This should satisfy several use cases. The one I tested for was CNI.
I replaced the network configuration in a root owned container with:
lxc.net.0.type = empty
lxc.hook.start-host = /bin/lxc-start-netns
where /bin/lxc-start-netns contained:
=================================
echo "starting" > /tmp/debug
ip link add host1 type veth peer name peer1
ip link set host1 master lxcbr0
ip link set host1 up
ip link set peer1 netns "${LXC_PID}"
=================================
The nic 'peer1' was placed into the container as expected.
For this to work, we pass the container init's pid as LXC_PID in
an environment variable, since lxc-info cannot work at that point.
Signed-off-by: Serge Hallyn <shallyn@cisco.com>
We can't rely in general on the presence of an initialized conf on cgroup init
time. One good example are our criu codepaths.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
So far, we silently skipped over limits that failed to be applied which is very
odd. Let's error on when cgroup limits fail to apply.
Closes#1815.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Because the `fetch` wget wrapper outputs files to stdout we may end up in a
situation where wget fails but the files are still created. This can happen
e.g. when the host date is out of sync leading to a failed certificate
check, resulting in the creation of empty key files.
Once the empty files have been created the template will try to use them which
causes the certificate check to fail.
By using `-s` instead of `-f` the template will re-fetch the files unless they
exist AND have a size greater than zero.
Signed-off-by: Rune Juhl Jacobsen <runejuhl@petardo.dk>
The hooks (e.g. lxc.hook.mount) should have the environment variables the user
gave us available.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
To match names beginning with the letters "f" or "b" one can use
the regular expression "[fb].*" or "(f|b).*", but not "[f|b].*",
which would match strings beginning with "f", "|", or "b".
Signed-off-by: Christian von Roques <roques@z12.ch>
Since some remounts/umounts is executed in the plamo shutdown script,
the filesystem on where a container exists might be mount as
read-only. This patch delete some mounts and umounts from the shutdown
script. It also delete hwclock setting process.
And delete an unncecessary output.
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
When the "lxc.rootfs.path" property is not set and users request a container
copy we would segfault since strstr() would be called on a NULL pointer.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
This is technically not necessary but it is a privilege sensitive operation.
Meaning if anyone wants to do something that requires privilege it should be
done before the id switch. So let's move the id switch immediately before the
exec so that it's called at the last possible moment.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Users were confused when the config file created during cloning or copying a
container suddenly missed all newlines. Let's keep them.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
