Commit Graph

2861 Commits

Author SHA1 Message Date
Serge Hallyn
fbb1625948 conf.c: fix unprivileged network case
If unprivileged users are using a veth nic, then ifindex is still 0
at lxc_assign_network() (because lxc_create_network() was skipped).
So check for that case before we use lxc->ifindex to decide if we
have an empty network namespace.

We probably should change the !netdev->ifindex check to a
netdev->type == LXC_NET_EMPTY check, but I've been making enough
mistakes today not to risk that.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2013-12-19 23:29:06 +01:00
Serge Hallyn
7e7243e16b cgroup: don't set clone_children when it is already 1
In particular, if it's already 1, and we can't change it, we currently
fail out.  That's silly.

I was going to just always continue, but if clone_children is not 1,
then the container *will* fail to start later on, so I'd rather stop
earlier on so the original cause doesn't get lost in the noise.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2013-12-19 22:21:45 +01:00
Michael H. Warfield
58d6a17e02 Catch the python packages when building them.
If we have "with_python" we want to add the resulting packages to
the resulting rpm.

Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2013-12-19 22:19:30 +01:00
Stéphane Graber
a6adab20ff Add lxc-autostart
This introduces a new lxc-autostart binary (and associated manpage)
which will let you start/shutdown/kill/restart any container that's
marked as lxc.start.auto=1. It respects the lxc.start.delay value,
sorts by lxc.start.order and filters by lxc.group.

By default it'll affect all containers that DO NOT have lxc.group
set. If -g is specified, ONLY containers in those groups will be
affected. To have a command applied to all containers, the -a
argument can be used.

A -L flag is also offered for distributions wishing to start the
containers themselves while still using LXC's calculated order and
wait delays. Instead of performing the action, it'll print the container
name and (if relevant for the action) the wait time.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2013-12-19 21:56:25 +01:00
Stéphane Graber
cfd149a646 lxc-ls: Add workaround for nested containers
When accessing nested containers, hardcode the path to their config.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2013-12-19 21:53:15 +01:00
Stéphane Graber
7f8c403134 lxc-ls: Add lxc.start.auto and lxc.group support
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2013-12-19 21:49:19 +01:00
Stéphane Graber
ee1e7aa0eb autostart: Define lxc.start.* and lxc.group
First patch in the set of changes required for container autostart.

This commit adds the new configuration keys and parsers that will then
be used by lxc-start and lxc-stop.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Dwight Engen <dwight.engen@oracle.com>
2013-12-19 21:48:27 +01:00
Serge Hallyn
b543ce9624 fix lxc-usernsexec regression
In what should have been a straightforward fix for a bug found by
priority, I sent 1 instead of '1' from parent to child, while the
child checked for '1'.  Fix.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-12-19 13:59:30 -06:00
S.Çağlar Onur
95b422fccf remove static_lock()/static_unlock() and start to use thread local storage (v2)
While testing https://github.com/lxc/lxc/pull/106, I found that concurrent starts
are hanging from time to time. I then reproduced the same problem in master and got the following:

 [caglar@oOo:~] sudo gdb -p 16221
 (gdb) bt
 #0  __lll_lock_wait () at ../nptl/sysdeps/unix/sysv/linux/x86_64/lowlevellock.S:135
 #1  0x00007f495526515c in _L_lock_982 () from /lib/x86_64-linux-gnu/libpthread.so.0
 #2  0x00007f4955264fab in __GI___pthread_mutex_lock (mutex=0x7f49556d4600 <static_mutex>) at pthread_mutex_lock.c:64
 #3  0x00007f49554b27a6 in lock_mutex (l=l@entry=0x7f49556d4600 <static_mutex>) at lxclock.c:78
 #4  0x00007f49554b2dac in static_lock () at lxclock.c:330
 #5  0x00007f4955498f71 in lxc_global_config_value (option_name=option_name@entry=0x7f49554c02cf "cgroup.use") at utils.c:273
 #6  0x00007f495549926c in default_cgroup_use () at utils.c:366
 #7  0x00007f49554953bd in lxc_cgroup_load_meta () at cgroup.c:94
 #8  0x00007f495548debc in lxc_spawn (handler=handler@entry=0x7f49200af300) at start.c:783
 #9  0x00007f495548e7a7 in __lxc_start (name=name@entry=0x7f49200b48a0 "lxc-test-concurrent-4", conf=conf@entry=0x7f49200b2030, ops=ops@entry=0x7f49556d3900 <start_ops>, data=data@entry=0x7f495487db90,
    lxcpath=lxcpath@entry=0x7f49200b2010 "/var/lib/lxc") at start.c:951
 #10 0x00007f495548eb9c in lxc_start (name=0x7f49200b48a0 "lxc-test-concurrent-4", argv=argv@entry=0x7f495487dbe0, conf=conf@entry=0x7f49200b2030, lxcpath=0x7f49200b2010 "/var/lib/lxc") at start.c:1048
 #11 0x00007f49554b68f1 in lxcapi_start (c=0x7f49200b1dd0, useinit=<optimized out>, argv=0x7f495487dbe0) at lxccontainer.c:648
 #12 0x0000000000401317 in do_function (arguments=0x1aa80b0) at concurrent.c:94
 #13 0x0000000000401499 in concurrent (arguments=<optimized out>) at concurrent.c:130
 #14 0x00007f4955262f6e in start_thread (arg=0x7f495487e700) at pthread_create.c:311
 #15 0x00007f4954f8d9cd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113

It looks like both parent and child end up with a locked mutex, thus deadlocking.

I ended up placing values in the thread local storage pool, instead of doing the "unlock the lock in the child" dance.

Signed-off-by: S.Çağlar Onur <caglar@10ur.org>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2013-12-19 13:28:28 +01:00
Stéphane Graber
f4d5cc8e1f sshd: Don't bind-mount /sbin/init read-write
lxc-sshd was mounting itself (the template script) as /sbin/init in the
container using a writable bind-mount.

This shouldn't be needed and could lead to quite a few problems should
one of those containers overwrite /sbin/init for some reason.

Instead simply move to a read-only bind-mount which should prevent any
accidental damage.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2013-12-19 12:17:39 +01:00
KATOH Yasufumi
07ece60087 Add Japanese man pages for lxc-user-nic
Update for commit df3415e022

Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2013-12-18 12:31:03 +01:00
S.Çağlar Onur
06e5650eab introduce lxcapi_rename for renaming containers
lxcapi_rename is implemented as a convenience function as lately
I find myself in need of renaming a container due to a
typo in its name. I could have started over but didn't want
to spend more time (installing extra packages and changing
their configuration) on it.

c->clone() followed by c->destroy() did the trick for me and I
thought it could be helpful to other people, so here it is.

Signed-off-by: S.Çağlar Onur <caglar@10ur.org>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-12-17 15:21:36 -06:00
Stéphane Graber
713893cdbc change version to 1.0.0.beta1 in configure.ac
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2013-12-17 14:25:02 -05:00
Dwight Engen
8fc8295a16 make lxc.network.script.down consistent with lxc.network.script.up
- add missing print in lxc_list_nicconfigs() and in write_config() which
  fixes lxc-clone so it will propagate the script.down config value

- add missing "script.down" to lxc_get_item_nic(). change "upscript" to
  "script.up" to match actual key in config

- refactor to use config_string_item()

Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2013-12-17 13:50:50 -05:00
Stéphane Graber
a92f95cdbf Mark lxc-user-nic setuid root
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2013-12-17 12:30:01 -05:00
Serge Hallyn
df3415e022 add manpages for lxc-user-nic
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-12-17 11:15:57 -06:00
Serge Hallyn
c073c14723 lxc_user_nic changes
1. catch the case where the allowed number of nics is 0 (as opposed to no entry),
which previously would have allowed the user to sneak in one entry.

2. return false, not true, if something went haywire with creating the
/sys/class/net/$nic path to open.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-12-17 10:34:25 -06:00
KATOH Yasufumi
241c3744ca doc: Update lxc-stop(1) for nolock option
update for commit 8face1de22

Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2013-12-17 10:19:16 -05:00
Serge Hallyn
a58878d626 lxc_conf_free: free rootfs.pivot and log_file if not null
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-12-16 21:58:47 -06:00
Serge Hallyn
8face1de22 stop: add nolock option
If the system gets into a bad state, it may become impossible to get
the lxc container locks.  We should still be able to stop containers
in that case.  Add a -L/--nolock option to specify this behavior.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2013-12-16 10:49:05 -06:00
S.Çağlar Onur
fa7fced878 make mountcgroups hook to lxc.include aware (v2)
[resending the patch from correct branch]

commit 09ad624693 introduced the lxc.include option
to include other config files. This patch uses it in the mountcgroups hook; otherwise
lxc-start fails with the following error message for nested containers:

root@oOo:/var/lib/lxc/raring# lxc-start -l debug -o l -n raring -d
lxc-start: command get_cgroup failed to receive response

Signed-off-by: S.Çağlar Onur <caglar@10ur.org>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-12-16 08:44:32 -06:00
Stéphane Graber
f91d5e4e3f configure.ac: Make our configure more consistent
This commit does the following changes:
 - Disable rpath by default
 - Switch all of our options to --enable-FEATURE in the help
 - Add auto-detection of libcap availability
 - Add auto-detection of python3 availability
 - Always specify the default value in --help
 - Add a configuration overview at the end

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-12-16 08:14:23 -06:00
Stéphane Graber
e8eab8b6d4 ubuntu: Fix initial container creation
The list of packages must be comma separated, not space separated.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2013-12-13 17:56:13 -05:00
Serge Hallyn
af415076b6 coverity: remove logically dead code
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-12-13 16:15:10 -06:00
hallyn
a611bce104 Merge pull request #101 from ahippo/master
run_buffer(): unblock all signals for spawned scripts.
2013-12-13 13:13:19 -08:00
Serge Hallyn
26b797f3d2 make 'empty network' the default
Currently if no lxc.network.type section is in the container
configuration, the container ends up sharing the host's network.
This is a dangerous default.

Instead, add 'lxc.network.type = none' as a valid type, and make
an empty network the default.

If none as well as another network type are specified, then the
none type will be ignored.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2013-12-13 14:16:45 -05:00
Libo Chen
5d127727fb lxc-user-nic: fix the wrong use of realloc
fix the wrong use of realloc

Signed-off-by: Libo Chen <clbchenlibo.chen@huawei.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-12-12 22:24:33 -06:00
Serge Hallyn
a3b47c094b coverity: drop gratuitous null check
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-12-12 14:02:00 -06:00
Serge Hallyn
915614c78f coverity: don't deref null c
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-12-12 13:58:50 -06:00
Serge Hallyn
cbaed76dda coverity: an int is not 1 byte
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-12-12 13:56:35 -06:00
Serge Hallyn
fef48dc942 coverity: fix mix of bool and int
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-12-12 13:47:24 -06:00
Serge Hallyn
908fde6aad coverity: avoid deref of explicitly NULL variable on error path
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-12-12 12:57:21 -06:00
Serge Hallyn
32571606a1 coverity: fix use before null check
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-12-12 12:51:35 -06:00
Serge Hallyn
ce42ba2c79 coverity: change flow to safely free in all exit paths
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-12-12 12:47:14 -06:00
Serge Hallyn
88dd66fc36 coverity: fix memleak in userns_exec_1
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-12-12 12:30:13 -06:00
Serge Hallyn
c30ac545a3 coverity : fix memleak on error path
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-12-12 12:23:34 -06:00
Serge Hallyn
b8f475c017 don't run lxc-user-nic for empty netns
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-12-12 12:12:06 -06:00
Serge Hallyn
2b142295af typo fix: create $rootfs/dev/pts
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-12-12 12:07:36 -06:00
Stéphane Graber
3eb967f096 python3: Support unpriv containers
This removes any existing uid check in the python3 binding and tools,
replacing those by .controllable where appropriate.

Extra checks are also added to make lxc-ls work as a user, returning as
much information as can possibly be retrieved.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2013-12-11 17:06:41 -05:00
Serge Hallyn
0ecf64b554 initialize stopped at top of lxc_cmd
and don't do it at all the callers

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-12-11 15:15:31 -06:00
Stéphane Graber
814928c87a Fix uninitialized value in lxc_try_cmd
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2013-12-11 16:01:35 -05:00
Stéphane Graber
9c073d6b76 lxc-ls: Detect missing setns support
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2013-12-11 14:58:12 -05:00
KATOH Yasufumi
0dc2961457 plamo: Update because rc script of plamo was updated
Signed-off-by: TAMUKI Shoichi <tamuki@linet.gr.jp>
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2013-12-11 10:20:40 -05:00
Stéphane Graber
d2305c4cde ubuntu: Make vim part of base template
This moves vim back to the default list of packages, drops the duplicate
ssh entry which means that unless extra packages are passed through
--packages, container creation won't invoke apt-get anymore.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2013-12-10 18:26:58 -05:00
James Hunt
f0ca27269a Make public API string method parameters const where possible.
Signed-off-by: James Hunt <james.hunt@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2013-12-10 10:41:38 -05:00
Qiang Huang
448e272de5 lxc-test-concurrent: initialize saveptr before use
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2013-12-10 09:06:50 -05:00
Stéphane Graber
6472dcc2c9 ubuntu: Add comment about the mounting profile
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2013-12-09 17:05:26 -05:00
S.Çağlar Onur
d392844188 ubuntu: add comments about running unconfined or nested containers
Signed-off-by: S.Çağlar Onur <caglar@10ur.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2013-12-09 15:06:59 -05:00
S.Çağlar Onur
802f869f40 use $LOCALSTATEDIR/lock/subsys/lxc-ubuntu$release as lock filename
Otherwise one cannot create two containers with different releases
(let's say saucy [cached] and raring [not cached]) if both are not
cached on the local filesystem already. The lock blocks the cached
one from moving forward until the uncached one finishes its downloads.

Fix that by separating locks using release names.

Signed-off-by: S.Çağlar Onur <caglar@10ur.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2013-12-09 15:04:46 -05:00
S.Çağlar Onur
826eb79882 use /var/lock/subsys/lxc-centos instead of /var/lock/subsys/lxc as a lock name
Signed-off-by: S.Çağlar Onur <caglar@10ur.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2013-12-09 15:04:42 -05:00