause the configuration in
/var/lib/lxc/commonopts to be loaded when container q1 starts.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Hi,
This patch is so far just a proof of concept. The libseccomp api will be
changing soon so it probably wouldn't be worth pulling this until it is
updated for the new API.
This patch introduces support for seccomp to lxc. Seccomp lets a program
restrict its own (and its children's) future access to system calls. It
uses a simple whitelist system call policy file. It would probably be
better to switch to something more symbolic (i.e specifying 'open' rather
than the syscall #, especially given container arch flexibility).
I just wanted to get this out there as a first step. You can also get
source for an ubuntu package based on this patch at
https://code.launchpad.net/~serge-hallyn/ubuntu/quantal/lxc/lxc-seccomp
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Allow to specify a timeout for waiting on state changes via lxc-wait.
Helpful for scripts that need to handle errors or excessive delays in
state changing procedures.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Commit 21e487f2 introduced the use of getopt, but getopt will fail when
it sees arguments meant for netstat that are not in [short|long]options.
There should not be any ambiguity about arguments with the same letter:
those to the left of the -- are destined for lxc-netstat and those to
the right for the real netstat, which the original code handles by
shifting out all arguments it recognizes before the -- is hit.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
lxc-ps is supposed to pass arguments after the -- on to ps. The problem is
that i is expanded once from $@ and the loop will iterate over all the
arguments that were in $@ at the time of expansion. Inside the loop, there
are shifts (in the name case for example) that are trying to remove more
than a single argument. This changes fixes that and makes lxc-ps work as
documented.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Change 910bb4fa obviated the need for the --with-linuxdir configure
option which means that the ksrc rpm macro no longer makes sense either.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Note that an additional Release field is not necessary for the devel package
as it will follow the primary Release field. For more information on the dist
tag, see http://fedoraproject.org/wiki/Packaging:DistTag
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
* 'upstream-bugfix' of https://github.com/lxc/lxc: (47 commits)
replace HOOK define with proper code.
Remove lxc-start-ephemeral from configure.ac
revert devtmpfs in ubuntu templates
lxc-ubuntu{-cloud}: Fix missing "fi" in new devtmpfs code
fix "make rpm"
display warning when yum missing in fedora template
templates: mount devtmpfs in ubuntu containers
handle clone of btrfs snapshots
if the rootfs is a btrfs subvolume, delete it instead of rm -rf
lxc-debian: replace isc-dhcp-server by isc-dhcp-client
lxc-ls: Scan cgroup mount points from fstype and not device
Allow short -h and -n options to lxc-ps
lxc-ubuntu: fix printing of default user
lxc-debian: specify isc-dhcp-server in package list
try to better handle out of date container caches.
link /dev/kmsg to /dev/console in the container
lxc-clone: fix the '--name' parameter
lxc-ls: Use readlink on $directory
lxc-busybox: Use relative mounts in lxc.mount.entry
busybox: for all lib dirs create mounts only if directories exist
...
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
lxc-start-ephemeral.in ended up in configure.ac as a result of the
cherry-pick. This new tool hasn't been pulled in yet.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
The "if" statement to add devtmpfs was missing a matching "fi" causing parsing
error when using the template.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
RPM doesn't like "-" in the version number and gives:
"error: line 24: Illegal char '-' in: Version: 0.8.0-rc2"
Other packages (bind-utils for example) have used . instead
of - as a seperator.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Fix determination of $oldroot from the config file. The old code had the '
in the wrong place and didn't account for whitespace between the = and
the rootfs.
Set $rootfs based on $oldroot instead of forcing it to be in
$lxc_path/$lxc_new/rootfs. This allows for btrfs snapshot to be made even if
$lxc_path isn't on the same filesystem. If $oldroot isn't a subvolume,
fall back to making a copy.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
The DHCP client should be isc-dhcp-client, not isc-dhcp-server.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
lxc-ls --active now scans mount points that have the 'cgroup' filesystem
type and not the 'cgroup' device name (which is ignored anyway and may be
anything).
Signed-off-by: Christian Seiler <christian@iwakd.de>
Cc: Serge Hallyn <serge.hallyn@ubuntu.com>
For a lucid container, apt-get update before installing the source package for
add-apt-repository, so that apt-get does not fail.
If apt-get dist-upgrade fails, suggest running lxc-create with -F.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
This way init log messages can be seen on the console. If containerized
syslog ever comes around, we can get rid of this.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
lxc-ls was failing in cases where $directory is a symlink to another
directory. Instead have $directory be generated from the output of
readlink -f "$lxc_path".
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
To make it easier to clone/rename the container, replace hardcoded
entries (with rootfs in the destination path) by rootfs-relative entries.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
These variables are not expanded correctly in doc/lxc-create.sgml.in
and a workaround is in place to ensure ${localstatedir}, and ${datadir}
are set in the various shell scripts that use it. There is no workaround
to ensure ${datadir} is set in src/lxc/lxc-create.in, nor is
${localstatedir} set in templates/lxc-altlinux.in so I think that these
are currently broken.
Using AS_AC_EXPAND instead of AC_SUBST fixes these problems and removes
the need for the workarounds. In addition the lxc-start-ephemeral.in
script can be autoconf'ed instead of sed'ed by the makefile.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
I was getting raw nroff ".SH DESCRIPTION" in my man pages. This fixes
the synopsis cmd args so that doesn't happen. Added replaceable to a few
arguments.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
This fixes a case where lxc.utsname would be set empty as copy_configuration
wasn't getting the container name.
Signed-off-by: Rex Tsai (蔡志展) <rex.tsai@canonical.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This adds a SIGINIT and SIGPWR handler in the default inittab for
the Debian template. This allows lxc-shutdown/lxc-restart and their API calls
to properly shutdown or reboot the container.
Signed-off-by: Rex Tsai (蔡志展) <rex.tsai@canonical.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
configure.ac used to set the template path to /usr/share/lxc/templates.
Instead use ${datadir} to make it follow ${prefix}.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
If rootfs is a symbolic link but not to a block device, then do a separate
rm of its contents. We have to do this because, out of cowardice, we call
rm with --one-filesystem.
Removing the '-o -h $rootdev' is ok, because if $rootdev is a symbolic
link to a block device (including lvm blockdev) then -b will still return
true.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
That means, don't try to pin a null rootfs, and don't try to mount /proc
since /var/lib/lxc/root/proc doesn't exist to be mounted onto.
The apparmor patches are not yet upstream, so this patch will not go
upstream by itself.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
When passing '--userdata somefile' to the ubuntu-cloud template, a user
may pass a relative pathname. The template uses the filename after
changing current directory, so store the full pathname for the userdata
file instead of a potential relative pathname.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
LXC has optional apparmor support, default profile is lxc-container-default.
This change adds a commented "lxc.aa_profile = default" line to all templates,
uncommenting this will bypass apparmor for the container.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
On Debian and Ubuntu, the default host-name field in dhclient.conf is
set to either "<hostname>" or "gethostname()" both of which get replaced
by the machine's hostname at query time.
The sed call currently present in lxc-clone hardcodes the hostname in
dhclient.conf, causing dpkg to prompt on isc-dhcp updates.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
