This patch allows specifying an image or a block device.
The image or the block device is mounted on rootfs->mount.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
In the case we use an image for rootfs, if we need to do extra mounts
from the host to the rootfs, we have to specify the place where the
image is mounted. This value is configured by the user with
lxc.rootfs.mount, otherwise defaulting to @LXCROOTFSMOUNT@. Let's
export this variable to pkg-config, so the user can use it to build
a correct path to the rootfs.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Don't display an error when the callback returns an error different
from zero. A value greater than zero may mean "stop". Let the caller
check the error.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Let's initialize rootfs->mount to LXCROOTFSMOUNT. The value
will be overwritten by the configuration in case it is specified.
That will make the code nicer, instead of the ugly rootfs->mount checks.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Split the rootfs setup by mounting the rootfs to the mount
point. This mount point will be used as the de facto place where
the rootfs is placed.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
The attached patch adds a variable at the top of lxc-debian to change the SUITE.
Currently tested suites are lenny, squeeze, sid.
Also, the patch uses the dhcp3-client package instead of dhcp-client which is
deprecated in lenny and removed in squeeze.
Patch initially from Mathieu Parent.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Correctly link to libcap to avoid underlinking and unused direct
dependency problems.
Signed-off-by: Ozan Caglayan <ozan@pardus.org.tr>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
When a container is installed with 32-bit binaries while we are
running on a 64-bit host, inside the container we are seen as a
64-bit arch. That leads to some problems for the package updates
because the scripts will download 64-bit packages instead of 32-bit ones.
This patch defines a configuration variable to set the architecture
of the container.
lxc.arch = i686 | x86 | x86_64 | amd64
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
src/lxc/console.c:143: warning : return type defaults to ‘int’
Signed-off-by: Michel Normand <normand@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
In case of error the message will always be truncated.
We check that the message was truncated using the total size
received, which means the kernel has more info to give.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
If the physical link is not specified in the configuration
the check in if_nametoindex(netdev->link) leads to a segfault.
Check the link is specified.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Reported-by: Ferenc Wagner <wferi@niif.hu>
When the interface used in the container is a physical
interface from the host, we keep the initial name.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Reported-by: Sabdar <sabdar@wellspringsys.com>
The list is 'lifo', so when we create the network interfaces, we
do this in the reverse order of the expected one. That is confusing.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Some file systems do not support POSIX file capabilities.
The following script sets the setuid root bit on the different
CLIs.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
With the capabilities, the open of the log file can be done on any
file, making it possible to modify the content of the file.
Let's drop the privilege when opening the file, so we ensure that it is
no longer possible.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Move the reset of the capabilities to the caps.c file and
initialize correctly the capabilities for lxc-init.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
This patch adds the functions to drop the 'effective' capabilities and
restore them from the 'permitted' capabilities.
When the command is run as 'root' we do nothing.
When the command is run as a 'lambda' user, we drop the effective capabilities.
When the command is run as 'root' but the real uid is not root, we keep the capabilities,
switch to the real uid, and drop the effective capabilities.
This approach is compatible with root user, lambda + file capabilities
and lambda + setuid.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
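The three cases described in that message, as an added example that is not lxc's code: it talks to the kernel through the raw capget/capset syscalls instead of libcap (lxc itself links libcap), and the names lxc_caps_down, lxc_caps_up, lxc_caps_init and caps_effective_empty are this example's own. The effective set is cleared while the permitted set is kept, which is exactly what lets a file-capability or setuid binary run unprivileged until it needs the privilege back.

```c
#define _GNU_SOURCE
#include <linux/capability.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Example code, not lxc's own. Raw capget/capset wrappers using the v3
 * data layout: two 32-bit words per capability set, no libcap needed. */
typedef struct __user_cap_header_struct cap_hdr_t;
typedef struct __user_cap_data_struct cap_data_t;

static int caps_get(cap_hdr_t *hdr, cap_data_t data[_LINUX_CAPABILITY_U32S_3])
{
    hdr->version = _LINUX_CAPABILITY_VERSION_3;
    hdr->pid = 0;                       /* 0 = the calling thread */
    return syscall(SYS_capget, hdr, data) < 0 ? -1 : 0;
}

static int caps_set(cap_hdr_t *hdr, cap_data_t data[_LINUX_CAPABILITY_U32S_3])
{
    return syscall(SYS_capset, hdr, data) < 0 ? -1 : 0;
}

/* Drop the effective set only. The permitted set is untouched, so the
 * privilege can be regained later with lxc_caps_up(). */
int lxc_caps_down(void)
{
    cap_hdr_t hdr;
    cap_data_t data[_LINUX_CAPABILITY_U32S_3];

    if (caps_get(&hdr, data) < 0)
        return -1;
    for (int i = 0; i < _LINUX_CAPABILITY_U32S_3; i++)
        data[i].effective = 0;
    return caps_set(&hdr, data);
}

/* Restore the effective set from the permitted set. */
int lxc_caps_up(void)
{
    cap_hdr_t hdr;
    cap_data_t data[_LINUX_CAPABILITY_U32S_3];

    if (caps_get(&hdr, data) < 0)
        return -1;
    for (int i = 0; i < _LINUX_CAPABILITY_U32S_3; i++)
        data[i].effective = data[i].permitted;
    return caps_set(&hdr, data);
}

/* 1 if no capability is currently effective, 0 if some are, -1 on error. */
int caps_effective_empty(void)
{
    cap_hdr_t hdr;
    cap_data_t data[_LINUX_CAPABILITY_U32S_3];

    if (caps_get(&hdr, data) < 0)
        return -1;
    for (int i = 0; i < _LINUX_CAPABILITY_U32S_3; i++)
        if (data[i].effective)
            return 0;
    return 1;
}

/* Startup policy from the commit message: real root keeps everything; a
 * plain user drops the effective set; a setuid-root invocation keeps the
 * permitted set across the switch back to the real uid, then drops the
 * effective set. */
int lxc_caps_init(void)
{
    uid_t uid = getuid();
    uid_t euid = geteuid();

    if (uid == 0 && euid == 0)
        return 0;

    if (euid == 0) {
        /* Without PR_SET_KEEPCAPS the permitted set would be cleared by
         * setuid() and the privilege could never be regained. */
        if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0)
            return -1;
        if (setuid(uid) < 0)
            return -1;
    }
    return lxc_caps_down();
}
```

A program built this way calls lxc_caps_init() first thing and wraps each privileged operation in lxc_caps_up()/lxc_caps_down(), so a file opened in between (the log file from the next message, for instance) is opened with the caller's plain uid and nothing more.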
If lxc-init receives a SIGALRM, a timeout, it kills all the processes
of the container with SIGKILL. That will prevent the container from being
stuck when one process ignores the SIGTERM signal.
Each time a process exits, the timeout is reset.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
When lxc-init receives a SIGTERM, let's kill all the processes of
the pid namespace with kill -1. So the exit of the container will
happen gracefully with a cascade of process deaths.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
As pointed out by Dan Smith, when a container is being stopped, it must
also be unfrozen after posting the SIGKILL. Otherwise if the container
is frozen when the SIGKILL is posted, the SIGKILL will remain pending
and the lxc-stop command will block until lxc-unfreeze is explicitly
called.
(lxc-stop waits for the container to exit and close the socket but since
the container is frozen, lxc-stop will block).
Signed-off-by: Sukadev Bhattiprolu <sukadev@linux.vnet.ibm.com>
Acked-by: Matt Helsley <matthltc@us.ibm.com>
Acked-by: Dan Smith <danms@us.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
A write to the freezer.state file does not guarantee that the state has
changed. To ensure that the freezer state is either FROZEN or THAWED,
read the freezer state and if it has not changed, repeat the write.
Changelog[v2]:
- Minor reorg of code
- Comments from Daniel Lezcano:
  - lseek() before each read/write of freezer.state
  - Have lxc_freeze_unfreeze() return -1 on error
Signed-off-by: Sukadev Bhattiprolu <sukadev@linux.vnet.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
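The write-then-read-back loop from that message, as an added example that is not lxc's code. The function name freezer_set_state is this example's own, the retry bound and the 1 ms pause are choices made here, and make_state_file is test scaffolding that stands in for a cgroup freezer.state file so the loop can be exercised on a plain file.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Example code, not lxc's own. Writes `want` ("FROZEN" or "THAWED") to the
 * freezer.state file at `path` and reads it back until the kernel reports
 * exactly that state: a single write only requests the transition, and
 * while tasks are still being frozen the file reads "FREEZING". Returns 0
 * once the state is confirmed, -1 on error or after `max_tries` writes. */
int freezer_set_state(const char *path, const char *want, int max_tries)
{
    char buf[32];
    size_t len = strlen(want);
    int fd = open(path, O_RDWR);

    if (fd < 0)
        return -1;

    for (int i = 0; i < max_tries; i++) {
        /* The same fd is reused, so rewind before every write and read. */
        if (lseek(fd, 0, SEEK_SET) < 0)
            goto fail;
        if (write(fd, want, len) != (ssize_t)len)
            goto fail;
        if (lseek(fd, 0, SEEK_SET) < 0)
            goto fail;
        ssize_t n = read(fd, buf, sizeof(buf) - 1);
        if (n < 0)
            goto fail;
        buf[n] = '\0';
        /* The kernel appends a newline; require the whole word to match,
         * not just a prefix. */
        if (strncmp(buf, want, len) == 0 &&
            (buf[len] == '\n' || buf[len] == '\0')) {
            close(fd);
            return 0;
        }
        usleep(1000);   /* give the freezer a moment, then write again */
    }
fail:
    close(fd);
    return -1;
}

/* Test scaffolding: create a temporary file holding `contents` so the loop
 * above can run without a cgroup. Writes the path into `path_out` (at
 * least 32 bytes). Returns 0 on success. */
int make_state_file(const char *contents, char *path_out)
{
    strcpy(path_out, "/tmp/freezer.state.XXXXXX");
    int fd = mkstemp(path_out);
    if (fd < 0)
        return -1;
    size_t len = strlen(contents);
    int ok = write(fd, contents, len) == (ssize_t)len;
    close(fd);
    return ok ? 0 : -1;
}

int main(int argc, char **argv)
{
    if (argc != 3)
        return 2;
    return freezer_set_state(argv[1], argv[2], 100) == 0 ? 0 : 1;
}
```

Against a real freezer the loop normally confirms on the first or second pass; the bounded retry count is what turns a freezer that never settles into an error for lxc-freeze/lxc-unfreeze to report rather than a hang.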
If the pdeath signal is set after the synchro we have a window where
the parent exits with the pdeath signal not set.
In order to avoid that, we have to move the prctl before the synchro with
the parent so if the parent exits before we can set the pdeath signal, the
synchro will fail in any case and the container startup will be aborted.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
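The ordering that message describes, as an added example that is not lxc's code: the child arms PR_SET_PDEATHSIG first and only then performs the synchro with the parent over a pipe, so if the parent is already gone the synchro fails (EOF on the pipe) and startup aborts. The names child_setup, parent_release and run_handshake are this example's own, and the getppid() comparison is an extra check added here that the commit does not mention.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Example code, not lxc's own. Child side: arm the parent-death signal
 * BEFORE the synchro. The only window left (parent gone between fork()
 * and prctl()) is closed by the synchro itself: the parent's end of the
 * pipe is then already closed, read() returns 0 and the child aborts
 * instead of continuing unsupervised. */
int child_setup(int sync_fd, pid_t expected_parent)
{
    char go;

    if (prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0) < 0)
        return -1;
    /* Extra check not in the commit: if the parent died before prctl()
     * ran, we were reparented and the signal would never fire. */
    if (getppid() != expected_parent)
        return -1;
    /* The synchro: block until the parent releases us. */
    if (read(sync_fd, &go, 1) != 1)
        return -1;
    return 0;
}

/* Parent side of the synchro. */
int parent_release(int sync_fd)
{
    return write(sync_fd, "g", 1) == 1 ? 0 : -1;
}

/* Run the handshake once. With parent_releases == 0 the parent closes its
 * end without releasing the child, which is exactly what the child sees
 * when the parent has exited. Returns the child's exit code (0 = started,
 * 1 = startup aborted) or -1 on a local failure. */
int run_handshake(int parent_releases)
{
    int fds[2];
    int status;
    pid_t parent = getpid();
    pid_t pid;

    if (pipe(fds) < 0)
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        close(fds[1]);
        _exit(child_setup(fds[0], parent) == 0 ? 0 : 1);
    }
    close(fds[0]);
    if (parent_releases)
        parent_release(fds[1]);
    close(fds[1]);
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Had the prctl() come after the read(), a parent dying between the release and the prctl() would leave a fully started child with no death signal armed, which is the window the commit closes.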
Hello all!
This bug stalked me for a while, but only now it bit me quite
badly... (Lost about an hour of work...)
So the culprit: inside the fstab file for the `lxc.mount` option I
can use options like `ro` together with `bind`. Unfortunately the
kernel just laughs in my face and ignores any options I've put in
there... :) But not any more: I've updated `./src/lxc/conf.c`
(`mount_file_entries` function) so that when it encounters a `bind`
option it executes it twice (one without any extra options, and a
second time with the remount flag set.)
I've marginally (as in my particular case) tested it and it works.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
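The two-pass bind mount from that message, as an added example that is not lxc's code: a first plain MS_BIND call, then an MS_BIND|MS_REMOUNT call that carries the options the kernel ignored the first time (ro, nosuid, nodev, noexec). The option table in parse_mount_options is a small constructed one, and parse_mount_options, bind_mount_plan and mount_entry are this example's own names; the actual mount(2) calls need CAP_SYS_ADMIN to succeed, while the planning logic runs anywhere.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>

/* Example code, not lxc's own. On the initial bind call the kernel honours
 * only MS_BIND and MS_REC; every other flag is silently dropped and only
 * takes effect on a second MS_BIND|MS_REMOUNT call against the target. */
#define BIND_PASS_FLAGS (MS_BIND | MS_REC)

/* Translate a comma-separated fstab option string into mount(2) flags.
 * Constructed table covering the common options; -1 on an unknown one. */
int parse_mount_options(const char *opts, unsigned long *flags)
{
    static const struct { const char *name; unsigned long flag; } table[] = {
        { "bind",     MS_BIND },
        { "rbind",    MS_BIND | MS_REC },
        { "ro",       MS_RDONLY },
        { "nosuid",   MS_NOSUID },
        { "nodev",    MS_NODEV },
        { "noexec",   MS_NOEXEC },
        { "defaults", 0 },
        { "rw",       0 },
    };
    const size_t ntable = sizeof(table) / sizeof(table[0]);
    char copy[256];

    if (strlen(opts) >= sizeof(copy))
        return -1;
    strcpy(copy, opts);
    *flags = 0;
    for (char *tok = strtok(copy, ","); tok; tok = strtok(NULL, ",")) {
        size_t i;
        for (i = 0; i < ntable; i++)
            if (strcmp(tok, table[i].name) == 0)
                break;
        if (i == ntable)
            return -1;
        *flags |= table[i].flag;
    }
    return 0;
}

/* Decide how many mount(2) calls an entry needs and the flags of each: one
 * for a non-bind mount or a bare bind, two when a bind carries extra
 * options. Returns the number of calls (1 or 2). */
int bind_mount_plan(unsigned long flags, unsigned long out[2])
{
    out[1] = 0;
    if (!(flags & MS_BIND) || (flags & ~BIND_PASS_FLAGS) == 0) {
        out[0] = flags;
        return 1;
    }
    out[0] = flags & BIND_PASS_FLAGS;                   /* plain bind */
    out[1] = (flags & ~MS_REC) | MS_BIND | MS_REMOUNT;  /* apply options */
    return 2;
}

/* Perform the mount(s) for one fstab-style entry. */
int mount_entry(const char *src, const char *dst, const char *fstype,
                const char *opts)
{
    unsigned long flags, pass[2];

    if (parse_mount_options(opts, &flags) < 0)
        return -1;
    int n = bind_mount_plan(flags, pass);
    for (int i = 0; i < n; i++) {
        if (mount(src, dst, fstype, pass[i], NULL) < 0) {
            perror("mount");
            return -1;
        }
    }
    return 0;
}

int main(int argc, char **argv)
{
    unsigned long flags, pass[2];

    if (argc != 2 || parse_mount_options(argv[1], &flags) < 0)
        return 2;
    int n = bind_mount_plan(flags, pass);
    for (int i = 0; i < n; i++)
        printf("mount call %d: flags 0x%lx\n", i + 1, pass[i]);
    return 0;
}
```

The second pass is also the one a reader should check when auditing a container configuration: a bind entry listed as `ro` in the fstab only protects the host directory if that remount actually happened, which `/proc/self/mountinfo` inside the container will show.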
Fix default console output to fall into the current tty.
Otherwise fall back to /dev/null if no tty is available.
At the same time, fix Xorg taking 100% cpu.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
We change the initial pointer when parsing the line, so the address
we are trying to free is modified in case there are blanks before
an option.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>