Install lua files under the confiugred --prefix rather than use the
pkg-config's variables LUA_INSTALL_[CL]MOD.
Users will likely want user --prefix while packagers will use DESTDIR.
Set the default to $datadir/lua/$LUA_VERSION for arch independent
lua modules and $libdir/lua/$LUA_VERSION for arch dependant .so module.
This should work for most distros. If it does not, then packagers
can still do:
make install lualibdir=$(pkg-config lua --variable=INSTALL_CMOD) ...
This fixes#169
Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
Acked-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
If clone is called from the api, the container object in memory
retains the bad fs. The line is wrong, being a leftover from a
previous attempt before copy_storage was moved earlier.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
also remove /usr special case for non-debian distros since systemd
itself sets systemunitdir=$(rootprefix)/lib/systemd/system
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
When adding the missing return value in Caglar's change (as discussed on
the mailing-list), I set err = -1 instead or ret = -1, causing an
obvious build failure...
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Only do the funky chroot_into_slave if / is in fact the rootfs.
Rootfs is a special blacklisted case for pivot_root.
If / is not rootfs but is shared, just mount / rslave. We're
already in our own namespace.
This appears to solve the extra /proc/$$/mount entries in
containers and the host directories in lxc-attach which have
been plagueing at least fedora and arch.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Otherwise an interrupted clone can lead to the original rootfs
being delete.
There is a period during lxcapi_clone during which we have written down
a temporary configuration file on disk, for the new container, using the
old rootfs. Interruption of clone doesn't allow us to do the cleanup we
do in error paths, so a subsequent lxc-destroy removes the old rootfs.
Fix this by doing the copy_storage as early as possible, and not
writing down the rootfs when we write down the temporary configuration
file.
(note - I tested this by putting a series of
'if (strcmp(newname, "u%d") == 0) exit(1)' inline to trigger
interruption between most blocks. If someone has a good idea
for a generic way to regression-test this henceforth that'd be
great)
See https://bugs.launchpad.net/lxc/+bug/1285850
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
fixes#131
changes since v1;
* uses btrfs snapshot feature only if src and dest are on same fs
Signed-off-by: S.Çağlar Onur <caglar@10ur.org>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
There are only a few times when we need to be connected to the
cgroup manager:
* when starting a container, from cgm_init until we've set cgroup limits
* when changing a cgroup setting (while running)
* when cleaning up (when shutting down)
* around the cgroup entering at attach
So only connect/disconnect the cgmanager socket on-demand as
needed. This should have a few benefits.
1. Reduce the # open fds when many containers are running
2. if cgmanager is stopped and restarted, the container
doesn't have to deal with the disconnection.
This is currently RFC. There are a few issues outstanding:
1. the cgm_set and cgm_get may need to be made thread-safe.
2. a non-daemonized start which fails while cgm is connected,
will not disconnected.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This change makes it possible to create unprivileged containers as root.
They will be stored in the usual system wide location, use the usual
system wide cache but will be running using a uid/gid map.
This also updates lxc_usernsexec to use the same function as the rest of
LXC, centralizing all the userns switch in a single function.
That function now detects the presence of newuidmap and newgidmap on the
system, if they are present, they will be used for containers created as
either user or root. If they're not and the user isn't root, an error is
shown. If they're not and the user is root, LXC will directly set the
uid_map and gid_map values.
All that should allow for a consistent experience as well as supporting
distributions that don't yet ship newuidmap/newgidmap.
To make things simpler in the future, an helper function "on_path" is
also introduced and used to detect the presence of newuidmap and
newgidmap.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
In the case where /var/lib/lxc itself was not accessible,
print_top_failing_dir would fail to print the error message.
This fixes it and also change the initial access check for X_OK instead
of R_OK (to match what we actually need and print_top_failing_dir's own
check).
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>
The previous change fixed parsing of multiple uid/gid ranges by using a
while loop, however a failure in that loop will cause the script to exit
(due to -e), so we need to ignore the return value of the commands
inside that loop.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
The container with "lxc.network.type=phys" halted with error on reboot.
Error message:
*** glibc detected *** lxc-start: realloc(): invalid pointer: 0x0948eed0 ***
We have a sequence:
1) conf->saved_nic = relloc(NULL) on start start.c:container save_phys_nics()
2) free(conf->saved_nics) after stop container
conf.c:lxc_rename_phys_nics_on_shutdown()
3) conf->saved_nic = relloc(conf->saved_nics) on restart container
start.c:save_phys_nics() -> error relloc()
free(conf->saved_nics) in lxc_rename_phys_nics_on_shutdown()
unnecessary, it will be called later in lxc_clear_saved_nics().
Signed-off-by: Vitaly Lavrov <vel21ripn@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
When booting an OL7 container on OL6, systemd in the OL7 container mounted
some extra cgroup controllers, which are then present in /proc/self/cgroups
of every task on the host. This is the list used by attach to determine
which cgroups to move the attached task into, but when it asks the container
over the command interface for the path to the subsystem this will fail
since the controller didn't exist when the container was first started.
Instead of failing, this change allows the attach to continue, warning that
those cgroups that could not be found won't be attached to.
The problem can be more simply reproduced by starting a busybox container,
mounting a cgroup that was not previously mounted, and then attempting
to attach to to the busybox container.
The problem will likely not manifest with cgmanager since it only requests
the path for the first controller, which is likely to always be mounted.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This adds yet another case in the in_userns function detecting the case
where an unprivileged container is created by the real uid 0, in which
case we want to share the system wide cache but still use the
unprivileged templates and unpack method.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Without this change, a request to *.LXC_DOMAIN that doesn't get a local
result from dnsmasq will be forwarded to its upstream server with the
potential of a loop.
Thanks to Ed for the patch on Launchpad (LP: #1246094).
Reported-by: Ed Swierk
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
With this change it's now possible to add wlan devices to the container.
This will track down the right phy device, move it to the right
namespace (we don't care about its name), then if the user asked for a
new device name for the actual interface, we attach to the container and
rename the interface in there using attach.
I have tested this to work with both Intel and Atheros NICs.
This patch is based on the one provided to lxc-devel by Gregor Beck and
has then been updated to do the device renaming as well as minor code
style changes. Thanks!
Reported-by: Gregor Beck <gbeck@sernet.de>
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
(this expands on Dwight's recent patch, commit c597baa8f9)
After unshare(CLONE_NEWNS) and before doing any mounting, always
check whether rootfs is shared. Otherwise template runs or clone
scripts can bleed mount activity to the host.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Note that if a task other than init violates the seccomp policy,
we cannot catch that. Init will catch it and (if it feels like
it) log it.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
The tmpfs was mounted with its default mode (1777) which was then picked
up by overlayfs/aufs as the target's mode.
This led to a world writable / in ephemeral containers.
I have confirmed that this issue doesn't impact lxc-clone.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
It used to be supported with the lxc-create.in script, and
the manpage says it's supported... So let's just support it.
Now
sudo lxc-create -t download --dir /opt/ab -n ab
works, creating the container rootfs under /opt/ab. This
generally isn't something I'd recommend, however telling users
to use a different lxc-path isn't as friendly as I'd like,
because each lxcpath requires separate lxc-ls and lxc-autostart
runs.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
always change profile immediately. Otherwise there are weird
corner cases where the profile change may not happen.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Modules should not link to the Lua core library.
See http://lua-users.org/wiki/BuildingModules under
"Do Not Link Modules to the Lua Core Libraries"
Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Systems based on systemd mount the root shared by default. We don't want
mounts done during creation by templates nor those done internally by
bdev during rsync based clones to propagate to the root mntns.
The create case already had the right check, but the mount call was
missing "/", so it was failing.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
We have added 3 new build servers for Alpine Linux musl libc x86, x86_64
and arm. Add the sha256sum for those keys.
Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Fix the issues reported by checkbashisms and change back to #!/bin/sh
Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Since we're no longer always returning a getenv result or some defined
string, the callers should cleanup the variable after use.
As a result, change from const char* to char*, add the needed free()
everywhere and use strdup() on strings coming from getenv.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
That's to make sure that if the bridge has a higher than 1500
mtu, the new veth (defaulting to 1500) doesn't lower it.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This makes get_rundir actually do what I meant it to do... for some
reason I missed that one in testing...
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
If get_rundir can't find XDG_RUNTIME_DIR in the environment, it'll
attempt to build a path using ~/.cache/lxc/run/. Should that fail
because of missing $HOME in the environment, it'll then return NULL an
all callers will fail in that case.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
