Satoshi Matsumoto certainly had the right idea and in spotting a bug in
the lxc-fedora template for systemd detection. Heart was in the right
spot but patch was not what we needed.
I've looked the patch code over for systemd support and init/upstart
support and modified the logic appropriately. If /etc/systemd/system
exists, we'll do the right thing by systemd. If /etc/rc.sysinit exists,
we'll do the right thing by init / upstart. If both are installed,
we'll trying and accommodate both in case someone is playing games with
the two (I've done this).
Patch was trivial, just took more time to actually test it and create
some containers with it and verify them, than it did to code them.
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
This allows ability to now specify '--userdata' arguments to 'create' or
to 'clone'. So now, the following means very fast start of instances with
different user-data.
$ sudo lxc-create -t ubuntu-cloud -n precise -- \
-r precise --arch amd64
$ sudo lxc-clone -B overlayfs -o precise -s -n ephem1 \
--userdata="my.userdata1"
$ sudo lxc-clone -B overlayfs -o precise -s -n ephem2 \
--userdata="my.userdata2"
Also present here is
* an improvement to the static list of Ubuntu releases. It uses
ubuntu-distro-info if available degrades back to a static list on failure.
* moving of the replacement variables to the top of the create template This
is just to make it more obvious what is being replaced and put them in a
single location.
Signed-off-by: Scott Moser <smoser@ubuntu.com>
don't try to lock if using a specified tarball
The lock/subsys/lxc-ubuntu-cloud lock is to protect the tarballs
managed under /var/cache/lxc/cloud-$release. Don't lock if we've
been handed a tarball.
fake device creation
Unprivileged users can't create devices, so bind mount null, tty, urandom
and console from the host.
Changelog:
Jul 22: as Stéphane points out, remove a left-over debug line
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Up to now lxc-create ensured that you were running as root. Now the
templates which require root need to do it for themselves. Templates
which do mknod definately require root.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
The debugfs, fusectl, and securityfs may not be mounted inside a
non-init userns. But mountall hangs waiting for them to be
mounted. So just pre-mount them using $lxcpath/$name/fstab as
bind mounts, which will prevent mountall from trying to mount
them.
If the kernel doesn't provide them, then the bind mount failure
will be ignored, and mountall in the container will proceed
without the mount since it is 'optional'. But without these
bind mounts, starting a container inside a user namespace
hangs.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Hey all!
Patch for the Fedora template. Several things...
1) A month or so ago, I floated an idea of adding an option for utsname
which Serge seemed to like but we let it float for more feedback (none
came).
2) In private mail to Serge and Stéphane I mentioned the idea of using
the CPE (Common Platform Enumeration) for host distro and version
identification. I heard back from Serge but not Stéphane. CPE is a
standard promoted by NIST and Mitre (along with CVE and CVSS) as part of
the security community as a common identification mechanism. It's
supported by RedHat based distros and many others (notable exception
Ubuntu). I've patched the Fedora template to parse first
the /etc/os-release file or, alternatively, the /etc/system-release-cpe
file for the distro ID and version instead of the human
readable /etc/redhat-release. There's more that can be done with that
in the realm of cross distro container builds, I suspect.
3) At the time of working on 1&2 I noticed that the retry logic in the
Fedora template just didn't seem right. I believe I posted a message
asking for clarification on that behavior. A recently post in the
-users list indicating that someone could not create a Fedora 19
container (because the release ver string was 19-2 and the template was
only looking for -1) prompted me to rework the retry logic for handling
the mirror list and servers as well as revamp the download logic to
properly identify the correct release package.
The patch for all of the above is attached below the jump. It's been
tested on Fedora 17 through Fedora 19 hosts and has created containers
for F11, F12, F13, F14, F16, F17, F18, and F19. F15 failed for rpm
dependency issues that are not worth fixing (IMHO).
Regards,
Mike
--
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw@WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
--
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
The new openssh uses a different mechanism to start/stop the daemon
which in turn requires a few tweaks in our template to deal with both
the new and old ways of doing that.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Commit a0a2066d introduced an lxc subdir into the lxc-init path, but
this was never reflected in the sshd template. Add it there.
Don't have ssh-keygen ask for passphrase since host keys are not
supposed to use them.
Don't try to symlink kmsg since /dev is bind mounted readonly.
Read-only bind mount some extra /etc directories, and sysfs which are
needed by dhclient on Fedora and Oracle Linux. Fix mounting of /proc.
Find sshd in more places by adding some common paths to $PATH, and
use the found path to it instead of hardcoded /usr/sbin.
Check for ifconfig command, and print out container's IP address.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Use sed to set the specified alpine release in the copied
/etc/apk/repositories
Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
pick random server from mirror list
use the latest stable release
Signed-off-by: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
If the package manager, apk-tools is missing, then:
- download a static binary and public keys
- verify the keys against embedded checksum
- verify the signature of the static binary against the downloaded keys
- use the verified static binary
Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
Signed-off-by: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
1. implement bdev->create:
python and lua: send NULL for bdevtype and bdevspecs.
They'll want to be updated to pass those in in a way that makes
sense, but I can't think about that right now.
2. templates: pass --rootfs
If the container is backed by a device which must be mounted (i.e.
lvm) then pass the actual rootfs mount destination to the
templates.
Note that the lxc.rootfs can be a mounted block device. The template
should actually be installing the rootfs under the path where the
lxc.rootfs is *mounted*.
Still, some people like to run templates by hand and assume purely
directory backed containers, so continue to support that use case
(i.e. if no --rootfs is listed).
Make sure the templates don't re-write lxc.rootfs if it is
already in the config. (Most were already checking for that)
3. Replace lxc-create script with lxc_create.c program.
Changelog:
May 24: when creating a container, create $lxcpath/$name/partial,
and flock it. When done, close that file and unlink it. In
lxc_container_new() and lxcapi_start(), check for this file. If
it is locked, create is ongoing. If it exists but is not locked,
create() was killed - remove the container.
May 24: dont disk-lock during lxcapi_create. The partial lock
is sufficient.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
This is just some minor changes in the way the Fedora template is
synthesizing the target rootfs_path. Currently, the template uses a
path with the container in it twice like this:
/var/lib/lxc/rasputin/rasputin/rootfs
This happens because the container name is already contained in the
"path" and the template appends it a second time. This changes the
logic to be congruent with other templates such as lxc-arch. The new
behavior will be to create the rootfs like this:
/var/lib/lxc/rasputin/rootfs
Attached below the jump.
Regards,
Mike
--
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw@WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
--
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
sem_open(3) checks that /dev/shm is SHMFS_SUPER_MAGIC. Normally /dev/shm
is mounted in the initramfs created by dracut, but that won't be run for
a container so make sure that rc.sysinit mounts /dev/shm.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Hey all...
Patch to the lxc-fedora template to setup gettys on the ttys that are
enabled in the configuration. The area of the code already had some
modifications to that service that didn't seem to do anything and would
get wiped out by an update. I commented that out but subsumed the
change it was attempting into my command in case it does something on
another rev somewhere.
This is very similar to the logic in the OpenSuse template but doesn't
seem to appear in other templates, such as arch, which have to deal with
systemd. This isn't unique to Fedora. The templates for Fedora,
ArchLinux, and OpenSuse are the only three that seem to have any
reference to systemd at all.
Attached below the jump.
Regards,
Mike
--
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw@WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
--
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
This took a lot longer for me to get around to it... Sorry.
Patch to the lxc-fedora template.
I didn't get any further comments from my earlier proposal, weeks ago,
and did get one addition based on comments about properly setting the
hostname in /etc/hostname, which I've added. I could have broken them
into separate patches but most are pretty small and minor.
Changes:
* Map armv6l and armv7l architectures to "arm" for yum and repos to
function properly.
* Detect Fedora Remix distros with no "/etc/fedora-release" file
(Raspberry Pi) and find proper release versions when "remix" part of the
file context.
* Change default Fedora container on non-Fedora hosts to Fedora 17.
* Added code for autodev for Fedora systemd containers.
* Added code to set /etc/hostname for Fedora > 14 (systemd).
* Fix a few typos.
Regards,
Mike
--
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw@WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
--
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
The patch removes the behavior of automatically mounting /lib
and /usr/lib, since this is duplicated a few lines below. It will
also remove the risk of failing when one of these entries are not
present on the host - e.g. on a 64bit machine.
Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Add a template to create a cirros container. One great thing about
cirros is that the image you download is 3.5M.
Thanks smoser!
Note by default /etc/inittab doesn't have a /dev/console entry, so you
don't get a login on the lxc-start console. Adding
console::respawn:/sbin/getty 115200 console
makes that work, but ctrl-c still gets forwarded to init which then
reboots. So I didn't bother adding console as part of the template
(yet). Instead I simply lxc-start -d, then lxc-console.
Signed-off-by: Scott Moser <scott.moser@canonical.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Don't allow write to /dev/rtc0, and remove sys_time.
Thanks, Christoph.
v2: drop sys_time, sys_module, mac_admin and mac_override in
all templates.
Reported-by: Christoph Mitasch <cmitasch@thomas-krenn.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Update the code to also match C.* so that C.UTF-8 doesn't make the
container creation fail.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Introduce a new HTTP_PROXY variable in /etc/default/lxc. If unset or
set to none, then behavior continues as before. If set to 'apt', then
any http::proxy set in apt.conf will be used as http_proxy for
debootstrap, and specified in the container's
/etc/apt/apt.conf.d/70proxy. If set to something else, then the
value of HTTP_PROXY will be used as http_proxy for debootstrap and
specified in the container's 70proxy.
Changelog: (apr 23) merge the two apt proxy detection functions.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
- Drop disabled entries from allowed devices list
- Improve generated config layout a bit
- Drop redundant uname call
- Re-generate the SSH host keys on container creation
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
According to "arch"'s manpage, it's identical to "uname -m".
Some distros ship uname but don't ship arch, however all distros ship uname,
therefore it makes sense to use "uname -m" whenever possible.
Signed-off-by: Christian Bühler <christian@cbuehler.de>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This patch supports the scenario where a user wants to install a
busybox container on a busybox host.
When running the template, in order to change the root password,
the template needs to do the chroot. On busybox-powered hosts, chroot
is not part of the coreutils package - it's part of busybox. And the
busybox implementation or chroot only works if it has /lib in the new
root populated with the right binaries (or at least that's the
solution I found to make it work).
The temporarily bind-mounts /lib in the NEWROOT, chroots there,
changes the password, goes back and unmounts. This set of operations
is contained in a new MOUNT namespace, using the lxc-unshare call.
Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
The ubuntu template will silently fail (because it is set -e) on
the locale-gen command when LANG=C
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Fix lxc-create to not word split template arguments. This makes
lxc-create -n ol -t oracle -- -r "at cronie wget" work since the argument
to -r will be passed as one arg instead of three.
Fix oracle template -u option to shift the correct amount.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This updates the various checks to match the grid below:
== lxc-ubuntu support per architecture ==
amd64: amd64, i386, armel, armhf, powerpc
i386: i386, armel, armhf, powerpc
armel: armel, armhf
armhf: armhf, armel
powerpc: powerpc
== lxc-ubuntu-cloud support per architecture ==
amd64: amd64, i386
i386: i386
armel: armel, armhf
armhf: armhf, armel
Note that most of the foreign architectures on x86 are supported
through the use of qemu-user-static. This one however isn't yet
support for cloud images (I'll send a patch for 1.0).
Also, qemu-user-static is technically able to emulate amd64 on i386
but qemu-debootstrap doesn't appear to know that and fails quite miserably.
We may also want to add a test for amd64 kernel but i386 userspace, which
is a valid combination that allows running an amd64 container on an i386
host without requiring emulation, but that's for another patch.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This fixes some issues found by Oracle QA, including several cosmetic
errors seen during container bootup.
The rpm database needs moving on Debian hosts similar to on Ubuntu.
I took Serge's suggestions: Do the yum install in an unshared
mount namespace so the /proc mount done during OL4 install doesn't
pollute the host. No need to blacklist ipv6 modules.
Make the default release 6.3, unless the host is OL, then default
to the same version as the host (same as Ubuntu template does).
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Debian 5.0 Lenny turned out of support on the 6th of February 2012.
From now on, the only supported Debian template is lxc-debian.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This adaptation of systemd. We also add network configuration support.
Jiri Slaby: cleanups, rebase
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
- create /etc/hostname as symlink to /etc/HOSTNAME
- fix inadequate space in lxc.mount config, preventing lxc-clone to work
Jiri Slaby: some cleanups
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
This commit tweaks the layout of the config file for the Ubuntu templates.
With this, we now get a clear network config group, then a path related group,
then a bunch of random config options and the end of the config is apparmor,
capabilities and cgroups.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Check for lxcbr0, virbr0 and br0 and use one of those if they exist.
Set mac address if network type is veth.
Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Add mknod to lxc.cap.drop since udev is conditioned on CAP_MKNOD capability.
Update base package list.
Signed-off-by: Alexander Vladimirov <alexander.idkfa.vladimirov@gmail.com>
Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>
