This is not 100% correct, but will suffice until we fix the kernel so that
we can distinguish between bind mounts and namespaced cgroupfs mounts.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Cgmanager was taught awhile ago that only some cgroup controllers are
crucial. Teach cgfs the same thing.
This patch needs improvement, but will fix failure of lxc without cgmanager
for unprivileged users for now. In particular, needed improvements include:
1. the check for crucial subsystems needs to include lxc.use
2. we should keep a list of the actually used subsystems so we don't keep
trying to chmod and enter after create has found we couldn't use a particular
subsystem
This fixes unprivileged lxc use. It does not appear to suffice to fix
nested unprivilegd lxd usage.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
New template script is more readable and robust, uses cache and external
LXC config file as other templates.
Signed-off-by: Jakub Jirutka <jakub@jirutka.cz>
If we don't do this, we'll leak the parent's session id to the container,
which maybe doesn't matter, but it still seems better to set it anyway.
Also, it breaks CRIU for containers that don't call setsid themselves.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
If lxcfs starts before cgroup-lite, then the first cgroup mountpoints in
/proc/self/mountinfo are /run/lxcfs/*. Unprivileged users cannot access
these. So privileged containers are ok, and unprivileged containers are ok
since they won't cache those to begin with. But unprivileged root-owned
containers cache /run/lxcfs/* and then try to use them.
So when doing cgroup automounting check whether the mountpoints we have
stored are accessible, and if not look for a new one to use.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Previously we implemented two ways to get a pty for lxc-attach:
1. get a pty in the container
2. get a pty on the host
Where 1. was the default and 2. was only tried after 1. failed.
For safety and simplicity reasons, we remove 1. and just keep 2. around.
Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>
- Add the description that automount is ignored when cgroup namespaces
are supported. Update for commit 4608594.
- Unify terminology of translation
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
describe that lxc-clone and lxc-start-ephemeral have been deprecated
in those man pages.
Update for commit 2ae6732.
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
In that case containers will be able to mount cgroup filesystems
for themselves as they do on a host.
This fixes inability to start systemd based containers on cgns-enabled
kernels with cgmanager not running.
I've tested debian jessie, busybox, ubuntu trusty and xenial, all of
which booted ok. However if there are some setups which require
premounted cgroupfs (i.e. they don't mount if they detect being in
a container), this may cause trouble.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
- lxc-clone and lxc-start-ephemeral are marked deprecated. We add a
--enable-deprecated flag to configure.ac allowing us to enable these
deprecated executables
- update tests to use lxc-copy instead of lxc-clone
Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>
- add deprecation not to man pages
- print deprecation info to stderr when the executables are invoked
Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>
- add note to lxc-clone manpage that it is superseded by lxc-copy
- add note to lxc-start-ephemeral manpage that it is superseded by lxc-copy
- fix typo in lxc-attach manpage
- fix some of my comments in lxc_ls.c
Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>
- explain rationale behind allocation of pty
- briefly explain how a pty is allocated
- add a short note that describes the changed behavior for lxc-attach when the
user is not placed in a writeable cgroup at login
Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>
- The code required to prepare an fd to act as a login tty is shared among
pty_on_host_callback() and fork_pty(). This implements login_pty(), a
minimalistic login_tty() clone, to avoid code redundancy.
- Give pty_in_container() a slightly extended comment.
Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>
