warning with git am, white before tab correction
Signed-off-by: Michel Normand <normand@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
The handler argument to lxc_fini() is never null.
Signed-off-by: Greg Kurz <gkurz@fr.ibm.com>
Signed-off-by: Cedric Le Goater <clg@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
sv[0] has already been closed when reaching out_abort label.
Signed-off-by: Greg Kurz <gkurz@fr.ibm.com>
Signed-off-by: Cedric Le Goater <clg@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
It makes sense to use goto when there's some rollback work to be done.
And it's nice for code clarity to add an explicit suffix to goto labels.
Signed-off-by: Greg Kurz <gkurz@fr.ibm.com>
Signed-off-by: Cedric Le Goater <clg@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
I noticed lxc-console uses '^a' as command-mode prefix to
escape out of console session, so created a patch to make it
configurable. With this, you can do
lxc-console -n foo -e ^t
and exit the session with 'Ctrl+t q'.
For emacs-binding addicts (like me), it's always nice to
let shell handle '^a' as 'beginning-of-line' command...
Signed-off-by: Taisuke Yamada <tai@rakugaki.org>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
The getline function allocate the needed memory. Fix buffer can lead
to 'hard to find' bug. I don't test the pivot_root part but the other
parts are ok.
Signed-off-by: Clement Calmels <clement.calmels@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Correct the way the struct dirent **namelist structure is freed.
Signed-off-by: Clement Calmels <clement.calmels@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
lxc_config_define_add() and lxc_config_define_load() define
the interface to load a list of KEY=VAL buffers in the configuration
Signed-off-by: Cedric Le Goater <clg@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
lxc_config_readline() will be used to parse configuration variable
assigned from the command line with --define
Signed-off-by: Cedric Le Goater <clg@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Just use a list instead of array for dynamically allocated stuff. It's
more appropriated.
Signed-off-by: Clement Calmels <clement.calmels@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Let's take an example:
fd = open(..) /* fd = 3 for example */
lxc_mainloop_add_handler(descr, fd, cb1, data1) fails.
the program take care of the error, it closes the fd
Later, reopen a fd (get 3 for again)
lxc_mainloop_add_handler(desc, fd, cb2, data2) is ok.
When something happen on fd, cb1 with data1 will be called instead of
cb2 with data2, because descr->ev contains 2 entries for fd == 3.
Signed-off-by: Clement Calmels <clement.calmels@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
lxc_<cmd>.c and <cmd>.c files use the same log category : lxc_<cmd>.
The symbol is multiply defined and linking statically lxc commands is
not possible.
The patch introduces new log categories with a '_ui' suffix to
differentiate the command line interface from the library routine.
Reported-by: Ciprian Dorin, Craciun <ciprian.craciun@gmail.com>
Signed-off-by: Cedric Le Goater <clg@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
When the configuration path does not exist, lxc_create misleadingly
tells that it was not set.
Signed-off-by: Michael Holzt <lxc@my.fqdn.org>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
lxc.pc and scripts/lxc-busybox are missing from .gitignore
Signed-off-by: Michael Holzt <lxc@my.fqdn.org>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Rename doc/examples/lxc-complex-config.in to lxc-complex.conf.in as all other
examples in this directory have a .conf ending as well.
Signed-off-by: Michael Holzt <lxc@my.fqdn.org>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
lxc currently does a chroot into the target rootfs. chroot is insecure and
can easily be broken, as demonstrated here:
| root@synergy:~# touch /this_is_the_realrootfs_ouch
| # touch /container/webhost/this_is_the_container
| # lxc-start -n webhost /bin/sh
| # ls this*
| this_is_the_container
| # ./breakchroot
| # ls this*
| this_is_the_realrootfs_ouch
code to break chroot taken from
http://www.bpfh.net/simes/computing/chroot-break.html
Now this can be fixed. As our container has his own mount namespace, we can
easily pivot_root into the rootfs and then unmount all old mounts. The patch
attached add a new config keyword which contains the path to a temporary
mount for the old rootfs (inside the container). This stops the chroot break
method shown before.
Example:
| root@synergy:~# grep pivotdir /var/lib/lxc/webhost/config
| lxc.pivotdir = /oldrootfs
| root@synergy:~# ls -lad /container/webhost/oldrootfs
| drwxr-xr-x 2 root root 4096 2010-01-02 03:59 /container/webhost/oldrootfs
| root@synergy:~# lxc-start -n webhost /bin/sh
| # mount -t proc proc /proc
| # cat /proc/mounts
| rootfs / rootfs rw 0 0
| /dev/root / ext3 rw,relatime,errors=remount-ro,data=writeback 0 0
| devpts /dev/console devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
| proc /proc proc rw,relatime 0 0
| # ls this*
| this_is_the_container
| # ./breakchroot
| # ls this*
| this_is_the_container
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Signed-off-by: Michael Holtz <lxc@my.fqdn.org>
conf object is on stack and is used in forked process.
Signed-off-by: Michel Normand <normand@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
this is a side effect of previous patch I made
on this same function in commit
a6ddef6149
Signed-off-by: Michel Normand <normand@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
few added lines to document the new lxc-create -t option
Signed-off-by: Michel Normand <normand@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
The future kernel 2.6.33 will incorporate the macvlan bridge
mode where all the macvlan will be able to communicate if they are
using the same physical interface. This is an interesting feature
to have containers to communicate together. If we are outside of the
container, we have to setup a macvlan on the same physical interface than
the containers and use it to communicate with them.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Cleanup the script, simplify it and pass the arguments to this
script to be callable by lxc-create template logic.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
The lxc-create command is now able to call a sub script to install
a mini template.
Right now, debian is supported.
The rootfs is stored automatically in <lxcpath>/<name>/rootfs
So the rootfs is a subdirectory of the container configuration directory.
When lxc-destroy is called, the rootfs is deleted with the container
configuration.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
The lxc-debian is epurated and consolidated with a better
error handling.
This script is no longer interactive but it installs in a specified
place the debian rootfs.
This script is not supposed to be called directly so it will fall in
libexec path very soon. This script is called by lxc-create
as a template with the right option and the right place.
The debian network configuration is by dhcp.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Some devices like veth or vlans have a bit of extra details that
are specific to them. Example veth.pair and vlan.vlanid.
Separate them from the common so we can update cleanly in the future.
Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
Acked-by: Daniel Lezcano <daniel.lezcano@free.fr>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
This adds ability to migrate vlan interfaces into namespaces
by specifying them in a config
Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
Acked-by: Daniel Lezcano <daniel.lezcano@free.fr>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Add utility functions to parse a u16 and put a u16 on a
netlink message
Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
Acked-by: Daniel Lezcano <daniel.lezcano@free.fr>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
If you're running (by mistake or typo) (via lxc-start) container that does not
exists it will run with lxc.rootfs=/, meaning that /sbin/init will
restart initialization procedure, efficiently messing host's system,
that may lead to unpredictable results or even destroy (make inaccessible) host
system (by reseting network configuration or something like that).
(Actually, it _did_ destroy system of everyone who tested this).
Actually, I finally lost any meaning of having such a feature for
full-system containers. You may not use hosts's FS - it's described at
above. You may not use some temporary directory - that's nonsense.
This patch forbinds starting container via lxc-start without rcfile and
custom start program, but probably it fixes only small part of problem.
I really don't see much sense in such a feature without ability of
overriding 'default' setting with command line switches. Anyway, default
behaviour should be as save as possible.
Signed-off-by: Andrian Nord <NightNord@gmail.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
The rcfile is parsed in the lxc_start function. This is not the place
to do that. Let's the caller to do that.
In the meantime, we have the lxc_conf structure filled right before
calling the lxc_start function so we can do some sanity check on the
configuration to not break the system when we launch the container.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
