it actually sets us up to run the nih_mainloop, but we will never run
that.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This makes it so that the host doesn't need to have an old, compat
version of db43_load installed by using the db_load from the just
installed container. Some newer distributions do not even have an old
enough compat-db4 package available.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
With this change, you can install a container from a mounted .iso, or any
yum repo with the necessary packages. Unlike the --url option, the repo
does not need to be a mirror of public-yum, but the arch and release must
be specified. For example to install OL6.5 from an .iso image:
mount -o loop OracleLinux-R6-U5-Server-x86_64-dvd.iso /mnt
lxc-create -n OL6.5 -t oracle -- --baseurl=file:///mnt -a x86_64 -R 6.5
The template will create two yum .repo files within the container such that
additional packages can be installed from local media, or the container can
be updated from public-yum, whichever is available. Local media must be bind
mounted from the host onto the containers' /mnt for the former .repo to work:
mount --bind /mnt $LXCPATH/OL6.5/rootfs/mnt
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Recent fixes in the apparmor kernel code is now making at least the CI
environment and quite possibly some others fail due to an invalid path
in the pivot_root stanza.
So update both lines to allow a more generic pivot_root call for
anything in LXC's work directory.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
In this patch I tried to stick with each file's coding style, however I
think we should probably change that. Every main() should always not
return and only exit; they should always return EXIT_SUCCESS or EXIT_FAILURE
with the only exceptions being cases where we are returning a child's
exit status (lxc_execute, lxc_attach, lxc_init).
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
So that exit status doesn't show up as 255.
Reported-by: Andrey Khozov <avkhozov@googlemail.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
When rebooting an unprivileged container, netpipe starts out
as not -1. If count_veths somehow changed this could lead
to trying to send data over nonexistent pipe. (Ok can't
*really* happen, as it currently stands, but it's an open
end)
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Cleanups:
1. Do not modify container's /etc/hosts (archlinux uses /etc/nsswitch.conf)
2. Remove duplicate lines from config
3. Print a nicer final message
4. Get rid of some grep's
Signed-off-by: Leonid Isaev <lisaev@umail.iu.edu>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Cleanups:
1. Do not modify container's /etc/hosts (archlinux uses /etc/nsswitch.conf)
2. Remove duplicate lines from config
3. Print a nicer final message
4. Get rid of some grep's in favor of bash regex
Signed-off-by: Leonid Isaev <lisaev@umail.iu.edu>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Do not copy the pacman master key from the host, as this opens it to
attacks; generate a new secret hostkey.
Signed-off-by: Leonid Isaev <lisaev@umail.iu.edu>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Do not cherry-pick packages for the default install to avoid dependency
issues. Instead, install the base group modulo blacklisted packages.
Signed-off-by: Leonid Isaev <lisaev@umail.iu.edu>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Place log file into LOGPATH instead of LXCPATH (but still use the
given lxcpath if the latter differs from LXCPATH).
Signed-off-by: Robert Vogelgesang <vogel@users.sourceforge.net>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Fix parsing of /etc/lxc/default.conf, i. e. ignore comments, and don't
require whitespace left and right of the equal sign.
Make the early return actually work.
Signed-off-by: Robert Vogelgesang <vogel@users.sourceforge.net>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
When lxc-info's stdout is not line buffered (ie. "lxc-info -n foo |more")
the first three lines will be duplicated. This is because c->get_ips()
comes next and it forks and the child will exit() causing its fds to be
closed which flushes out its (fork duplicated) stdio buffers. The lines are
then duplicated when the parent actually gets around to flushing out its
stdio. This causes problems for programs (such as the lxc-webpanel) which
are popen()ing lxc-info.
The fix here isn't necessarily the right one, but does show what the
problem is. Seems like maybe we should fix this inside of get_ips(), for
other API callers as well.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Added lxc.arch to the resulting container configuration files
to support i686 on x86_64 cross arch containers.
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Allow writes to kernel.shm*, net.*, kernel/domainname and
kernel/hostname,
Also fix a bug in the lxc-generate-aa-rules.py script in a
path which wasn't being exercised before, which returned a
path element rather than its child.
Changelog (v2): remove trailing / from block path
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This should help it run better on slow test environment like the LXC CI
armhf builder.
- Wait longer for the container to start
- Wait longer for the container to shutdown
- On failure to shutdown, kill the container
- Always destroy the container if it's around
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This uses the generate-apparmor-rules.py script I sent out some time
ago to auto-generate apparmor rules based on a higher level set of
block/allow rules.
Add apparmor policy testcase to make sure that some of the paths we
expect to be denied (and allowed) write access to are in fact in
effect in the final policy.
With this policy, libvirt in a container is able to start its
default network, which previously it could not.
v2: address feedback from stgraber
put lxc-generate-aa-rules.py into EXTRA_DIST
add lxc-test-apparmor, container-base and container-rules to .gitignore
take lxc-test-apparmor out of EXTRA_DIST
make lxc-generate-aa-rules.py pep8-compliant
don't automatically generate apparmor rules
This is only bc we can't be guaranteed that python3 will be
available.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Leave the line to do it (commented out) as some users may not be
using cgmanager, and may in fact still need those mounts.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
oracle-template: Split patching rootfs vs one time setup into separate
shell functions so the template can be run with --patch.
oracle-template: Update to install the yum plugin and itself (as lxc-patch)
into a container. The plugin just runs lxc-patch --patch <path> so it is
fairly generic, but in this case it is running a copy of the template inside
the container.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
If a default mode is not set, the container requires an explicit
mode specified in the config file, otherwise creating the
container fails.
Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Using the multiarch dir causes problems when running lxc-execute
on amd64 with an i386 container. /sbin/lxc-init is a more confusing
name and will show up in 'lxc<tab>'. /sbin/init.lxc should be quite
obvious as an init for lxc.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
this expands c597baa8f9 and 2c6f3fc932.
Also move the block using detect_ramfs_rootfs() from setup_rootfs() to
lxc_setup()
Signed-off-by: Florian Klink <flokli@flokli.de>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Add LXC_NET_NONE to known lxc_network_types, so parsing a config
file with lxc.network.type = none does not result in failure
(e.g. doc/examples/lxc-no-netns.conf). Options have also been
reordered to match the enum in conf.h.
Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
If we start a lxc_wait on a container while it is exiting, it is
possible that we open the command socket, then the command socket
monitor closes all its mainloop sockets and exit, then we send our
credentials. Then we get killed by SIGPIPE.
Handle that case, recognizing that if we get sigpipe then the
container is (now) stopped.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This updates all configs to include the exact same set of 7 bind-mounted
devices:
- console
- full
- null
- random
- tty
- urandom
- zero
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Don't bother access information that the user didn't request.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This resolves the memory math when memsw is enabled and fixes reporting
of nested containers memory when using cgmanager.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Added the environment variable "root_password_expired" to
control if the initial, temporary, root password is initially
set up as "expired". If set to "yes" (default), the root password
is set as "expired" and the user must change it at first login.
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Added code to catch SIGPWR for Upstart in Fedora and CentOS
containers as well as for Systemd in Fedora containers.
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
