get_ips accepts an interface name as a parameter but there was no
way to get the interfaces names from the container. This patch
introduces a new get_interfaces call to the API so that users
can obtain the name of the interfaces.
Support for python bindings also introduced as a part of this version.
Signed-off-by: S.Çağlar Onur <caglar@10ur.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Adds the arch_to_personality function that looks up an architecture
and returns the corresponding personality. This may be used in
conjunction with the attach/attach_wait keyword argument.
Signed-off-by: Christian Seiler <christian@iwakd.de>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Add methods attach() and attach_wait() to the Python API that give
access to the attach functionality of LXC. Both accept two main
arguments:
1. run: A python function that is executed inside the container
2. payload: (optional) A parameter that will be passed to the python
function
Additionally, the following keyword arguments are supported:
attach_flags: How attach should operate, i.e. whether to attach to
cgroups, whether to drop capabilities, etc. The following
constants are defined as part of the lxc module that may
be OR'd together for this option:
LXC_ATTACH_MOVE_TO_CGROUP
LXC_ATTACH_DROP_CAPABILITIES
LXC_ATTACH_SET_PERSONALITY
LXC_ATTACH_APPARMOR
LXC_ATTACH_REMOUNT_PROC_SYS
LXC_ATTACH_DEFAULT
namespaces: Which namespaces to attach to, as defined as the flags that
may be passed to the clone(2) system call. Note: maybe we
should export these flags too.
personality: The personality of the process, it will be passed to the
personality(2) syscall. Note: maybe we should provide
access to the function that converts arch into
personality.
initial_cwd: The initial working directory after attaching.
uid: The user id after attaching.
gid: The group id after attaching.
env_policy: The environment policy, may be one of:
LXC_ATTACH_KEEP_ENV
LXC_ATTACH_CLEAR_ENV
extra_env_vars: A list (or tuple) of environment variables (in the form
KEY=VALUE) that should be set once attach has
succeeded.
extra_keep_env: A list (or tuple) of names of environment variables
that should be kept regardless of policy.
stdin: A file/socket/... object that should be used as stdin for the
attached process. (If not a standard Python object, it has to
implemented the fileno() method and provide a fd as the result.)
stdout, stderr: See stdin.
attach() returns the PID of the attached process, or -1 on failure.
attach_wait() returns the return code of the attached process after
that has finished executing, or -1 on failure. Note that if the exit
status of the process is 255, -1 will also be returned, since attach
failures result in an exit code of 255.
Two default run functions are also provided in the lxc module:
attach_run_command: Runs the specified command
attach_run_shell: Runs a shell in the container
Examples (assumeing c is a Container object):
c.attach_wait(lxc.attach_run_command, 'id')
c.attach_wait(lxc.attach_run_shell)
def foo():
print("Hello World")
# the following line is important, otherwise the exit code of
# the attached program will be -1
# sys.exit(0) will also work
return 0
c.attach_wait(foo)
c.attach_wait(lxc.attach_run_command, ['cat', '/proc/self/cgroup'])
c.attach_wait(lxc.attach_run_command, ['cat', '/proc/self/cgroup'],
attach_flags=(lxc.LXC_ATTACH_DEFAULT &
~lxc.LXC_ATTACH_MOVE_TO_CGROUP))
Note that while it is possible to execute Python code inside the
container by passing a function (see example), it is unwise to import
modules, since there is no guarantee that the Python installation
inside the container is in any way compatible with that outside of it.
If you want to run Python code directly, please import all modules
before attaching and only use them within the container.
Signed-off-by: Christian Seiler <christian@iwakd.de>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
convert_tuple_to_char_pointer_array now also accepts lists and not only
tuples when converting to a C array. Other fixes:
- some checking that it's actually a list/tuple before trying to
convert
- off-by-a-few-bytes allocation error
(sizeof(char *)*n+1 vs. sizeof(char *)*(n+1)/calloc(...))
Signed-off-by: Christian Seiler <christian@iwakd.de>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This commit increases the default timeout used by lxc-start-ephemeral
from 5 to 10, and adds support for an LXC_IP_TIMEOUT override.
Patchset 2:
- Previous patch used a command line arg.
Signed-off-by: John McFarlane <john@rockfloat.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
If set, then fds 0,1,2 will be redirected while the creation
template is executed.
Note, as Dwight has pointed out, if fd 0 is redirected, then if
templates ask for input there will be a problem. We could simply
not redirect fd 0, or we could require that templates work without
interaction. I'm assuming here that we want to do the latter, but
I'm open to changing that.
Reported-by: "S.Çağlar Onur" <caglar@10ur.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
It turns out that most API users want some kind of timeout option for
get_ips, so instead of re-implementing it in every single client
software, let's just have it as a python overlay upstream.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Add a higher level console API that opens a tty/console and runs the
mainloop as well. Rename existing API to console_getfd(). Use these in
the python binding.
Allow attaching a console peer after container bootup, including if the
container was launched with -d. This is made possible by allocation of a
"proxy" pty as the peer when the console is attached to.
Improve handling of SIGWINCH, the pty size will be correctly set at the
beginning of a session and future changes when using the lxc_console() API
will be propagated to it as well.
Refactor some common code between lxc_console.c and console.c. The variable
wait4q (renamed to saw_escape) was static, making the mainloop callback not
safe across threads. This wasn't a problem when the callback was in the
non-threaded lxc-console, but now that it is internal to console.c, we have
to take care of it. This is now contained in a per-tty state structure.
Don't attempt to open /dev/null as the console peer since /dev/null cannot
be added to the mainloop (epoll_ctl() fails with EPERM). This isn't needed
to get the console setup (and the log to work) since the case of not having
a peer at console init time has to be handled to allow for attaching to it
later.
Move signalfd libc wrapper/replacement to utils.h.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
1. implement bdev->create:
python and lua: send NULL for bdevtype and bdevspecs.
They'll want to be updated to pass those in in a way that makes
sense, but I can't think about that right now.
2. templates: pass --rootfs
If the container is backed by a device which must be mounted (i.e.
lvm) then pass the actual rootfs mount destination to the
templates.
Note that the lxc.rootfs can be a mounted block device. The template
should actually be installing the rootfs under the path where the
lxc.rootfs is *mounted*.
Still, some people like to run templates by hand and assume purely
directory backed containers, so continue to support that use case
(i.e. if no --rootfs is listed).
Make sure the templates don't re-write lxc.rootfs if it is
already in the config. (Most were already checking for that)
3. Replace lxc-create script with lxc_create.c program.
Changelog:
May 24: when creating a container, create $lxcpath/$name/partial,
and flock it. When done, close that file and unlink it. In
lxc_container_new() and lxcapi_start(), check for this file. If
it is locked, create is ongoing. If it exists but is not locked,
create() was killed - remove the container.
May 24: dont disk-lock during lxcapi_create. The partial lock
is sufficient.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
This adds a new get_ips call which takes a family (inet, inet6 or NULL),
a network interface (or NULL for all) and a scope (0 for global) and returns
a char** of all the IPs in the container.
This also adds a matching python3 binding (function result is a tuple) and
deprecates the previous pure-python get_ips() implementation.
WARNING: The python get_ips() call is quite different from the previous
implementation. The timeout argument has been removed, the family names are
slightly different (inet/inet6 vs ipv4/ipv6) and an extra scope parameter
has been added.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
The previous change used some 3.3-specific functions.
We still support 3.2 so revert to 3.2-compatible calls.
Reported-by: S.Çağlar Onur <caglar@10ur.org>
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This finally fixes a few issues with the magic
convert_tuple_to_char_pointer_array function.
This now clearly copies the char* from the python object so we don't
end up keeping reference to those.
Also add the few required free calls to free the content of the array.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
When using -P (lxcpath), the parameter path needs to be forwarded
to the various commands being run but not used by the nested lxc-ls
as it's relatively unlikely that both the host and the nested containers
use a custom path.
This isn't ideal but short of having a way to provide the container path
for every single of the nesting (with potential unlimited depth), it's
the best we can do.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This fixes a few issues uncovered by the recent C module fix.
In lxc-start-ephemeral, the hwaddr code wasn't actually working.
Replace by code that properly iterates through the network interfaces
and sets a new MAC address for each entry.
In the python overlay, catch the newly emitted KeyError when in
set_config_item (or setting any previously unset variable would fail).
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Fixes a lot of issues found by a code review done by Barry Warsaw.
Those include:
- Wrong signature for getters
- Various memory leaks
- Various optimizations
- More consistent return values
- Proper exception handling
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Reported-by: Barry Warsaw <barry@ubuntu.com>
Acked-by: Barry Warsaw <barry@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This is mostly to make debuild happy as it doesn't tolerate any
leftover file when building twice in a row.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
I recently noticed that the generated tarballs with "make dist"
were incomplete unless the configure script was run on a machine
with all possible build dependencies.
That's wrong as you clearly don't need those dependencies to generate
the tarball. This change fixes that.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Recent testing on Ubuntu armhf showed that the python module was
failing to import. After some time tracking the issue down, the problem
was identified as being a non-terminated list of get/setters.
This commit fixes that issue as well as a few other potential ones that
were identified during debugging.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
The python api test script was using @LXCPATH@ for one of its checks.
Now that the lxcpath is exposed by the lxc python module directly, this
can be dropped and api_test.py can now become a simple python file without
needing pre-processing by autoconf.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Add initial support for showing and querying nested containers.
This is done through a new --nesting argument to lxc-ls and uses
lxc-attach to go look for sub-containers.
Known limitations include the dependency on setns support for the PID
and NETWORK namespaces and the assumption that LXCPATH for the sub-containers
matches that of the host.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This adds -P/--lxcpath to the various python scripts.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Add the two new calls to the API and add the new container_path
parameter to the constructor (optional).
This also extends list_containers to support the config_path parameter.
At this point none of the actual tools are changed to make use of those
as we'll probably want to make sure all the tools get the extra option
at once.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Tested-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
1. When calling c->set_config_path(), update configfile. I.e. if we
are setting the config_path to /var/lib/lxc, then the configfile should
be changed to /var/lib/lxc/$container/config
2. Add an optional configpath argument to lxc_container_new. If NULL,
then the default will be used (as before). If set, then the passed-in
path will be used. This way you can do
c1 = lxc.Container("r1", "/var/lib/lxc");
c2 = lxc.Container("r2", "/home/user/lxcbase");
(Note I did *not* implement the python or lua binding to pass that
argument along)
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Update add_device_node to use the new set_cgroup_item call instead
of having to figure out the cgroup paths and update the entries manually.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Updates the binding for the two new functions.
This also fixes some problems with the argument checking of
get_config_item that'd otherwise lead to a segfault.
The python binding for set_cgroup_item and get_cgroup_item are pretty
raw as lxc has little control over the cgroup entries.
That means that we don't try to interpret lists as we do for the config
entries.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
The python binding was forcing the user to pass a base path to
get_keys() even though the C binding doesn't require it.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Switch the python scripts to using @LXCPATH@.
According to grep, this was the last occurence of a /var/*/lxc
path in the code.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This commit does the following changes to the python API:
- Rename the add_device API call to add_device_node
- Adds an extra check that the container is running to add_device_node
- Introduces a new add_device_net function
And the following changes to the lxc-device tool:
- Change parser setup to better cope with variable number of arguments
- Add support for network devices (currently auto-detected)
- Support for different names on the host and in the container
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Use our own len() function for network interfaces as doing
len(container.get_config_item("lxc.network")) will fail when the
list is empty.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
The new version of the pep8 command is detecting more indentation
mistakes than it used to, this fixes them.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This introduces a new add_devices() call to the python API.
Parameters:
- path => Mandatory, path to a character or block device on the host
- destpath => Optional, alternative path inside the container
The function will allow the node in the container's devices cgroup and
then create the entry in the container.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
The script used to contain a workaround for back when create()
wouldn't properly flush the config and reload it.
As these issues have now been fixed, these workarounds can be removed.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
When overriding wait(), I forgot to actually return the value coming
from the C binding...
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
At Serge's suggestion, always convert the state passed to the wait()
function in the python API to its uppercase equivalent.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
This code was addeed to deal with stopped/dead containers but
really shouldn't be implemented there. Instead the setsid() call in
start() should be enough to prevent python from getting the SIGCHLD and
having to deal with it.
The liblxc API currently doesn't work as non-root, so check that the euid
is 0 when getting a Container instance in the python API.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Replaced python-lxc/test.py by a new api_test.py script that
uses all the available function of the API to run a batch of
basic tests.
This example is useful both as a test of the API and as a guide on
how to use the python API to manage containers.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
This adds a basic python binding done in C and a python overlay to
extend some features and provide a user-friendlier API.
This python API only supports python 3.x and was tested with >= 3.2.
It's disabled by default in configure and can be turned on by using
--enable-python.
A basic example of the API can be found in src/python-lxc/test.py.
More documentation and examples will be added soon.
