When you start a container in daemon model, you have at least
3 processes:
1. The command the user start (lxc-start -d)
2. The backgrounded fork of that command after start() is done
3. The container init process
In PID file, we need (2), but currently we are writing (1),
this is wrong because (1) exits as soon as the container is
started, it's complately useless.
So we write pid after daemonize, so that we'll always write
the right pid to PID file.
Reported-by: Stephane Graber <stgraber@ubuntu.com>
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
So we can remove PID file untill lxc_container_free.
This also fix bug: https://github.com/lxc/lxc/issues/89
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
In the daemonized case we will fork, so the anonymous container memlock
will not be shared between parent and child.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Coverity warns of the danger of a short read otherwise.
(Untested, but should be correct; Tossing over to you :)
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Cc: S.Çağlar Onur <caglar@10ur.org>
Acked-by: S.Çağlar Onur <caglar@10ur.org>
Don't try to print the PID, IP addresses or statistics for a container
that's not current running.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
lxc-ps and lxc-netstat have an unfortunate tendency to break every so
often, produce mostly unreadable output and should be replaced by a
lxc-attach call in 99% of the cases.
In an effort to cleanup the lxc-* namespace, I think those two should
go, so this patch gets rid of them as well as any reference to them in
our documentation.
I also think that lxc-version should disappear as it's only a one line
shell script printing the version string, so having a whole command just
for that seems to be a bit of a waste.
Instead, this patch introduces a new --version common option which all
binaries will automatically inherit and that'll print LXC_VERSION on
stdout and exit 0.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This adds a basic bash auto-completion profile.
It supports 3 things at this time:
- Auto-complete of container name (-n or -o)
- Auto-complete of template name (-t)
- Auto-complete of state names (-s)
It's configured in a way to be as little disruptive as possible, any
argument that's not explicitly handled by the profile will fallack to
bash's default completion.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This updates the Fedora and CentOS templates to utilize a common
included config. This is largely based on the changes in the Oracle
template with some exceptions.
Dropping of setpcap (present in the Oracle template) is commented out in
the Fedora template. It seems to cause problems, such as large login
delays with Fedora 20 containers (but not Fedora 19 - strange).
The Fedora template is further modified to disable systemd-journald.service
as it is unnecessary in a container and causes serious problems when
running in a Fedora 20 container.
The Fedora template is also updated to default to Fedora 20 when running
on a non-Fedora host.
Regards,
Mike
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Based on Stéphane's suggestion, those two API methods now;
* fork a new process,
* switch to appropriate namespace(s),
* do what we want,
* return the data over a pipe to the parent which returns the result to the original caller.
For the whole thread please see;
https://lists.linuxcontainers.org/pipermail/lxc-devel/2014-January/007362.html
This patch also makes lxc-ls and lxc-info call those functions.
I'm adding Stéphane as an author here since both the idea as well as
the initial setns code come from him.
Author: S.Çağlar Onur <caglar@10ur.org>
Author: Stéphane Graber <stgraber@ubuntu.com>
Signed-off-by: S.Çağlar Onur <caglar@10ur.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
commit f436448445 introduced attach
functionality to unprivileged containers so remove this check like
the rest of the attach functions.
Signed-off-by: S.Çağlar Onur <caglar@10ur.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This fixes command line tools and functions which use
lxc_global_config_value o get lxcpath but don't strip the trailing /
leading to mismatching command path (as lxc_container_new does strip the
path).
As lxcpath is typically a const and so can't easily be changed by the
caller, add the trick directly into lxc_global_config_value (having to
juggle a bit in there too to avoid trying to alter a const).
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This change makes lxc-attach and the matching API functions work
properly with unprivileged containers.
The trick needed to make that possible was to always start with the
userns when attaching and also relocate the cgroup management code so
that the intermediate process is moved to the cgroup before attaching to
the container's namespace as doing so later would fail due to missing
permissions.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This adds a fallback to the daily channel if an image couldn't be found
in the released one.
Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Include the IPv4/IPv6 prefix if it's set.
Signed-off-by: Robert Vogelgesang <vogel@users.sourceforge.net>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Return an error if the function is not supposed to be called by an unprivileged user.
Otherwise those calls fail in the middle of their execution with different reasons.
changes since v2:
- am_unpriv is now a simple geteuid check,
- API functions are now providing error messages,
- lxc-info, lxc-attach are now checking geteuidi,
- lxc-ls is now calling get_ips only if the container is running
Signed-off-by: S.Çağlar Onur <caglar@10ur.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Also replace a wrong free of nih-allocated variable with nih_free.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
When start container with daemon model, we'll have a new daemon
process in lxcapi_start, whose c->numthreads is 2, inherited
from his father. Even his father return to main(), the
lxc_container_put won't affect son's numthreads.
So when daemon stops, he should return to main and do
lxc_container_put again, rather than exit and leave the
container alone.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Checkpoint/restart isn't currently supported, so let's not carry those
binaries around until we have proper CRIU support in the API.
lxc-kill is redundant with lxc-stop -k and has been known to confuse user.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This adds the 3 upstart jobs that we've had in Ubuntu for a while:
- lxc.conf: Main upstart job, triggers lxc-net.conf based on config
- lxc-instance.conf: Triggered by lxc.conf for each auto-started container
- lxc-net.conf: Triggered by lxc.conf, sets up lxcbr0, NAT, mangling, ...
In addition, there are two extra config files in /etc/default:
- lxc: Allows setting some values like http proxying, disabling autostart, ...
- lxc-net: Network configuration for the lxcbr0 bridge
This change also disables the sysv script for all distros but Oracle as
the current script won't work on either Ubuntu nor Debian and I suspect
quite a few more distros, so it's not nearly as distro-agnostic as we
thought.
For Debian, only install the upstart jobs and systemd unit.
For Ubuntu, only install the upstart jobs.
This change also moves all the init related stuff to config/init/
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This adds rename(new_name) to the binding as well as two new const,
LXC_CLONE_KEEPBDEVTYPE and LXC_CLONE_MAYBE_SNAPSHOT.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
1. don't return bools for int-return functions
2. copy the filename to controller before using it
3. use full filename not just the key to pass to cgmanager
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
ValueError typically means that the user doesn't have permissions to
access the directory. Raising an exception there isn't consistent with
other error behaviour of list_containers which simple returns an empty
tuple.
So simply catch the exception and ignore it. An error message is already
printed by LXC itself anyway.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Look through all LXC code and seems like only here are missed.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This is perfectly safe since you cannot unmount the host fs from
a child userns.
Signed-off-by: S.Çağlar Onur <caglar@10ur.org>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
