This should finally silence this test for good :)
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
When cgmanager is around, use dbus-send to setup the cgroups, this
allows the tests to work in a container without cgroupfs access.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
You can have both cgmanager and cgfs compiled in, and lxc will fall back
at runtime to cgfs if it cannot connect to cgmanager, so print the failure
to connect as a DEBUG like the code used to do.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
There are two parts to this fix.
First, create a private DBusConnection manually, instead of using
nih_dbus_connect. The latter always creates a shared connection,
which cannot be closed. Note: creating an actual shared connection,
mutexing it among all threads, and creating per-thread proxies would
be an alternative - however we don't want long-lived connections as
they tend not to be reliable (especially if cgmanager restarts).
Second, use pthread_setspecific to create per-thread keys which can
be associated with destructors. Specify a destructor which closes
the dbus connection. If a thread dies while holding cgmanager,
the connection will be closed. Otherwise, we close the connection
and unset the key.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Depending on where during container creation we failed, cgroup_path
may be NULL. Don't try to delete the cgroup in that case.
(Also fix a wrong function name in an ERROR message)
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Opening a debug log for every thread at every iteration of test-concurrent
causes it to quickly run out of fd's because this fd is leaked. Fix this
by adding a new api: lxc_log_close().
As Caglar noted, the log handling is in general a bit "interesting" because
a logfile can be opened through the per-container api
c->set_config_item("lxc.logfile") but lxc_log_fd is now per-thread data. It
just so happens in test-concurrent that there is a 1:1 mapping of threads
to logfiles.
Split out getting debug logs from quiet since I think they are useful
separately. If debug is specified, get a log of any mode, not just during
start.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
It's often been reported that the behavior of lxc-create without -t is a
bit confusing. This change makes lxc-create require the --template
option and introduces a new "none" special value which when set will
fallback to the old template-less behavior.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Instead of maintaining hardcoded lists, point everyone to --help and
have the current list of valid and default fields printed there.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
When passed, this flag will cause lxc-autostart to ignore the value of
lxc.start.auto.
This then allows things like: lxc-autostart -s -a -A
Which will select all containers regardless of groups (-a), regardless
of whether they are actually marked as auto-started (-A) and will shut
them down (-s).
Update our init scripts to use the new feature.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This prevents things like bridges from being destroyed by the kernel.
My hope is that just doing this will be enough to also ensure that
the device will be available to be renamed immediately, so that
we don't need to do a retry loop.
Tested with a dummy device. renaming dummy0 to dummy5 in container,
then shutting down container, returns dummy0 to the host.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This doesn't solve the general design problem of the log.c (eg; some log lines
got lost or scattered into multiple files) but at least prevent multithreaded
code from crashing.
Before this change something like following;
sudo src/tests/lxc-test-concurrent -i 10 -j 20
was crashing nearly all the time due to 3afbcc4600 as we started to
set lxc.loglevel and lxc.logfile with that commit.
Signed-off-by: S.Çağlar Onur <caglar@10ur.org>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Thanks to S.Çağlar for figuring out that we needed this!
Also fix a memory leak found by coverity.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
The fds for stdin,stdout,stderr that we were leaving open for /sbin/init
in the container were those from /dev/tty or lxc.console (if given), which
wasn't right. Inside the container it should only have access to the pty
that lxc creates representing the console.
This was noticed because busybox's init was resetting the termio on its
stdin which was effecting the actual users terminal instead of the pty.
This meant it was setting icanon so were were not passing keystrokes
immediately to the pty, and hence command line history/editing wasn't
working.
Fix by dup'ing the console pty to stdin,stdout,stderr just before
exec()ing /sbin/init. Fix fd leak in error handling that I noticed while
going through this code.
Also tested with lxc.console = none, lxc.console = /dev/tty7 and no
lxc.console specified.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
And add a testcase to catch regressions.
Without this patch, restoring a snapshot of an overlayfs based
container fails, because we do not pass in LXC_CLONE_SNAPSHOT,
and overlayfs does not support clone without snapshot.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Drop the thread mutex. Set a (TLS) boolean at container start to
indicate that the connection should be kept open; set it back to false
only when container start is complete. Every cgm_ method opens the
connection if not already open, and closes it if cgm_keep_connection
is false.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
1. remove the cgm_dbus_disconnected handler. We're using a proxy
anyway, and not keeping it around.
2. comment most of the cgm functions to describe when they are called, to
ease locking review
3. the cgmanager mutex is now held for the duration of a connection, from
cgm_dbus_connect to cgm_dbus_disconnect.
3b. so remove the mutex lock/unlock from functions which are called during
container startup with the cgmanager connection already up
4. remove the cgroup_restart(). It's no longer needed since we don't
daemonize while we have the cgmanager socket open.
5. report errors and return early if cgm_dbus_connect() fails
6. don't keep the cgm connection open after cgm_ops_init. I'm a bit torn
on this one as it means that things like lxc-start will always connect
twice. But if we do this there is no good answer, given threaded API
users, on when to drop that initial connection.
7. cgm_unfreeze and nrtasks: grab the dbus connection, as we'll never
have it at that point. (technically i doubt anyone will use
cgmanager and utmp helper on the same host :)
8. lxc_spawn: make sure we only disconnect cgroups if they were already
connected.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This reworks the way lxc-ls works in nesting mode. In the past it'd use
attach_wait's subprocess function to call itself in the container's
namespace, carefully only attaching to the namespaces it needed.
This works great for system containers but not so much as soon as you
also need to attach to userns. Instead this fix moves all of the
container listing code into a get_containers function (hence the massive
diff, sorry), this function is then called recursively.
For running containers, the function is called through attach_wait
inside the container's namespace, for stopped container, the function is
simply called recursively with a base path (container's rootfs) in an
attempt to find containers that way.
Communication between the parent lxc-ls and the child lxc-ls is done
through a temporary fd and serialized state using json (similar to what
was done using stdout in the previous implementation).
As get_global_config_item unfortunately caches the values, there's no
easy way to figure out what the lxcpath should be for a root container
when running as non-root, so just use @LXCPATH@ for now and have
python do the parsing itself.
As a result, the following things now work as expected:
- listing nested unprivileged containers (root containers inside unpriv)
- listing nested containers when they're not running
- filtering containers in nesting mode (only the first level is filtered)
- copy with invalid config (used to traceback)
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
get_global_config_item was added in _lxc but not mapped into lxc itself,
this resolves this oversight.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
If the user maps container root to his host uid, chown_mapped_rootid
tries to make the same mapping twice and gets -EINVAL.
Reported-by: Andy Whitcroft <apw@canonical.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Install lua files under the confiugred --prefix rather than use the
pkg-config's variables LUA_INSTALL_[CL]MOD.
Users will likely want user --prefix while packagers will use DESTDIR.
Set the default to $datadir/lua/$LUA_VERSION for arch independent
lua modules and $libdir/lua/$LUA_VERSION for arch dependant .so module.
This should work for most distros. If it does not, then packagers
can still do:
make install lualibdir=$(pkg-config lua --variable=INSTALL_CMOD) ...
This fixes#169
Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
Acked-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
If clone is called from the api, the container object in memory
retains the bad fs. The line is wrong, being a leftover from a
previous attempt before copy_storage was moved earlier.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
also remove /usr special case for non-debian distros since systemd
itself sets systemunitdir=$(rootprefix)/lib/systemd/system
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
When adding the missing return value in Caglar's change (as discussed on
the mailing-list), I set err = -1 instead or ret = -1, causing an
obvious build failure...
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Only do the funky chroot_into_slave if / is in fact the rootfs.
Rootfs is a special blacklisted case for pivot_root.
If / is not rootfs but is shared, just mount / rslave. We're
already in our own namespace.
This appears to solve the extra /proc/$$/mount entries in
containers and the host directories in lxc-attach which have
been plagueing at least fedora and arch.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Otherwise an interrupted clone can lead to the original rootfs
being delete.
There is a period during lxcapi_clone during which we have written down
a temporary configuration file on disk, for the new container, using the
old rootfs. Interruption of clone doesn't allow us to do the cleanup we
do in error paths, so a subsequent lxc-destroy removes the old rootfs.
Fix this by doing the copy_storage as early as possible, and not
writing down the rootfs when we write down the temporary configuration
file.
(note - I tested this by putting a series of
'if (strcmp(newname, "u%d") == 0) exit(1)' inline to trigger
interruption between most blocks. If someone has a good idea
for a generic way to regression-test this henceforth that'd be
great)
See https://bugs.launchpad.net/lxc/+bug/1285850
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
fixes#131
changes since v1;
* uses btrfs snapshot feature only if src and dest are on same fs
Signed-off-by: S.Çağlar Onur <caglar@10ur.org>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
There are only a few times when we need to be connected to the
cgroup manager:
* when starting a container, from cgm_init until we've set cgroup limits
* when changing a cgroup setting (while running)
* when cleaning up (when shutting down)
* around the cgroup entering at attach
So only connect/disconnect the cgmanager socket on-demand as
needed. This should have a few benefits.
1. Reduce the # open fds when many containers are running
2. if cgmanager is stopped and restarted, the container
doesn't have to deal with the disconnection.
This is currently RFC. There are a few issues outstanding:
1. the cgm_set and cgm_get may need to be made thread-safe.
2. a non-daemonized start which fails while cgm is connected,
will not disconnected.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
