This is a complete reimplementation of lxc-clone and lxc-start-ephemeral.
lxc-copy merges the functionalities of lxc-clone + lxc-start-ephemeral.
(1) Cloning containers:
(a) as copy:
lxc-copy -n aa -N bb
(b) as snapshot:
lxc-copy -n aa -N bb -s
(2) Renaming containers:
lxc-copy -n aa -N bb -R
(3) Starting ephemeral containers:
Ephemeral containers are created and started by passing the flag -e /
--ephemeral. Whenever this flag is missing a copy of the container is created.
The flag -e / --ephemeral implies -s / --snapshot.
(a) start ephemeral container daemonized with random name:
lxc-copy -n aa -e
(b) start ephemeral container in foreground mode with random name:
lxc-copy -n aa -e -F
(c) start ephemeral container with specified name in daemonized mode:
Analogous to lxc-start ephemeral containers start in daemonized
mode per default:
lxc-copy -n aa -N bb -e
One can however also explicitly pass -d / --daemon:
lxc-copy -n aa -N bb -e -d
but both commands are equivalent.
(d) start non-ephemeral container in daemonized mode:
lxc-copy -n aa -D -e
(e) start ephemeral container in daemonized mode and keep the original
hostname:
lxc-copy -n aa -K -e
(f) start ephemeral container in daemonized mode and keep the
MAC-address of the original container:
lxc-copy -n aa -M -e
(g) start ephemeral container with custom mounts (additional mounts can
be of type {bind,aufs,overlay}) in daemonized mode:
lxc-copy -n aa -e -m bind=/src:/dest:ro,aufs=/src:/dest,overlay=/src:/dest
(4) Other options:
lxc-copy --help
In order to create a random containername and random upper- and workdirs for
custom mounts we use mkdtemp() to not just create the names but also directly
create the corresponding directories. This will be safer and make the code
considerably shorter.
Signed-off-by: Christian Brauner <christianvanbrauner@gmail.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Instead, let's just allocate new space for the proctitle to live and point
the kernel at that.
v2: take out testing hunk
v3: check return from realloc
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
- Update list of supported releases
- Make the fallback release trusty
- Don't specify the compression algorithm (use auto-detection) so that
people passing tarballs to the template don't see regressions.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This isn't in any way fatal, so let's only warn about it with INFO, not
ERROR.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Instead of relying on the old ptrace loop, we should instead put all the
tasks in the container into the freezer. This will stop them all at the
same time, preventing fork bombs from causing criu to infinite loop (and is
also simply a lot faster).
Note that this uses --freeze-cgroup which isn't in criu 1.7, so it should
only go into master.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
PR_SET_MM_MAP only went in to the kernel at 3.18 (or 3.19), so we need to
define these for kernels before then. If there was an error, the code
simply logs the failure and continues on.
Also, we can drop the PR_SET_MM_otherstuff contstants since those were
dropped in 93525c00c7.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
veths can be unconnected in the container's config, and we should handle
this case.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
PR_SET_MM_MAP can be called as non-root, which we are in the unprivileged
(or nested) case.
Also, let's not do the strcpy() for the new cmdline until after we're sure
the prctl succeeded. This means that even if it does fail, we won't
mutilate the command line like we did before, it just won't be as pretty.
v2: remember to chop off bits of the string that are too long
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Changes v3:
(1) Fix typo (q --> p).
(1) This commit fixes the calculations when updating paths in lxc.hooks.*
entries. We now also update conf->unexpandend_alloced which hasn't been
done prior to this commit.
(2) Also we use the stricter check:
if (p >= lend)
continue;
This should deal better with invalid config files.
(3) Insert some spaces between operators to increase readability.
(4) Use gotos to simplify function and increase readability.
Signed-off-by: Christian Brauner <christianvanbrauner@gmail.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
When using overlay and aufs mounts with lxc.mount.entry users have to specify
absolute paths for upperdir and workdir which will then get created
automatically by mount_entry_create_overlay_dirs() and
mount_entry_create_aufs_dirs() in conf.c. When we clone a container with
overlay or aufs lxc.mount.entry entries we need to update these absolute paths.
In order to do this we add the function update_ovl_paths() in
lxccontainer.c. The function updates the mounts in two locations:
1) lxc_conf->mount_list
and
2) lxc_conf->unexpanded_config (by calling clone_update_unexp_ovl_dir())
If we were to only update 2) we would end up with wrong upperdir and workdir
mounts as the absolute paths would still point to the container that serves as
the base for the clone. If we were to only update 1) we would end up with wrong
upperdir and workdir lxc.mount.entry entries in the clone's config as the
absolute paths in upperdir and workdir would still point to the container that
serves as the base for the clone. Updating both will get the job done.
NOTE: This function does not sanitize paths apart from removing trailing
slashes. (So when a user specifies //home//someone/// it will be cleaned to
//home//someone. This is the minimal path cleansing which is also done by
lxc_container_new().) But the mount_entry_create_overlay_dirs() and
mount_entry_create_aufs_dirs() functions both try to be extremely strict about
when to create upperdirs and workdirs. They will only accept sanitized paths,
i.e. they require /home/someone. I think this is a (safety) virtue and we
should consider sanitizing paths in general. In short: update_ovl_paths() does
update all absolute paths to the new container but
mount_entry_create_overlay_dirs() and mount_entry_create_aufs_dirs() will still
refuse to create upperdir and workdir when the updated path is unclean. This
happens easily when e.g. a user calls lxc-clone -o OLD -n NEW -P
//home//chb///.
Signed-off-by: Christian Brauner <christianvanbrauner@gmail.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This functions updates absolute paths for overlay upper- and workdirs so users
can simply clone and start new containers without worrying about absolute paths
in lxc.mount.entry overlay entries.
Signed-off-by: Christian Brauner <christianvanbrauner@gmail.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
The systemd-sysctl service includes condition that /proc/sys/ has to be read-write.
In lxc only /proc/sys/net/ is read-write which causes the condition to fail and service not to run.
This patch changes the check to /proc/sys/net/ and makes the service apply only rules that are in net tree.
Signed-off-by: Jakub Sztandera <kubuxu@gmail.com>
Instead of duplicating the cleanup-code, once for success and once for failure,
simply keep a variable fret which is -1 in the beginning and gets set to 0 on
success or stays -1 on failure.
Signed-off-by: Christian Brauner <christianvanbrauner@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
The mount_entry_overlay_dirs() and mount_entry_aufs_dirs() functions create
workdirs and upperdirs for overlay and aufs lxc.mount.entry entries. They try
to make sure that the workdirs and upperdirs can only be created under the
containerdir (e.g. /path/to/the/container/CONTAINERNAME). In order to do this
the right hand side of
if ((strncmp(upperdir, lxcpath, dirlen) == 0) && (strncmp(upperdir, rootfs->path, rootfslen) != 0))
was thought to check if the rootfs->path is not present in the workdir and
upperdir mount options. But the current check is bogus since it will be
trivially true whenever the container is a block-dev or overlay or aufs backed
since the rootfs->path will then have a form like e.g.
overlayfs:/some/path:/some/other/path
This patch adds the function ovl_get_rootfs_dir() which parses rootfs->path by
searching backwards for the first occurrence of the delimiter pair ":/". We do
not simply search for ":" since it might be used in path names. If ":/" is not
found we assume the container is directory backed and simply return
strdup(rootfs->path).
Signed-off-by: Christian Brauner <christianvanbrauner@gmail.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Otherwise it may start too early and end up taking 10.0.3.1 even
though eth0 was eventually going to end up on 10.0.3.x.
https://bugs.launchpad.net/juju-core/+bug/1510619
Reported-by: Ryan Harper <ryan.harper@ubuntu.com>
Cc: Martin Pitt <martin.pitt@ubuntu.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
lxc-usernsexec was using fd 0 and reopening it as 0,1,2 for
the new task. If doing "lxc-usernsexec .. < script" this
will corrupt the file 'script'.
Reported-by: Fiedler Roman <Roman.Fiedler@ait.ac.at>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
The lxc monitor does not store the container's cgroups, rather it
recalculates them whenever needed.
Systemd moves itself into a /init.scope cgroup for the systemd
controller.
It might be worth changing that (by storing all cgroup info in the
lxc_handler), but for now go the hacky route and chop off any
trailing /init.scope.
I definately thinkg we want to switch to storing as that will be
more bullet-proof, but for now we need a quick backportable fix
for systemd 226 guests.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
The mount_entry_create_*_dirs() functions currently assume that the rootfs of
the container is actually named "rootfs". This has the consequence that
del = strstr(lxcpath, "/rootfs");
if (!del) {
free(lxcpath);
lxc_free_array((void **)opts, free);
return -1;
}
*del = '\0';
will return NULL when the rootfs of a container is not actually named "rootfs".
This means the we return -1 and do not create the necessary upperdir/workdir
directories required for the overlay/aufs mount to work. Hence, let's not make
that assumption. We now pass lxc_path and lxc_name to
mount_entry_create_*_dirs() and create the path directly. To prevent failure we
also have mount_entry_create_*_dirs() check that lxc_name and lxc_path are not
empty when they are passed in.
Signed-off-by: Christian Brauner <christianvanbrauner@gmail.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
It causes trouble when importing from different paths and will always be
included ahead of time anyway.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
When users wanted to mount overlay directories with lxc.mount.entry they had to
create upperdirs and workdirs beforehand in order to mount them. To create it
for them we add the functions mount_entry_create_overlay_dirs() and
mount_entry_create_aufs_dirs() which do this for them. User can now simply
specify e.g.:
lxc.mount.entry = /lower merged overlay lowerdir=/lower,upper=/upper,workdir=/workdir,create=dir
and /upper and /workdir will be created for them. /upper and /workdir need to
be absolute paths to directories which are created under the containerdir (e.g.
under $lxcpath/CONTAINERNAME/). Relative mountpoints, mountpoints outside the
containerdir, and mountpoints within the container's rootfs are ignored. (The
latter *might* change in the future should it be considered safe/useful.)
Specifying
lxc.mount.entry = /lower merged overlay lowerdir=/lower:/lower2,create=dir
will lead to a read-only overlay mount in accordance with the
kernel-documentation.
Specifying
lxc.mount.entry = /lower merged overlay lowerdir=/lower,create=dir
will fail when no upperdir and workdir options are given.
Signed-off-by: Christian Brauner <christianvanbrauner@gmail.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>