Introduce a new HTTP_PROXY variable in /etc/default/lxc. If unset or
set to none, then behavior continues as before. If set to 'apt', then
any http::proxy set in apt.conf will be used as http_proxy for
debootstrap, and specified in the container's
/etc/apt/apt.conf.d/70proxy. If set to something else, then the
value of HTTP_PROXY will be used as http_proxy for debootstrap and
specified in the container's 70proxy.
Changelog: (apr 23) merge the two apt proxy detection functions.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
When using -P (lxcpath), the parameter path needs to be forwarded
to the various commands being run but not used by the nested lxc-ls
as it's relatively unlikely that both the host and the nested containers
use a custom path.
This isn't ideal but short of having a way to provide the container path
for every single of the nesting (with potential unlimited depth), it's
the best we can do.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
- Drop disabled entries from allowed devices list
- Improve generated config layout a bit
- Drop redundant uname call
- Re-generate the SSH host keys on container creation
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
According to "arch"'s manpage, it's identical to "uname -m".
Some distros ship uname but don't ship arch, however all distros ship uname,
therefore it makes sense to use "uname -m" whenever possible.
Signed-off-by: Christian Bühler <christian@cbuehler.de>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This fixes a few issues uncovered by the recent C module fix.
In lxc-start-ephemeral, the hwaddr code wasn't actually working.
Replace by code that properly iterates through the network interfaces
and sets a new MAC address for each entry.
In the python overlay, catch the newly emitted KeyError when in
set_config_item (or setting any previously unset variable would fail).
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Fixes a lot of issues found by a code review done by Barry Warsaw.
Those include:
- Wrong signature for getters
- Various memory leaks
- Various optimizations
- More consistent return values
- Proper exception handling
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Reported-by: Barry Warsaw <barry@ubuntu.com>
Acked-by: Barry Warsaw <barry@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Reimplement mkdir_p() such that it:
...handles relativ paths correctly. (currently it crashes)
...does not rely on dirname().
...is not recursive.
...is shorter. ;-)
Signed-off-by: Richard Weinberger <richard@nod.at>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This reverts commit 5a5c35c3a0.
This commit was preventing startup of containers using lxc hooks and
shutdown of all other containers, requiring the use of a good old
kill -9 to get rid of lxc-start after a container shutdown.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
This reverts commit 8de4140644.
This commit was preventing container startup on my machine, making them
all fail with various "No such file or directory" errors.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Reimplement mkdir_p() such that it:
...handles relativ paths correctly. (currently it crashes)
...does not rely on dirname().
...is not recursive.
...is shorter. ;-)
Signed-off-by: Richard Weinberger <richard@nod.at>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
If the process in the new namespace dies very early
we have currently no chance to detect this.
The parent process will just die due to SIGPIPE
if it write to the fd used for synchronisation and
nobody will notice the real cause of the problem.
Install a SIGCHLD handler to detect the death.
Later when the child does execve() to the init within
the new namespace the handler will be disabled automatically.
Signed-off-by: Richard Weinberger <richard@nod.at>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
There is no need to use nested functions voodoo.
Signed-off-by: Richard Weinberger <richard@nod.at>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
The recent change to use strtok_r causes a build warning with this older
gcc version, so initialize saveptr to NULL to quiet the compiler and
unbreak the build. There was no warning with gcc 4.7.2 that I
originally tested with.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
As Richard reported, dirname('//') returns //. But mkdir_p only stops
when called with '/', resulting in infinite recursion when given a
pathname '//foo/bar'.
Reported-by: richard -rw- weinberger <richard.weinberger@gmail.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
This patch supports the scenario where a user wants to install a
busybox container on a busybox host.
When running the template, in order to change the root password,
the template needs to do the chroot. On busybox-powered hosts, chroot
is not part of the coreutils package - it's part of busybox. And the
busybox implementation or chroot only works if it has /lib in the new
root populated with the right binaries (or at least that's the
solution I found to make it work).
The temporarily bind-mounts /lib in the NEWROOT, chroots there,
changes the password, goes back and unmounts. This set of operations
is contained in a new MOUNT namespace, using the lxc-unshare call.
Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
pclose returns the exit status from wait, we need to check that to see if
the script itself failed or not. Tested a script that returned 0, 1, and
also one that did a sleep and then was killed by a signal.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Also check that we wrote the amount we expected to. The write on the pty
is blocking but we could still get a short write on EINTR, so we should
SYSERROR it.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This makes it match the manpage and be consistent with lxc-execute
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Unfortunately installing a working lxc-init is somewhat hairy and
distro-dependent. So we skipped it before, but Coverity didn't
like that, so just ifdef it out.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
1. in container_free, set c->privlock to NULL before calling
sem_destroy, to prevent a window where another thread could call
sem_wait(c->privlock) while c->privlock is not NULL but is already
destroyed.
2. in container_get, check for numthreads < 0 before calling lxclock.
Once numthreads is 0, it never goes back up.
Following is a comment added to lxccontainer.c:
/*
* Consider the following case:
freer | racing get()er
==================================================================
lxc_container_put() | lxc_container_get()
\ lxclock(c->privlock) | c->numthreads < 1? (no)
\ c->numthreads = 0 | \ lxclock(c->privlock) -> waits
\ lxcunlock() | \
\ lxc_container_free() | \ lxclock() returns
| \ c->numthreads < 1 -> return 0
\ \ (free stuff) |
\ \ sem_destroy(privlock) |
* When the get()er checks numthreads the first time, one of the following
* is true:
* 1. freer has set numthreads = 0. get() returns 0
* 2. freer is between lxclock and setting numthreads to 0. get()er will
* sem_wait on privlock, get lxclock after freer() drops it, then see
* numthreads is 0 and exit without touching lxclock again..
* 3. freer has not yet locked privlock. If get()er runs first, then put()er
* will see --numthreads = 1 and not call lxc_container_free().
*/
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
The ubuntu template will silently fail (because it is set -e) on
the locale-gen command when LANG=C
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Fix lxc-create to not word split template arguments. This makes
lxc-create -n ol -t oracle -- -r "at cronie wget" work since the argument
to -r will be passed as one arg instead of three.
Fix oracle template -u option to shift the correct amount.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Corrected ssh option for custom key (from -k to -i). Just see ssh
manpage for justification.
Signed-off-by: Wojciech Izykowski <wizykowski@gmail.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Commit 37c3dfc9 sets the wait status on only the child pid. It
intended to match the pid only once to protect against pid reuse but it
won't because the indicator was reset to 0 every time at the top of the
loop. If the child pid is reused, the wait status will be set again.
Fix by setting indicator outside the loop.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
