1. commonize waitpid users to use a single helper. We frequently want
to run something in a clean namespace, or fork off a script. This
lets us keep the function doing fork:(1)exec(2)waitpid simpler.
2. start a blockdev backend implementation. This will be used for
mounting, copying, and snapshotting container filesystems.
3. implement btrfs, lvm, directory, and overlayfs backends.
4. For overlayfs, support a new lxc.rootfs format of
'bdevtype:<extra>'. This means you can now use overlayfs-based
containers without using lxc-start-ephemeral, by using
lxc.rootfs = overlayfs:/readonly-dir:writeable-dir
5. add a set of simple clone testcases
6. Write a new lxc_clone.c based on api clone.
Still to do (there's more, but off top of my head):
1. support zfs, aufs
2. have clone handle other mount entries (right now it only clones
the rootfs)
3. python, lua, and go bindings (not me :)
4. lxc-destroy: if lvm backing store, check for snapshots of it.
(what about directories which have overlayfs clones?)
Changes since v2:
Initialize random generator when picking new macaddr (reported
by caglar@10ur.org)
Fix wrong use of bitmask flags
On copy-clone of btrfs, create a subvolume
lxc_clone.c: respect the command line usage of the old script
lxc-clone(1): update documentation
Refuse to try changing backing stores expect to overlayfs, as
it is not implemented (yet) anyway.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Conflicts:
src/lxc/utils.h
On Fri, 26 Apr 2013 10:18:12 -0500
Serge Hallyn <serge.hallyn@ubuntu.com> wrote:
> Quoting Dwight Engen (dwight.engen@oracle.com):
> > On Fri, 26 Apr 2013 09:37:49 -0500
> > Serge Hallyn <serge.hallyn@ubuntu.com> wrote:
> >
> > > Quoting Dwight Engen (dwight.engen@oracle.com):
> > > > Using lxc configured with --enable-configpath-log, and
> > > > specifying a path to the lxc commands with -P, the log file
> > > > path is generated with a basename of LOGPATH instead of the
> > > > lxcpath. This means for example if you do
> > > >
> > > > lxc-start -P /tmp/containers -n test01 -l INFO
> > > >
> > > > your log file will be
> > > >
> > > > /var/lib/lxc/test01/test01.log
> > > >
> > > > I was expecting the log to be /tmp/containers/test01/test01.log.
> > > > This is particularly confusing if you also have test01 on the
> > > > regular lxcpath. The patch below changes the log file path to be
> > > > based on lxcpath rather than LOGPATH when lxc is configured with
> > > > --enable-configpath-log.
> > > >
> > > > I think that even in the normal non --enable-configpath-log case
> > > > we should consider using lxcpath as the base and not having
> > > > LOGPATH at all, as attempting to create the log files
> > > > in /var/log is not going to work for regular users on their own
> > > > lxcpath. If we want that, I'll update the patch to do that as
> > > > well.
> > >
> > >
> > > Perhaps we should do:
> > >
> > > 1. If lxcpath == default_lxc_path(), then first choice is
> > > LOGPATH, second is lxcpath/container.log
> > > 2. when opening, if first choice fails, use second choice
> > > if there is any.
> > >
> > > That way 'system' containers will go to /var/log/lxc, as I think
> > > they should. Custom-lxcpath containers should never go
> > > to /var/log/lxc, since their names could be dups of containers in
> > > default_lxc_path(). And if the system is a weird one where
> > > default_lxc_path is set up so that an unprivileged user can use
> > > it, then we should log into $lxcpath.
> >
> > That sounds good to me. So these rules would apply in both the
> > regular and --enable-configpath-log cases.
I updated the patch to try to open the log file according to the
choices given above. Along the way I cleaned up log.c a bit, making
some things static, grouping external interfaces together, etc...
Hopefully that doesn't add too much noise.
> > > (Note this patch will trivially conflict with my new lxc_clone.c
> > > causing it to fail to build - unfortunate result of timing)
> >
> > Yeah unfortunately this touches every lxc_log_init() caller. I can
> > work on the above logic and re-submit after your new lxc_clone
> > stuff goes in.
>
> No no, I'll just need to remember to update mine. Don't hold up on
> mine, this is just the nature of such collaboration :)
>
> > Did you have any thoughts on the XXX what to pass in for lxcpath in
> > lxc_init? Right now it just falls back to LOGPATH.
>
> No - that's a weird one, since lxc_init runs in the container. If
> there were only system containers I'd say always use LOGPATH.
> However there are people (apparently :) who use container sharing the
> host's rootfs...
>
> lxc-execute does know the lxcpath. Perhaps we can simply have
> src/lxc/execute.c:execute_start() look at handler->conf to see if a
> rootfs is set. If rootfs is NOT set, then pass lxcpath along to
> lxc-init. Then lxc-init can mostly do the same as the others? (It
> doesn't use src/lxc/arguments.c, so you'd have to add lxcpath to
> options[] in lxc-init.c)
So I did this, only to realize that lxc-init is passing "none" for the
file anyway, so it currently doesn't intend to log. This makes me
think that passing NULL for lxcpath is the right thing to do in
this patch. If you want me to make it so lxc-init can log, I can do
that but I think it should be in a different change :)
--
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Commit 69fe23ff added checking for the older docbook2man back into
configure, but this breaks building the docs on at least Oracle Linux and
Fedora when docbook2X is not installed as docbook2man will be found but the
docs don't actually build with that tool.
This change makes it so the docs can be built with either the older
docbook2man or the newer 2X tools by using configure to set the dtd
string to an appropriate value depending on use of docbook2man or
db2x_docbook2man.
Also fixed a small error in lxc-destroy.sgml.in that was noticed
by the old tools.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
This is based on patch from Papp Tamas (thanks). It also does some
reorganizing of lxc-create to commonize some of the backingstore handling.
I played with it using:
sudo lvcreate -L 100G -n zfs vg0
sudo zpool create lxc /dev/vg0/zfs
sudo lxc-create -B zfs --zfsroot lxc -t ubuntu -n dir2
or you could
qemu-img create zfs.img 100G
sudo qemu-nbd -c /dev/nbd0 zfs.img
sudo zpool create lxc /dev/nbd0
sudo lxc-create -B zfs --zfsroot lxc -t ubuntu -n dir2
I'll write the bdev.c handler and hook up lxc-clone next.
This also fixses a bug in the sed expression to extract the rootfs from
container config, which prepended an extra '/' to the rootdev. (That
caused the zfs list entry not to match at destroy)
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Cc: Papp Tamas <tompos@martos.bme.hu>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
If lxc_wait is called before the container has started the socket will not
yet have been created and lxc_wait's connect to it will fail. Starting the
daemon will create the socket for lxc_wait to connect to.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Because of an assertion in glibc's fork() wrapper that parent pid and
pid of child should never be the same, one should avoid fork() after
attaching to a PID namespace, since the pid inside the namespace may
coincide with the pid of the parent outside the namespace, thus hitting
the aforementioned assertion.
This patch just changes the code in the most simple manner to use
clone() instead of fork(). Since clone() requires a function to be
called instead of returning 0, we move the code of the child into a
function child_main.
Signed-off-by: Christian Seiler <christian@iwakd.de>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This adds a reference to capabilities(7) to the lxc.conf manpage.
Signed-off-by: Tomáš Pospíšek <tpo_deb@sourcepole.ch>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This adds docbook2man as an alternative name for the docbook compiler.
As that name was used on Debian based systems for an older version of the tool,
this change also adds a check so that docbook2man is never used on Debian based
systems.
Reported-by: Peter Simons <simons@cryp.to>
Reported-by: Christian Bühler christian@cbuehler.de
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Otherwise we leave bad containers sitting around and further confuse
things on retries.
Reported-by: Mukanyiligira Didacienne <siyana223@gmail.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This fixes a long standing issue that there could only be a single
lxc-monitor per container.
With this change, a new lxc-monitord daemon is spawned the first time
lxc-monitor is called against the container and will accept connections
from any subsequent lxc-monitor.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Update the code to also match C.* so that C.UTF-8 doesn't make the
container creation fail.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Trying to start multiple containers concurrently may cause
lxc_monitor_read_timeout to fail as select call could be
interrupted by a signal, handle it.
Signed-off-by: S.Çağlar Onur <caglar@10ur.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
The previous change used some 3.3-specific functions.
We still support 3.2 so revert to 3.2-compatible calls.
Reported-by: S.Çağlar Onur <caglar@10ur.org>
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This finally fixes a few issues with the magic
convert_tuple_to_char_pointer_array function.
This now clearly copies the char* from the python object so we don't
end up keeping reference to those.
Also add the few required free calls to free the content of the array.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Spotted by coverity, we were now assigning mntent but only every using
mntent_r, so drop those variables and assignation.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Trying to stop multiple containers concurrently ends up with "cgroup is not mounted" errors as multiple threads corrupts the shared variables.
Fix that stack corruption and start to use getmntent_r to support stopping multiple containers concurrently.
Signed-off-by: S.Çağlar Onur <caglar@10ur.org>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Introduce a new HTTP_PROXY variable in /etc/default/lxc. If unset or
set to none, then behavior continues as before. If set to 'apt', then
any http::proxy set in apt.conf will be used as http_proxy for
debootstrap, and specified in the container's
/etc/apt/apt.conf.d/70proxy. If set to something else, then the
value of HTTP_PROXY will be used as http_proxy for debootstrap and
specified in the container's 70proxy.
Changelog: (apr 23) merge the two apt proxy detection functions.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
When using -P (lxcpath), the parameter path needs to be forwarded
to the various commands being run but not used by the nested lxc-ls
as it's relatively unlikely that both the host and the nested containers
use a custom path.
This isn't ideal but short of having a way to provide the container path
for every single of the nesting (with potential unlimited depth), it's
the best we can do.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
- Drop disabled entries from allowed devices list
- Improve generated config layout a bit
- Drop redundant uname call
- Re-generate the SSH host keys on container creation
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
According to "arch"'s manpage, it's identical to "uname -m".
Some distros ship uname but don't ship arch, however all distros ship uname,
therefore it makes sense to use "uname -m" whenever possible.
Signed-off-by: Christian Bühler <christian@cbuehler.de>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This fixes a few issues uncovered by the recent C module fix.
In lxc-start-ephemeral, the hwaddr code wasn't actually working.
Replace by code that properly iterates through the network interfaces
and sets a new MAC address for each entry.
In the python overlay, catch the newly emitted KeyError when in
set_config_item (or setting any previously unset variable would fail).
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Fixes a lot of issues found by a code review done by Barry Warsaw.
Those include:
- Wrong signature for getters
- Various memory leaks
- Various optimizations
- More consistent return values
- Proper exception handling
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Reported-by: Barry Warsaw <barry@ubuntu.com>
Acked-by: Barry Warsaw <barry@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Reimplement mkdir_p() such that it:
...handles relativ paths correctly. (currently it crashes)
...does not rely on dirname().
...is not recursive.
...is shorter. ;-)
Signed-off-by: Richard Weinberger <richard@nod.at>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This reverts commit 5a5c35c3a0.
This commit was preventing startup of containers using lxc hooks and
shutdown of all other containers, requiring the use of a good old
kill -9 to get rid of lxc-start after a container shutdown.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
This reverts commit 8de4140644.
This commit was preventing container startup on my machine, making them
all fail with various "No such file or directory" errors.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Reimplement mkdir_p() such that it:
...handles relativ paths correctly. (currently it crashes)
...does not rely on dirname().
...is not recursive.
...is shorter. ;-)
Signed-off-by: Richard Weinberger <richard@nod.at>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
If the process in the new namespace dies very early
we have currently no chance to detect this.
The parent process will just die due to SIGPIPE
if it write to the fd used for synchronisation and
nobody will notice the real cause of the problem.
Install a SIGCHLD handler to detect the death.
Later when the child does execve() to the init within
the new namespace the handler will be disabled automatically.
Signed-off-by: Richard Weinberger <richard@nod.at>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
There is no need to use nested functions voodoo.
Signed-off-by: Richard Weinberger <richard@nod.at>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
The recent change to use strtok_r causes a build warning with this older
gcc version, so initialize saveptr to NULL to quiet the compiler and
unbreak the build. There was no warning with gcc 4.7.2 that I
originally tested with.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
As Richard reported, dirname('//') returns //. But mkdir_p only stops
when called with '/', resulting in infinite recursion when given a
pathname '//foo/bar'.
Reported-by: richard -rw- weinberger <richard.weinberger@gmail.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
This patch supports the scenario where a user wants to install a
busybox container on a busybox host.
When running the template, in order to change the root password,
the template needs to do the chroot. On busybox-powered hosts, chroot
is not part of the coreutils package - it's part of busybox. And the
busybox implementation or chroot only works if it has /lib in the new
root populated with the right binaries (or at least that's the
solution I found to make it work).
The temporarily bind-mounts /lib in the NEWROOT, chroots there,
changes the password, goes back and unmounts. This set of operations
is contained in a new MOUNT namespace, using the lxc-unshare call.
Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
pclose returns the exit status from wait, we need to check that to see if
the script itself failed or not. Tested a script that returned 0, 1, and
also one that did a sleep and then was killed by a signal.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Also check that we wrote the amount we expected to. The write on the pty
is blocking but we could still get a short write on EINTR, so we should
SYSERROR it.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This makes it match the manpage and be consistent with lxc-execute
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
