Commit Graph

2904 Commits

Author SHA1 Message Date
Serge Hallyn
96f15ca18c add lxc.console.logpath
v2: add get_config_item

clear_config_item is not supported, as it isn't for lxc.console, because
you can do 'lxc.console.logfile =' to clear it.  Likewise save_config
is not needed because the config is now just written through the
unexpanded char*.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-08-06 18:43:34 -04:00
Stéphane Graber
281b843648
Add lxc.net to the dist tarball
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2014-08-04 16:15:46 -04:00
Serge Hallyn
6b0d553864 unexpanded config file: turn into a string
Originally, we only kept a struct lxc_conf representing the current
container configuration.  This was insufficient because lxc.include's
were expanded, so a clone or a snapshot would contain the expanded
include file contents, rather than the original "lxc.include".  If
the host's include files are updated, clones and snapshots would not
inherit those updates.

To address this, we originally added a lxc_unexp_conf, which mirrored
the lxc_conf, except that lxc.include was not expanded.

This has its own shortcomings, however.  In particular, if a lxc.include
has a lxc.cgroup setting, and you use the api to say:

c.clear_config_item("lxc.cgroup")

this is not representable in the lxc_unexp_conf.  (The original problem,
which was pointed out to me by stgraber, was slightly different, but
unlike this problem it was not unsolvable).

This patch changes the unexpanded configuration to be a textual
representation of the configuration.  This allows us to *order* the
configuration commands, which is what was not possible using the
struct lxc_conf *lxc_unexp_conf.

The write_config() now becomes a simple fwrite.  However, lxc_clone
is slightly complicated in parts, the worst of which is the need to
rewrite the network configuration if we are changing the macaddrs.

With this patch, lxc-clone and clear_config_item do the right thing.
lxc-test-saveconfig and lxc-test-clonetest both pass.

There is room for improvement - multiple calls to

c.append_config_item("lxc.network.link", "lxcbr0")

will result in multiple such lines in the configuration file.  In that
particular case it is harmless.  There may be cases where it is not.

Overall, this should be a huge improvement in terms of correctness.

Changelog: Aug 1: updated to current lxc git head.  All lxc-test* and
   python api test passed.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-08-04 15:50:44 -04:00
Serge Hallyn
ff462013b6 btrfs: support recursive subvolume deletion (v2)
Pull the #defines and struct definitions for btrfs into a separate
.h file to not clutter bdev.c

Implement btrfs recursive delete support

A non-root user isn't allowed to do the ioctls needed for searching (as you can
verify with 'btrfs subvolume list').  So for an unprivileged user, if the
rootfs has subvolumes under it, deletion will fail.  Otherwise, it will
succeed.

Changelog: Aug 1:
  . Fix wrong objid passing when determining directory paths
  . In do_remove_btrfs_children, avoid dereferencing NULL dirid
  . Fix memleak in error case.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-08-04 15:48:40 -04:00
KATOH Yasufumi
3ca73691b9 doc: Add 'zfs' to the parameter of -B option in lxc-create(1)
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-08-04 15:46:49 -04:00
KATOH Yasufumi
03c315afc1 doc: Update the description of SELinux in Japanese lxc.container.conf(5)
Update for commit 719fae0

Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-08-04 15:46:47 -04:00
KATOH Yasufumi
9231d3a4bb doc: Add the description of lxc.environment to Japanese lxc.container.conf(5)
Update for commit 7c66172

Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-08-04 15:46:45 -04:00
KATOH Yasufumi
36c94e0d58 doc: Change default to "-d" in Japanese lxc-start(1)
Update for commit c00f3f3

Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-08-04 15:46:42 -04:00
KATOH Yasufumi
22c36623bb doc: Add -F option to Japanese lxc-start(1)
Update for commit 476d302

Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-08-04 15:46:40 -04:00
Martin Pitt
882ab607fd Install systemd units for Ubuntu
Signed-off-by: Martin Pitt <martin.pitt@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-08-04 15:44:49 -04:00
Martin Pitt
2b24e2ff84 systemd: Load AppArmor profiles if necessary/supported
On Ubuntu we need to set up the AppArmor profiles also under systemd.
Add a new helper "lxc-apparmor-load" and integrate it into lxc.service.

Signed-off-by: Martin Pitt <martin.pitt@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2014-08-04 15:24:39 -04:00
Martin Pitt
84b3775a09 systemd: Ensure action() is defined
If /etc/rc.d/init.d/functions is not present or does not define an action()
function, provide a simple fallback using "echo".

Signed-off-by: Martin Pitt <martin.pitt@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2014-08-04 15:24:20 -04:00
Martin Pitt
65b27d845f Add systemd unit for lxc.net
This is the equivalent of the upstart lxc-net.conf to set up the LXC bridge.

This also drops "lxc.service" from tarballs. It is a built file which depends
on configure options, so the statically shipped file will not work on most
systems.

https://launchpad.net/bugs/1312532

Signed-off-by: Martin Pitt <martin.pitt@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2014-08-04 15:24:17 -04:00
Martin Pitt
213b0fe063 Get systemd unit dir from pkg-config
Don't install systemd unit files into $(prefix), they won't work there.
Instead, get them from systemd's pkg-config file.

Signed-off-by: Martin Pitt <martin.pitt@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2014-08-04 15:24:13 -04:00
Martin Pitt
2ed776214a Move lxcbr0 setup logic into lxc.net script
Factor this out of the lxc-net.conf upstart job, so that it can be used by
init.d scripts and systemd units, too.

Part of https://launchpad.net/bugs/1312532

Signed-off-by: Martin Pitt <martin.pitt@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2014-08-04 15:24:03 -04:00
Serge Hallyn
a96a8e8c09 use non-thread-safe getpwuid and getpwgid for android
We only call it (so far) after doing a fork(), so this is fine.  If we
ever need such a thing from threaded context, we'll simply need to write
our own version for android.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-07-31 15:58:31 -04:00
Serge Hallyn
97e9cfa02f print a helpful message if creating unpriv container with no idmap
This gives me:

ubuntu@c-t1:~$ lxc-create -t download -n u1
lxc_container: No mapping for container root
lxc_container: Error chowning /home/ubuntu/.local/share/lxc/u1/rootfs to container root
lxc_container: You must either run as root, or define uid mappings
lxc_container: To pass uid mappings to lxc-create, you could create
lxc_container: ~/.config/lxc/default.conf:
lxc_container: lxc.include = /etc/lxc/default.conf
lxc_container: lxc.id_map = u 0 100000 65536
lxc_container: lxc.id_map = g 0 100000 65536
lxc_container: Error creating backing store type (none) for u1
lxc_container: Error creating container u1

when I create a container without having an id mapping defined.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2014-07-31 14:17:04 -04:00
Dwight Engen
719fae07bf provide an example SELinux policy for older releases
The virtd_lxc_t type provided by the default RHEL/CentOS/Oracle 6.5
policy is an unconfined_domain(), so it doesn't really enforce anything.
This change will provide a link in the documentation to an example
policy that does confine containers.

On more recent distributions with new enough policy, it is recommended
not to use this sample policy, but to use the types already available
on the system from /etc/selinux/targeted/contexts/lxc_contexts, ie:

process = "system_u:system_r:svirt_lxc_net_t:s0"
file = "system_u:object_r:svirt_sandbox_file_t:s0"

Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2014-07-31 14:12:25 -04:00
Stéphane Graber
ab799c0ba9 Add the remaining bits for lxc.environment
This adds the few missing bits so that the new lxc.environment config
entry can be queried, cleared and saved as the others are.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2014-07-31 13:54:36 -04:00
Matt Palmer
7c6617262d Support providing env vars to container init
It's quite useful to be able to configure containers by specifying
environment variables, which init (or initscripts) can use to adjust the
container's operation.

This patch adds one new configuration parameter, `lxc.environment`, which
can be specified zero or more times to define env vars to set in the
container, like this:

    lxc.environment = APP_ENV=production
    lxc.environment = SYSLOG_SERVER=192.0.2.42
    lxc.environment = SOMETHING_FUNNY=platypus

Default operation is unchanged; if the user doesn't specify any
lxc.environment parameters, the container environment will be what it is
today ('container=lxc').

Signed-off-by: Matt Palmer <mpalmer@hezmatt.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2014-07-31 13:54:20 -04:00
Stéphane Graber
acabe1faee download: Have wget retry 3 times
This forces wget to retry if it gets a network error.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2014-07-31 13:47:01 -04:00
Stéphane Graber
c00f3f36e1 lxc-start: Daemonize by default
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2014-07-31 13:46:51 -04:00
Stéphane Graber
476d302ca2 lxc-start: Add -F (foreground) option
Introduce a new -F option (no-op for now) as an opposite of -d.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2014-07-31 13:46:31 -04:00
hallyn
b1814e1c69 Merge pull request #285 from martinpitt/master
apparmor: Allow slave bind mounts
2014-07-30 09:53:36 -05:00
Martin Pitt
7987eddb9f apparmor: Allow slave bind mounts
Without this, if the system uses shared subtrees by default (like systemd), you
get a large stream of

  lxc-start: Permission denied - Failed to make /<mountpoint> rslave
  lxc-start: Continuing...

with

  apparmor="DENIED" operation="mount" info="failed flags match" error=-13
  profile="/usr/bin/lxc-start" name="/" pid=17284 comm="lxc-start" flags="rw, slave"

and eventual failure plus a lot of leftover mounts in the host.

https://launchpad.net/bugs/1325468
2014-07-30 16:43:10 +02:00
Trần Ngọc Quân
04cda6d1d3 add help string for ubuntu template
Signed-off-by: Trần Ngọc Quân <vnwildman@gmail.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2014-07-29 08:34:23 -05:00
Serge Hallyn
e2dafcdab9 fix typo in btrfs error msg
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2014-07-27 10:53:54 -05:00
Serge Hallyn
f50b163d1d fix typo
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2014-07-23 10:19:24 -05:00
Serge Hallyn
0d2047716a Support openvswitch bridges
We detect whether ovs-vsctl is available.  If so, then we support
adding network interfaces to openvswitch bridges with it.

Note that with this patch, veths do not appear to be removed from the
openvswitch bridge.  This seems a bug in openvswitch, as the veths
in fact do disappear from the system.  If lxc is required to remove
the port from the bridge manually, that becomes more complicated
for unprivileged containers, as it would require a setuid-root
wrapper to be called at shutdown.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2014-07-23 09:43:10 -05:00
Serge Hallyn
8aecd66b49 unprivileged containers: use next available nic name if unspecified
Rather than always using eth0.  Otherwise unpriv containers cannot have
multiple lxc.network.type = veth's without manually setting
lxc.network.name =.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2014-07-23 09:42:16 -05:00
Ansa89
31098f8b9d Sysvinit script fixes
Signed-off-by: Stefano Ansaloni <ansalonistefano@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-07-21 13:10:38 +02:00
Nikolay Martynov
5c7f03ae85 Add SIGPWR support to lxc_init
This patch adds SIGPWR support to lxc_init.
This helps to properly shutdown lxc_init based containers.

Signed-off-by: Nikolay Martynov <mar.kolya@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-07-21 11:45:32 +02:00
Serge Hallyn
cd6b3e37a6 remove mountcgroup hook entirely
Also fix the comment in lxc-cirros template (which I overlooked last time).

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-07-17 17:33:45 -05:00
Serge Hallyn
ed0ef61a77 Remove mention of mountcgroups in ubuntu.common config
That mount hook predates the lxc.mount.auto = cgroup option.  So mention
that instead.

Perhaps we should simply drop the mountcgroup hook from the tree, but
I'm not doing that in this patch.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2014-07-17 16:39:44 -05:00
Serge Hallyn
79d88b03ed lxc-test-{unpriv,usernic.in}: make sure to chgrp as well
These tests are failing on new kernels because the container root is
not privileged over the directories, since privilege now requires
the group being mapped into the container.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2014-07-17 16:02:06 -05:00
KATOH Yasufumi
16a410466e doc: Add mention that veth.pair is ignored for unpriv in Japanese man
Update Japanese lxc.container.conf(5) for commit 8982c0f

Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-07-16 12:42:25 -04:00
Stéphane Graber
8982c0fd5e
doc: Mention that veth.pair is ignored for unpriv
veth.pair is ignored for unprivileged containers as allowing an
unprivileged user to set a specific device name would allow them to
trigger actions in tools like NetworkManager or other uevent based
handlers that may react based on specific names or prefixes being used.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2014-07-15 21:32:46 -04:00
Claudio Alarcon-Reyes
7edae51efc centos template: prevent mingetty from calling vhangup(2)
When using unprivileged containers, tty fails because of vhangup. Adding
--nohangup to mingetty fixes the issue. This is the same problem that
occurred for the oracle template, commit 2e83f7201c

Signed-off-by: Claudio Alarcon <clalarco@gmail.com>
2014-07-14 20:22:39 -04:00
Stéphane Graber
128d327ac2
Fix typo in previous patch
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2014-07-14 15:44:41 -04:00
Serge Hallyn
c5316d6030 confile: sanity-check netdev->type before setting netdev->priv elements
The netdev->priv is shared for the netdev types.  A bad config file
could mix configuration for different types, resulting in a bad
netdev->priv when starting or even destroying a container.  So sanity
check the netdev->type before setting a netdev->priv element.

This should fix https://github.com/lxc/lxc/issues/254

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-07-14 15:20:17 -04:00
Serge Hallyn
acf9f89e61 rootfs_is_blockdev: don't run if no rootfs is specified
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2014-07-14 13:23:38 -05:00
Stéphane Graber
cd62fd869c tests: lxc-test-ubuntu doesn't actually need bind9-host
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2014-07-09 13:31:13 -04:00
Stéphane Graber
c26adb8253
tests: Clarify error message and fix return codes
Reported-by: Michael J. Evans
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2014-07-09 13:17:54 -04:00
Alexander Dreweke
177f2cd2c2 lxc-debian: added support for package installation
- added --mirror, --security-mirror and --package parameters
- generate source.list
- install packages into final lxc instance

Signed-off-by: Alexander Dreweke <alexander@dreweke.net>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-07-09 10:20:04 -04:00
Alexander Dreweke
b3d3f3c661 lxc-debian: standardize formatting
Signed-off-by: Alexander Dreweke <alexander@dreweke.net>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-07-09 10:19:52 -04:00
Alexander Dreweke
cd44154ca7 lxc-debian: fix formatting
added space ">/" -> ">  /"

Signed-off-by: Alexander Dreweke <alexander@dreweke.net>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-07-09 10:19:38 -04:00
Stéphane Graber
e75a5c5c76
change version to 1.1.0.alpha1 in configure.ac
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2014-07-07 12:49:12 -04:00
Stéphane Graber
dfb2b5099c
Also add --version support to lxc-start-ephemeral
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2014-07-07 12:48:07 -04:00
José Martínez
5652d61020 lxc-ubuntu: update coding style
Signed-off-by: José Martínez <xosemp@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-07-07 10:49:12 -04:00
José Martínez
b6e07af7c2 lxc-ubuntu: fix btrfs when rootfs == realrootfs
Fix btrfs support when lxc-create does not bind-mount the rootfs.

Signed-off-by: José Martínez <xosemp@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-07-07 10:49:09 -04:00