lxc currently does a chroot into the target rootfs. chroot is insecure and
can easily be broken, as demonstrated here:
| root@synergy:~# touch /this_is_the_realrootfs_ouch
| # touch /container/webhost/this_is_the_container
| # lxc-start -n webhost /bin/sh
| # ls this*
| this_is_the_container
| # ./breakchroot
| # ls this*
| this_is_the_realrootfs_ouch
code to break chroot taken from
http://www.bpfh.net/simes/computing/chroot-break.html
Now this can be fixed. As our container has its own mount namespace, we can
easily pivot_root into the rootfs and then unmount all old mounts. The patch
attached adds a new config keyword which contains the path to a temporary
mount for the old rootfs (inside the container). This stops the chroot break
method shown before.
Example:
| root@synergy:~# grep pivotdir /var/lib/lxc/webhost/config
| lxc.pivotdir = /oldrootfs
| root@synergy:~# ls -lad /container/webhost/oldrootfs
| drwxr-xr-x 2 root root 4096 2010-01-02 03:59 /container/webhost/oldrootfs
| root@synergy:~# lxc-start -n webhost /bin/sh
| # mount -t proc proc /proc
| # cat /proc/mounts
| rootfs / rootfs rw 0 0
| /dev/root / ext3 rw,relatime,errors=remount-ro,data=writeback 0 0
| devpts /dev/console devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
| proc /proc proc rw,relatime 0 0
| # ls this*
| this_is_the_container
| # ./breakchroot
| # ls this*
| this_is_the_container
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Signed-off-by: Michael Holtz <lxc@my.fqdn.org>
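The pivot sequence the message above describes, written out as an added example (this is not LXC's code): bind-mount the rootfs onto itself so it is a mount point, pivot_root into it with the old root parked under the configured directory, read the mount table back from the old /proc and detach every mount that is still reachable under that directory, deepest first. The paths /container/webhost and /oldrootfs are taken from the example in the message; the function names collect_old_mounts() and pivot_into() are this example's own. The pivot itself needs root and a private mount namespace; collect_old_mounts() is pure and can be exercised on a constructed /proc/mounts buffer.

```c
/* Added example, not LXC's own code: pivot_root into a container rootfs and
 * detach every mount still reachable under the old root. collect_old_mounts()
 * and pivot_into() are this example's names. Needs root and CLONE_NEWNS. */
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mount.h>
#include <sys/syscall.h>

#define MAX_MOUNTS 256
#define PATHLEN    256

/* Pick the mountpoints in a /proc/mounts-format buffer that sit at or below
 * pivotdir and order them deepest first, so children are detached before
 * their parents. Returns the count, or -1 on an overlong line or overflow. */
static int collect_old_mounts(const char *mounts, const char *pivotdir,
                              char out[][PATHLEN], int max)
{
    size_t plen = strlen(pivotdir);
    const char *p = mounts;
    int n = 0;

    while (*p) {
        char line[512], dev[256], mnt[PATHLEN];
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);

        if (len >= sizeof line)
            return -1;
        memcpy(line, p, len);
        line[len] = '\0';
        p += len + (eol ? 1 : 0);

        /* fields: device mountpoint fstype options freq passno */
        if (sscanf(line, "%255s %255s", dev, mnt) != 2)
            continue;
        /* keep only mountpoints equal to or below the old-root directory */
        if (strncmp(mnt, pivotdir, plen) != 0 ||
            (mnt[plen] != '\0' && mnt[plen] != '/'))
            continue;
        if (n >= max)
            return -1;
        strcpy(out[n++], mnt);
    }

    /* stable insertion sort by descending path length: children first */
    for (int i = 1; i < n; i++) {
        char tmp[PATHLEN];
        int j = i - 1;
        strcpy(tmp, out[i]);
        while (j >= 0 && strlen(out[j]) < strlen(tmp)) {
            strcpy(out[j + 1], out[j]);
            j--;
        }
        strcpy(out[j + 1], tmp);
    }
    return n;
}

/* Replace the root with rootfs; pivotdir is the container-relative path
 * (for example "/oldrootfs") that receives the old root. The caller must
 * already be in its own mount namespace. Returns 0 on success. */
static int pivot_into(const char *rootfs, const char *pivotdir)
{
    static char buf[1 << 16];
    static char old[MAX_MOUNTS][PATHLEN];
    char put_old[PATHLEN], proc_mounts[PATHLEN];
    FILE *f;
    size_t got;
    int n;

    /* keep the unmounts below from propagating back into the host namespace */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0)
        return -1;
    /* pivot_root requires new_root to be a mount point: bind it onto itself */
    if (mount(rootfs, rootfs, NULL, MS_BIND | MS_REC, NULL) < 0)
        return -1;
    if (chdir(rootfs) < 0)
        return -1;
    snprintf(put_old, sizeof put_old, ".%s", pivotdir);
    if (syscall(SYS_pivot_root, ".", put_old) < 0)
        return -1;
    if (chdir("/") < 0)
        return -1;

    /* the old /proc now lives under pivotdir; read the mount table from there */
    snprintf(proc_mounts, sizeof proc_mounts, "%s/proc/self/mounts", pivotdir);
    f = fopen(proc_mounts, "r");
    if (!f)
        return -1;
    got = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[got] = '\0';

    n = collect_old_mounts(buf, pivotdir, old, MAX_MOUNTS);
    if (n < 0)
        return -1;
    for (int i = 0; i < n; i++)
        if (umount2(old[i], MNT_DETACH) < 0)
            return -1;
    return 0;
}

int main(void)
{
    /* paths from the example in the commit message */
    if (unshare(CLONE_NEWNS) < 0 || pivot_into("/container/webhost", "/oldrootfs") < 0) {
        perror("pivot");
        return 1;
    }
    execl("/bin/sh", "sh", (char *)NULL);
    perror("execl");
    return 1;
}
```

After the loop finishes, the only thing left of the host under the container's root is the empty pivot directory, which is why a breakchroot-style walk up the tree no longer reaches the real filesystem.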
The conf object is on the stack and is used in the forked process.
Signed-off-by: Michel Normand <normand@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
This is a side effect of a previous patch I made
on this same function in commit
a6ddef6149
Signed-off-by: Michel Normand <normand@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
A few added lines to document the new lxc-create -t option.
Signed-off-by: Michel Normand <normand@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
The future kernel 2.6.33 will incorporate the macvlan bridge
mode where all the macvlans will be able to communicate if they are
using the same physical interface. This is an interesting feature
for having containers communicate together. If we are outside of the
container, we have to set up a macvlan on the same physical interface as
the containers and use it to communicate with them.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Clean up the script, simplify it and pass the arguments to this
script so it can be called by the lxc-create template logic.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
The lxc-create command is now able to call a sub script to install
a mini template.
Right now, debian is supported.
The rootfs is stored automatically in <lxcpath>/<name>/rootfs
So the rootfs is a subdirectory of the container configuration directory.
When lxc-destroy is called, the rootfs is deleted with the container
configuration.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
The lxc-debian script is cleaned up and consolidated with better
error handling.
This script is no longer interactive; it installs the debian rootfs
in a specified place.
This script is not supposed to be called directly, so it will move to
the libexec path very soon. This script is called by lxc-create
as a template with the right option and the right place.
The debian network configuration uses dhcp.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Some devices like veth or vlans have a few extra details that
are specific to them, for example veth.pair and vlan.vlanid.
Separate them from the common ones so we can update cleanly in the future.
Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
Acked-by: Daniel Lezcano <daniel.lezcano@free.fr>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
This adds ability to migrate vlan interfaces into namespaces
by specifying them in a config
Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
Acked-by: Daniel Lezcano <daniel.lezcano@free.fr>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Add utility functions to parse a u16 and put a u16 on a
netlink message
Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
Acked-by: Daniel Lezcano <daniel.lezcano@free.fr>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
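The two helpers the message above names, written as an added example rather than the project's own code: a strict decimal parser for a u16 (rejecting empty input, sign, trailing junk and values above 65535, which is what a vlan id or similar setting read from a config file needs) and a routine that appends a u16 attribute to an rtnetlink message while keeping nlmsg_len and the 4-byte attribute alignment the kernel expects. lxc_parse_u16() and nla_put_u16() are this example's names; the attribute type IFLA_VLAN_ID comes from the kernel's linux/if_link.h.

```c
/* Added example, not LXC's own code: parse a u16 from text and append it as
 * an rtnetlink attribute. lxc_parse_u16() and nla_put_u16() are this
 * example's names; the rtattr layout and macros are the kernel's. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
#include <linux/if_link.h>

/* Parse a decimal u16; reject empty input, a sign, trailing junk and
 * anything above UINT16_MAX. Returns 0 and sets *out on success. */
static int lxc_parse_u16(const char *s, uint16_t *out)
{
    char *end;
    unsigned long v;

    if (!s || *s == '\0' || *s == '-' || *s == '+') {
        errno = EINVAL;
        return -1;
    }
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno || *end != '\0' || v > UINT16_MAX) {
        errno = ERANGE;
        return -1;
    }
    *out = (uint16_t)v;
    return 0;
}

/* Append a u16 attribute after the current end of the message. bufsize is
 * the total size of the buffer that holds nlh. Returns 0, or -1 when the
 * attribute (header + payload + padding) would not fit. */
static int nla_put_u16(struct nlmsghdr *nlh, size_t bufsize,
                       unsigned short type, uint16_t value)
{
    size_t used = NLMSG_ALIGN(nlh->nlmsg_len);   /* attributes start aligned */
    size_t need = RTA_SPACE(sizeof value);       /* 4-byte header + 2 + 2 pad */
    struct rtattr *rta;

    if (used + need > bufsize)
        return -1;
    rta = (struct rtattr *)((char *)nlh + used);
    rta->rta_type = type;
    rta->rta_len = RTA_LENGTH(sizeof value);     /* length excludes the padding */
    memcpy(RTA_DATA(rta), &value, sizeof value);
    /* zero the pad bytes so the message bytes are deterministic */
    memset((char *)RTA_DATA(rta) + sizeof value, 0,
           need - RTA_LENGTH(sizeof value));
    nlh->nlmsg_len = used + need;
    return 0;
}

int main(int argc, char **argv)
{
    unsigned char buf[128];
    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
    uint16_t vlanid;

    if (argc < 2 || lxc_parse_u16(argv[1], &vlanid) < 0) {
        fprintf(stderr, "usage: %s <vlanid 0-65535>\n", argv[0]);
        return 1;
    }
    memset(buf, 0, sizeof buf);
    nlh->nlmsg_len = NLMSG_LENGTH(sizeof(struct ifinfomsg));
    nlh->nlmsg_type = RTM_NEWLINK;
    if (nla_put_u16(nlh, sizeof buf, IFLA_VLAN_ID, vlanid) < 0) {
        fprintf(stderr, "message buffer too small\n");
        return 1;
    }
    printf("RTM_NEWLINK message is now %u bytes with IFLA_VLAN_ID=%u\n",
           nlh->nlmsg_len, vlanid);
    return 0;
}
```

In a real link request IFLA_VLAN_ID sits inside the nested IFLA_LINKINFO / IFLA_INFO_DATA attributes; the helper is the same, only the nlmsghdr pointer and length bookkeeping move to the enclosing attribute.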
If you're running (by mistake or typo) (via lxc-start) a container that does not
exist, it will run with lxc.rootfs=/, meaning that /sbin/init will
restart the initialization procedure, effectively messing up the host's system,
which may lead to unpredictable results or even destroy (make inaccessible) the host
system (by resetting the network configuration or something like that).
(Actually, it _did_ destroy the system of everyone who tested this).
Actually, I finally lost any sense of having such a feature for
full-system containers. You may not use the host's FS - it's described
above. You may not use some temporary directory - that's nonsense.
This patch forbids starting a container via lxc-start without an rcfile and a
custom start program, but it probably fixes only a small part of the problem.
I really don't see much sense in such a feature without the ability to
override the 'default' setting with command line switches. Anyway, the default
behaviour should be as safe as possible.
Signed-off-by: Andrian Nord <NightNord@gmail.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
The rcfile is parsed in the lxc_start function. This is not the place
to do that. Let the caller do that.
In the meantime, we have the lxc_conf structure filled right before
calling the lxc_start function so we can do some sanity check on the
configuration to not break the system when we launch the container.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
commit 985d15b106 "fix fdleak and errors
in lxc_create_tty()" created a zero-sized malloc(), causing memory
corruption. Use config->tty like all the other code does.
Signed-off-by: Sven Wegener <sven.wegener@stealer.net>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
The same cleanup as in instanciate_macvlan(). Just makes the code
shorter and less "jumpy" (as with goto back).
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Currently we allocate the veth device with a random name on the host side,
so that things like firewall rules or accounting do not work
at all. Fix this by recognizing yet another keyword to specify
the host-side device name: lxc.network.pair, and use it instead
of the random name if specified.
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
The purpose of this patch is to limit the search
of pids to those in containers by looking first
in /cgroup/<name>/tasks when the --lxc or --names options
are specified by the user.
The idea is to speed up the output when only a few
container names are specified while the machine
is running with many processes.
Signed-off-by: Michel Normand <michel.mno@free.fr>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
With previous changes that allow starting a container
without the need to create it, lxc-ls was only reporting
the created containers.
With this patch, lxc-ls now reports created and active
containers.
Signed-off-by: Michel Normand <michel.mno@free.fr>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
This state is reported when the lxc-freeze command
was issued on the container.
Signed-off-by: Michel Normand <normand@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
If, for some reason, openpty() fails, lxc_create_tty() will
leak all previous ptys and leave the config structure in an
inconsistent state (wrt the number of ptys actually opened).
Fix that by explicitly closing all previously opened ptys
in case of failure and by setting the number of actually opened
ttys after the actual open.
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Ensure that lxc.netdev.link is specified for macvlan interfaces,
since it's required.
While at it, simplify the logic in instanciate_macvlan():
remove unnecessarily complicating goto statements (we only
need to perform a cleanup in one place).
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Before, a veth device pair required a link which was treated as
a bridge device. The code crashed if there was no lxc.network.link
specified. Fix that by allowing lxc.network.link to be unset.
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
The container will be a directory where the user can store everything,
so we create one directory and store a configuration file inside.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
With the previous modifications, a temporary directory is created
to mount the rootfs in order to have the system container remount
the '/' directory itself.
But in case of daemonize, we change the directory, so when the rootfs
is specified with a relative path, we cannot access it.
Don't chdir, as that will be done automatically later in the chroot
setup.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
In confile.c we currently have a ton of functions each doing
the same thing. Clean them up by providing common routines
to do the main work.
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
struct lxc_netdev is used to hold information from the config file
about a network device/configuration. Make the fields of this
structure be named similarly to the config file keywords,
namely:
s/ifname/link/ - host-side link for the device (bridge or eth0)
s/newname/name/ - container-side ifname
It is insane to have completely different names in the config file
and in structure/variable names :)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Update the man pages regarding the modifications around the
configuration option, volatile containers and new configuration
file format.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
This function will be needed for the restart function.
Signed-off-by: Michel Normand <normand@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
This is not required immediately but may be used by other inits.
Signed-off-by: Michel Normand <normand@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
The command specifies a configuration file => use it.
The command does not specify a configuration but the container
was created before => use that configuration.
The command does not specify a configuration and the container
was not created before => use the default.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Instead of doing I/O one-byte-at-a-time in lxc_console,
which is slow, let's do it in batches. Only for output
(from container to the host system), since input is most
likely one-byte-at-a-time anyway (from a keyboard).
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
I noticed that the containers' consoles aren't quite usable
(be it lxc-console or lxc-start with getty bound to /dev/console).
The main problem is a complete lack of window resizing support:
when I resize an xterm window with lxc-start or lxc-console, the
"guest" does not know about that and continues to think that the
terminal is 80x25 still.
Is it just a lack of functionality (missing implementation) or
something problematic?
Ok, the attached patch fixes this.
It moves the 'master' variable out of main function so it's
accessible from the signal handler, sets up SIGWINCH handler
to call a (newly created) winsz() function that gets the
current tty size using TIOCGWINSZ ioctl and if that works,
sets up the pty size using TIOCSWINSZ. That same function
is called at the start as well, when setting up the signal
handler.
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
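The two console fixes described in the messages above (closing every pty already opened when a later open fails and recording only the count actually opened, and copying the user's terminal geometry to the pty with TIOCGWINSZ/TIOCSWINSZ from a SIGWINCH handler and once at startup) as one added example. It is not LXC's code: struct tty_set, ttys_open(), ttys_close(), winsz() and pty_geometry() are this example's names, and it opens ptys with posix_openpt() rather than openpty() so it has no libutil dependency.

```c
/* Added example, not LXC's own code: allocate N ptys with full cleanup on
 * failure, and propagate the terminal window size to a pty. struct tty_set,
 * ttys_open(), ttys_close(), winsz() and pty_geometry() are this example's. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>

#define MAX_TTY 16

struct tty_set {
    int nr;                 /* number of pty pairs actually opened */
    int master[MAX_TTY];
    int slave[MAX_TTY];
};

/* Open one pty pair with the POSIX API. Returns 0 with both fds set. */
static int open_pty_pair(int *master, int *slave)
{
    const char *name;
    int m, s;

    m = posix_openpt(O_RDWR | O_NOCTTY);
    if (m < 0)
        return -1;
    if (grantpt(m) < 0 || unlockpt(m) < 0 || !(name = ptsname(m)))
        goto fail;
    s = open(name, O_RDWR | O_NOCTTY);
    if (s < 0)
        goto fail;
    *master = m;
    *slave = s;
    return 0;
fail:
    close(m);
    return -1;
}

/* Close every pair the set claims to hold and reset the count. */
static void ttys_close(struct tty_set *t)
{
    for (int i = 0; i < t->nr; i++) {
        close(t->master[i]);
        close(t->slave[i]);
    }
    t->nr = 0;
}

/* Open `want` pty pairs. If any open fails, everything opened so far is
 * closed and nr is 0, so the structure never claims ptys it does not hold. */
static int ttys_open(struct tty_set *t, int want)
{
    t->nr = 0;
    if (want < 0 || want > MAX_TTY) {
        errno = EINVAL;
        return -1;
    }
    for (int i = 0; i < want; i++) {
        if (open_pty_pair(&t->master[i], &t->slave[i]) < 0) {
            ttys_close(t);      /* nr covers exactly the pairs opened so far */
            return -1;
        }
        t->nr = i + 1;          /* count is bumped only after a successful open */
    }
    return 0;
}

/* Copy the window size of `from` (the user's terminal) onto the pty `to`,
 * so whatever runs on the slave side sees the real geometry. */
static int winsz(int from, int to)
{
    struct winsize ws;

    if (ioctl(from, TIOCGWINSZ, &ws) < 0)
        return -1;
    return ioctl(to, TIOCSWINSZ, &ws);
}

/* Read back a tty's current geometry. */
static int pty_geometry(int fd, unsigned short *rows, unsigned short *cols)
{
    struct winsize ws;

    if (ioctl(fd, TIOCGWINSZ, &ws) < 0)
        return -1;
    *rows = ws.ws_row;
    *cols = ws.ws_col;
    return 0;
}

static int pty_master = -1;     /* global so the signal handler can reach it */

static void sigwinch_handler(int sig)
{
    (void)sig;
    winsz(STDIN_FILENO, pty_master);
}

int main(void)
{
    struct tty_set t;
    struct sigaction sa = { .sa_handler = sigwinch_handler };
    unsigned short rows, cols;

    if (ttys_open(&t, 1) < 0) {
        perror("ttys_open");
        return 1;
    }
    pty_master = t.master[0];
    sigaction(SIGWINCH, &sa, NULL);
    if (winsz(STDIN_FILENO, pty_master) < 0)   /* stdin may not be a tty */
        perror("winsz at startup");
    else if (pty_geometry(t.slave[0], &rows, &cols) == 0)
        printf("%s is %hux%hu, tracking SIGWINCH\n", ptsname(pty_master), cols, rows);
    ttys_close(&t);
    return 0;
}
```

Calling ioctl() from the handler follows the original patch; it is not in the POSIX list of async-signal-safe functions, so an alternative is to set a flag in the handler and call winsz() from the console loop.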
Maybe it would be more logical to keep configs in /etc/lxc/?
Or, maybe, just use a --with-config-path=/some/path switch to configure,
which could be overridden as the user wants? Something like this one (on the
assumption that it is up to the user to create the corresponding directory):
Signed-off-by: Andrian Nord <NightNord@gmail.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
<lxc/lxc.h> should only include what is needed. This patch removes
all useless headers from lxc.h and fixes the other .c files.
Signed-off-by: Cedric Le Goater <clg@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>