lxc-init got moved into SBINDIR/init.lxc recently.
This broke sshd template because path wasn't updated there.
This patch should fix this issue.
Signed-off-by: Nikolay Martynov <mar.kolya@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
- Some scriptlets expect fstab to exist so create it before doing the
yum install
- Set the rootfs selinux label same as the hosts or else the PREIN script
from initscripts will fail when running groupadd utmp, which prevents
creation of OL4.x containers on hosts > OL6.x.
- Move creation of devices into a separate function
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
/proc/sys/kernel/sem* and /proc/sys/kernel/msg* are ipc sysctls
which are properly namespaced. Allow writes to them from
containers.
Reported-by: Dan Kegel <dank@kegel.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
According to Serge, we no longer need to keep cgmanager connection open.
As long as my tests go it seems to be working fine.
Signed-off-by: S.Çağlar Onur <caglar@10ur.org>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
When outputing the lxc.arch setting, use i686 instead of x86 since the
later is not a valid input to setarch, nor will the kernel output
UTS_MACHINE as x86. The kernel sets utsname.machine to i[3456]86, which
all map to PER_LINUX32.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
This change accepts all the same strings for lxc.arch that setarch(8) does.
Note that we continue to parse plain x86 as PER_LINUX32 so as not to break
existing lxc configuration files.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Failures were being ignored, leading up to an eventual segfault.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This only converts punctuation marks from FULLWIDTH COMMA/FULL STOP to
IDEOGRAPHIC COMMA/FULL STOP in Japanese man pages. The contents of man
pages do not change at all.
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
I inadvertently introduced this with commit 8bf1e61e.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Check for symlinks before attempting create.
When attempting to create the compulsory symlinks in /dev,
check for the existence of the link using stat first before
blindly attempting to create the link.
This works around an apparent quirk in the kernel VFS on read-only
file systems where the returned error code might be EEXIST or EROFS
depending on previous access to the /dev directory and its entries.
Reported-by: William Dauchy <william@gandi.net>
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
Tested-by: William Dauchy <william@gandi.net>
Originally we kept snapshots under /var/lib/lxcsnaps. If a
separate btrfs is mounted at /var/lib/lxc, then we can't
make btrfs snapshots under /var/lib/lxcsnaps.
This patch moves the default directory to /var/lib/lxc/lxcsnaps.
If /var/lib/lxcsnaps already exists, then use that. Don't allow
any container to be used with the name 'lxcsnaps'.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
If you 'ip netns add x1', this creates /run/netns and /run/netns/x1
as shared mounts. When a container starts, it umounts these after
pivot_root, and the umount is propagated to the host.
Worse, doing mount("", "/", NULL, MS_SLAVE|MS_REC, NULL) does not
suffice to change those, even after binding /proc/mounts onto
/etc/mtab.
So, I give up. Do this manually, walking over /proc/self/mountinfo
and changing the mount propagation on everything marked as shared.
With this patch, lxc-start no longer unmounts /run/netns/* on the
host.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
In the body of the manpage, replace a few errant 'fssize's with the
more appropriate word.
Reported-by: MegaBrutal <megabrutal@megabrutal.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
it actually sets us up to run the nih_mainloop, but we will never run
that.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This makes it so that the host doesn't need to have an old, compat
version of db43_load installed by using the db_load from the just
installed container. Some newer distributions do not even have an old
enough compat-db4 package available.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
With this change, you can install a container from a mounted .iso, or any
yum repo with the necessary packages. Unlike the --url option, the repo
does not need to be a mirror of public-yum, but the arch and release must
be specified. For example to install OL6.5 from an .iso image:
mount -o loop OracleLinux-R6-U5-Server-x86_64-dvd.iso /mnt
lxc-create -n OL6.5 -t oracle -- --baseurl=file:///mnt -a x86_64 -R 6.5
The template will create two yum .repo files within the container such that
additional packages can be installed from local media, or the container can
be updated from public-yum, whichever is available. Local media must be bind
mounted from the host onto the containers' /mnt for the former .repo to work:
mount --bind /mnt $LXCPATH/OL6.5/rootfs/mnt
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Recent fixes in the apparmor kernel code is now making at least the CI
environment and quite possibly some others fail due to an invalid path
in the pivot_root stanza.
So update both lines to allow a more generic pivot_root call for
anything in LXC's work directory.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
In this patch I tried to stick with each file's coding style, however I
think we should probably change that. Every main() should always not
return and only exit; they should always return EXIT_SUCCESS or EXIT_FAILURE
with the only exceptions being cases where we are returning a child's
exit status (lxc_execute, lxc_attach, lxc_init).
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
So that exit status doesn't show up as 255.
Reported-by: Andrey Khozov <avkhozov@googlemail.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
When rebooting an unprivileged container, netpipe starts out
as not -1. If count_veths somehow changed this could lead
to trying to send data over nonexistent pipe. (Ok can't
*really* happen, as it currently stands, but it's an open
end)
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Cleanups:
1. Do not modify container's /etc/hosts (archlinux uses /etc/nsswitch.conf)
2. Remove duplicate lines from config
3. Print a nicer final message
4. Get rid of some grep's
Signed-off-by: Leonid Isaev <lisaev@umail.iu.edu>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Cleanups:
1. Do not modify container's /etc/hosts (archlinux uses /etc/nsswitch.conf)
2. Remove duplicate lines from config
3. Print a nicer final message
4. Get rid of some grep's in favor of bash regex
Signed-off-by: Leonid Isaev <lisaev@umail.iu.edu>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Do not copy the pacman master key from the host, as this opens it to
attacks; generate a new secret hostkey.
Signed-off-by: Leonid Isaev <lisaev@umail.iu.edu>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Do not cherry-pick packages for the default install to avoid dependency
issues. Instead, install the base group modulo blacklisted packages.
Signed-off-by: Leonid Isaev <lisaev@umail.iu.edu>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Place log file into LOGPATH instead of LXCPATH (but still use the
given lxcpath if the latter differs from LXCPATH).
Signed-off-by: Robert Vogelgesang <vogel@users.sourceforge.net>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Fix parsing of /etc/lxc/default.conf, i. e. ignore comments, and don't
require whitespace left and right of the equal sign.
Make the early return actually work.
Signed-off-by: Robert Vogelgesang <vogel@users.sourceforge.net>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
When lxc-info's stdout is not line buffered (ie. "lxc-info -n foo |more")
the first three lines will be duplicated. This is because c->get_ips()
comes next and it forks and the child will exit() causing its fds to be
closed which flushes out its (fork duplicated) stdio buffers. The lines are
then duplicated when the parent actually gets around to flushing out its
stdio. This causes problems for programs (such as the lxc-webpanel) which
are popen()ing lxc-info.
The fix here isn't necessarily the right one, but does show what the
problem is. Seems like maybe we should fix this inside of get_ips(), for
other API callers as well.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Added lxc.arch to the resulting container configuration files
to support i686 on x86_64 cross arch containers.
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Allow writes to kernel.shm*, net.*, kernel/domainname and
kernel/hostname,
Also fix a bug in the lxc-generate-aa-rules.py script in a
path which wasn't being exercised before, which returned a
path element rather than its child.
Changelog (v2): remove trailing / from block path
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This should help it run better on slow test environment like the LXC CI
armhf builder.
- Wait longer for the container to start
- Wait longer for the container to shutdown
- On failure to shutdown, kill the container
- Always destroy the container if it's around
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
