Add the function lxc_config_parse_arch that parses an architecture string
(x86, i686, x86_64, amd64) and returns the corresponding personality. This
is required for lxc-attach, which accepts architectures independently of
lxc.arch. The parsing of lxc.arch now also uses the same function to ensure
consistency.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
lxc-attach needs to be able to attach a process to specific cgroup, so
cgroup_attach is renamed to lxc_cgroup_attach and now also defined in the
header file.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
lxc-attach functionality reads /proc/init_pid/cgroup to determine the cgroup
of the container for a given subsystem. However, since subsystems may be
mounted together, we want to be on the safe side and be sure that we really
find the correct mount point, so we allow get_cgroup_mount to check for
*all* the subsystems; the subsystem parameter may now be a comma-separated
list.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
lxc.cap.drop now also accepts numeric values for capabilities. This allows
the user to specify capabilities LXC doesn't know about yet or capabilities
that were not part of the kernel headers LXC was compiled against.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
The function lxc_caps_last_cap() determines CAP_LAST_CAP of the current kernel
dynamically. It first tries to read /proc/sys/kernel/cap_last_cap. If that
fails, because the kernel does not support this interface yet, it loops
through all capabilities and tries to determine whether the current capability
is part of the bounding set. The first capability for which prctl() fails is
considered to be CAP_LAST_CAP.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
This patch is to correct the manipulation of signal masks when
installing signal handlers for lxc-init.
Signed-off-by: Jian Xiao <jian@linux.vnet.ibm.com>
Signed-off-by: Greg Kurz <gkurz@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
All the signals (except fatal ones) are redirected to signalfd at lxc_init,
so the LXC_TTY_HANDLERs are redundant. This patch removes them.
Signed-off-by: Jian Xiao <jian@linux.vnet.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
This lxc-monitor limitation deserves some lines in the manpage, until
something is done to allow several monitors to run concurrently.
Signed-off-by: Greg Kurz <gkurz@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
A typical usage is to start lxc-monitor in popen() and parse the ouput.
Unfortunately, glibc defaults to block buffering for pipes and you may
have to wait several lines before anything is written to stdout... this
prevent the use of lxc-monitor to implement automatons. Let's go line
buffered !
Signed-off-by: Greg Kurz <gkurz@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Particularly for LTS releases, which many people will want to use in
their containers, it is not wise to not use release-security and
release-updates. Furthermore the fix allowing ssh to allow the container
to shut down is in lucid-updates only.
With this patch, after debootstrapping a container, we add -updates and
-security to sources.list and do an upgrade under chroot. Unfortunately
we need to do this because debootstrap doesn't know how to.
Changelog:
Nov 14: as Stéphane Graber suggested, make sure no daemons start on
the host while doing dist-upgrade from chroot.
Nov 15: use security.ubuntu.com, not mirror. (stgraber)
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
When the cgroup is not mounted, we silently exit without giving
some clues to the user with what is happening.
Give some info and an explicit error.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
When used in conjunction with a bridge, veth devices with random addresses
may change the mac address of the bridge itself if the mac address of the
interface newly added is numerically lower than the previous mac address
of the bridge. This is documented kernel behavior. To avoid changing the
host's mac address back and forth when starting and/or stopping containers,
this patch ensures that the high byte of the mac address of the veth
interface visible from the host side is set to 0xfe.
A similar logic is also implemented in libvirt.
Fixes SF bug #3411497
See also: <http://thread.gmane.org/gmane.linux.kernel.containers.lxc.general/2709>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Allow mknod (fixing udev upgrades) and drop mac_override and mac_admin
from lxc.cap.drop as apparmor has/will have support for namespaces
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
To avoid name collisions between local and system header
files. For example, if you try to include the <pty.h>
system file, you end up including the one from lxc...
Signed-off-by: Greg Kurz <gkurz@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
The "" notation is preferrable if the header file is local.
Signed-off-by: Greg Kurz <gkurz@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
The hardcoded URL seems to be broken and 404 error was not
checked. Now the mirror is selected from mirrorlist (instead of
hardcoding to funet.fi) and fetch errors are checked.
Also added a retry loop (with 3 tries) to find a working mirror, since
some of the mirrors are not OK.
Signed-off-by: Tuomas Suutari <tuomas.suutari@gmail.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
There is no i686 variant of Fedora, but Ubuntu seems to return i686
from the arch command.
Signed-off-by: Tuomas Suutari <tuomas.suutari@gmail.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
The text says that 14 is default, but release=14 was not set anywhere
in the script.
Signed-off-by: Tuomas Suutari <tuomas.suutari@gmail.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
It prevents containers from getting a good resolv.conf without doing
ifdown eth0; ifup eth0.
(see pad.lv/880020)
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
This patch adds a private argument to extend the struct
lxc_arguments. This is useful to develop custom lxc commands
outside mainline lxc.
Signed-off-by: Cedric Le Goater <clg@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
This patch allows to create application containers with liblxc.so directly.
Some code cleanups on the way:
- separate ops for lxc_execute() and lxc_start(): the factorisation is wrong
here as we may have specific things to do if we're running an application
container. It deserves separate ops.
- lxc_arguments_dup() is merged in the pre-exec operation: this is a first
use for the execute op introduced just above. It's better to build the
arguments to execvp() where they're really used.
Signed-off-by: Greg Kurz <gkurz@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Cc: Cedric Le Goater <clg@fr.ibm.com>
Otherwise we end up with a bad container fstab and a container
that won't boot. See
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/879052
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
The lxc-ls shell script uses netstat -xa to get a listing of AF_UNIX
sockets it then parses in order to determine the names of presently
running containers. This is wrong because it will list the
listening socket and all sockets created by accepting connections on
that. This causes the script to display the names of containers with
active lxc-console sessions 1 + n times, n being the number of active
console sessions. The patch below fixes this by using netstat -xl
instead which only displays the listening sockets.
Signed-off-by: Rainer Weikusat <rweikusat@mobileactivedefense.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Thought I had sent this before, but I don't find it anywhere.
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
If multiple cgroups are mounted under /sys/fs/cgroup, then the
original check ends up looking for /sys/fs/cgroup/cgroup.clone_children,
which does not exist because that is just a tmpfs.
So make sure to check an actual cgroupfs.
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
/dev/shm is a symlink to /run/shm, so we need /run/shm
to exist in the container rootfs. Also, /dev/mqueue does
not exist on the host, and can't be created by the container.
But we don't really need it so ignore that.
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
This isn't particularly reassuring, and will be moot with user
namespaces, but as people are asking for it, turn off sys_module.
While we're at it, turn off mac_admin and mac_override.
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
End the command with ';', which is needed, and put the hostname in
quotes (which doesn't really seem needed, but shown in man page).
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Commit 92c7f62955 broke the following scipts:
- lxc-setcap
- lxc-setuid
- lxc-create
This patch adds the missing variables to be substitued by the configure
script.
Cheers.
Signed-off-by: Greg Kurz <gkurz@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
As discussed in thread:
http://sourceforge.net/mailarchive/forum.php?thread_name=4E5618C3.5060507%40free.fr&forum_name=lxc-devel
We think it's better for now to only warn the user about a fd leaking into
the container. Also remove the call to readlink() as it isn't really useful
now: since the container will start anyway, the user can look into /proc/../fd
or use lsof or whatever.
Signed-off-by: Greg Kurz <gkurz@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
This patch fixes some makefile/specfile issues when running
rpmbuild with the distributed lxc specfile:
- fixes usage of installation directories for config files,
rootfs, templates and lxc-init so that they're calculated
at make time instead of configure time. Thanks to this,
all installed items go under $RPM_BUILD_ROOT when running
rpmbuild
- introduce --disable-rpath option to configure to avoid
check-rpaths errors when building non-root.
- introduce a lxc-libs package in the default spec file
to allow concurrent installation of 32 bit and 64 bit
libraries.
v2: - fix circular reference in lxc.pc
- ship lxc.pc with lxc-devel
Signed-off-by: Greg Kurz <gkurz@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
