Commit Graph

2883 Commits

Author SHA1 Message Date
Stéphane Graber
c00f3f36e1 lxc-start: Daemonize by default
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2014-07-31 13:46:51 -04:00
Stéphane Graber
476d302ca2 lxc-start: Add -F (foreground) option
Introduce a new -F option (no-op for now) as an opposite of -d.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2014-07-31 13:46:31 -04:00
hallyn
b1814e1c69 Merge pull request #285 from martinpitt/master
apparmor: Allow slave bind mounts
2014-07-30 09:53:36 -05:00
Martin Pitt
7987eddb9f apparmor: Allow slave bind mounts
Without this, if the system uses shared subtrees by default (like systemd), you
get a large stream of

  lxc-start: Permission denied - Failed to make /<mountpoint> rslave
  lxc-start: Continuing...

with

  apparmor="DENIED" operation="mount" info="failed flags match" error=-13
  profile="/usr/bin/lxc-start" name="/" pid=17284 comm="lxc-start" flags="rw, slave"

and eventual failure plus a lot of leftover mounts in the host.

https://launchpad.net/bugs/1325468
2014-07-30 16:43:10 +02:00
Trần Ngọc Quân
04cda6d1d3 add help string for ubuntu template
Signed-off-by: Trần Ngọc Quân <vnwildman@gmail.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2014-07-29 08:34:23 -05:00
Serge Hallyn
e2dafcdab9 fix typo in btrfs error msg
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2014-07-27 10:53:54 -05:00
Serge Hallyn
f50b163d1d fix typo
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2014-07-23 10:19:24 -05:00
Serge Hallyn
0d2047716a Support openvswitch bridges
We detect whether ovs-vsctl is available.  If so, then we support
adding network interfaces to openvswitch bridges with it.

Note that with this patch, veths do not appear to be removed from the
openvswitch bridge.  This seems a bug in openvswitch, as the veths
in fact do disappear from the system.  If lxc is required to remove
the port from the bridge manually, that becomes more complicated
for unprivileged containers, as it would require a setuid-root
wrapper to be called at shutdown.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2014-07-23 09:43:10 -05:00
Serge Hallyn
8aecd66b49 unprivileged containers: use next available nic name if unspecified
Rather than always using eth0.  Otherwise unpriv containers cannot have
multiple lxc.network.type = veth's without manually setting
lxc.network.name =.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2014-07-23 09:42:16 -05:00
Ansa89
31098f8b9d Sysvinit script fixes
Signed-off-by: Stefano Ansaloni <ansalonistefano@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-07-21 13:10:38 +02:00
Nikolay Martynov
5c7f03ae85 Add SIGPWR support to lxc_init
This patch adds SIGPWR support to lxc_init.
This helps to properly shutdown lxc_init based containers.

Signed-off-by: Nikolay Martynov <mar.kolya@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-07-21 11:45:32 +02:00
Serge Hallyn
cd6b3e37a6 remove mountcgroup hook entirely
Also fix the comment in lxc-cirros template (which I overlooked last time).

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-07-17 17:33:45 -05:00
Serge Hallyn
ed0ef61a77 Remove mention of mountcgroups in ubuntu.common config
That mount hook predates the lxc.mount.auto = cgroup option.  So mention
that instead.

Perhaps we should simply drop the mountcgroup hook from the tree, but
I'm not doing that in this patch.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2014-07-17 16:39:44 -05:00
Serge Hallyn
79d88b03ed lxc-test-{unpriv,usernic.in}: make sure to chgrp as well
These tests are failing on new kernels because the container root is
not privileged over the directories, since privilege now requires
the group being mapped into the container.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2014-07-17 16:02:06 -05:00
KATOH Yasufumi
16a410466e doc: Add mention that veth.pair is ignored for unpriv in Japanese man
Update Japanese lxc.container.conf(5) for commit 8982c0f

Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-07-16 12:42:25 -04:00
Stéphane Graber
8982c0fd5e doc: Mention that veth.pair is ignored for unpriv
veth.pair is ignored for unprivileged containers as allowing an
unprivileged user to set a specific device name would allow them to
trigger actions in tools like NetworkManager or other uevent based
handlers that may react based on specific names or prefixes being used.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2014-07-15 21:32:46 -04:00
Claudio Alarcon-Reyes
7edae51efc centos template: prevent mingetty from calling vhangup(2)
When using unprivileged containers, tty fails because of vhangup. Adding
--nohangup to mingetty fixes the issue. This is the same problem that
occurred for the oracle template, commit 2e83f7201c

Signed-off-by: Claudio Alarcon <clalarco@gmail.com>
2014-07-14 20:22:39 -04:00
Stéphane Graber
128d327ac2 Fix typo in previous patch
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2014-07-14 15:44:41 -04:00
Serge Hallyn
c5316d6030 confile: sanity-check netdev->type before setting netdev->priv elements
The netdev->priv is shared for the netdev types.  A bad config file
could mix configuration for different types, resulting in a bad
netdev->priv when starting or even destroying a container.  So sanity
check the netdev->type before setting a netdev->priv element.

This should fix https://github.com/lxc/lxc/issues/254

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-07-14 15:20:17 -04:00
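The hazard the commit describes, as an added illustration rather than lxc's own code: per-type settings of a netdev share one union, so a config that applies a veth key to a macvlan device silently overwrites the macvlan fields unless each setter checks the type first. The struct layout, field names and setter names below are assumptions modelled on the commit message, not lxc's definitions.

```c
#include <stdio.h>
#include <string.h>

/* Assumed, simplified netdev types and layout; not lxc's conf.h. */
enum netdev_type { NET_EMPTY = 0, NET_VETH, NET_MACVLAN };

struct netdev {
    enum netdev_type type;
    union {                              /* one storage area, many interpretations */
        struct { char pair[16]; } veth_attr;   /* lxc.network.veth.pair */
        struct { int mode; } macvlan_attr;     /* lxc.network.macvlan.mode */
    } priv;
};

/* Setter for a veth-only key: refuse unless the netdev really is a veth. */
static int set_veth_pair(struct netdev *nd, const char *value)
{
    if (nd->type != NET_VETH)
        return -1;                       /* mixed config: reject, do not clobber priv */
    if (strlen(value) >= sizeof(nd->priv.veth_attr.pair))
        return -1;
    strcpy(nd->priv.veth_attr.pair, value);
    return 0;
}

/* Setter for a macvlan-only key, same guard. */
static int set_macvlan_mode(struct netdev *nd, int mode)
{
    if (nd->type != NET_MACVLAN)
        return -1;
    nd->priv.macvlan_attr.mode = mode;
    return 0;
}

/* Constructed mixed config: macvlan.mode followed by veth.pair on the same
 * netdev. Returns the macvlan mode afterwards, or -1 if the veth setter was
 * wrongly accepted (its string bytes would have overwritten the mode). */
static int demo_mixed_config(void)
{
    struct netdev nd = { .type = NET_MACVLAN };

    set_macvlan_mode(&nd, 3);
    if (set_veth_pair(&nd, "vethXYZ") == 0)
        return -1;
    return nd.priv.macvlan_attr.mode;
}

/* Well-formed veth config: the key is accepted and stored. Returns 0 on match. */
static int demo_veth_ok(void)
{
    struct netdev nd = { .type = NET_VETH };

    if (set_veth_pair(&nd, "vethA") != 0)
        return -1;
    return strcmp(nd.priv.veth_attr.pair, "vethA");
}

int main(void)
{
    printf("macvlan mode after rejected veth key: %d\n", demo_mixed_config());
    printf("veth pair stored correctly: %s\n", demo_veth_ok() == 0 ? "yes" : "no");
    return 0;
}
```

The same guard belongs in every setter that writes into the union, and in the teardown path: the commit notes that a corrupted priv can bite at destroy time as well as at start.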
Serge Hallyn
acf9f89e61 rootfs_is_blockdev: don't run if no rootfs is specified
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2014-07-14 13:23:38 -05:00
Stéphane Graber
cd62fd869c tests: lxc-test-ubuntu doesn't actually need bind9-host
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2014-07-09 13:31:13 -04:00
Stéphane Graber
c26adb8253 tests: Clarify error message and fix return codes
Reported-by: Michael J. Evans
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2014-07-09 13:17:54 -04:00
Alexander Dreweke
177f2cd2c2 lxc-debian: added support for package installation
- added --mirror, --security-mirror and --package parameters
- generate source.list
- install packages into final lxc instance

Signed-off-by: Alexander Dreweke <alexander@dreweke.net>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-07-09 10:20:04 -04:00
Alexander Dreweke
b3d3f3c661 lxc-debian: standardize formatting
Signed-off-by: Alexander Dreweke <alexander@dreweke.net>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-07-09 10:19:52 -04:00
Alexander Dreweke
cd44154ca7 lxc-debian: fix formatting
added space ">/" -> ">  /"

Signed-off-by: Alexander Dreweke <alexander@dreweke.net>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-07-09 10:19:38 -04:00
Stéphane Graber
e75a5c5c76 change version to 1.1.0.alpha1 in configure.ac
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2014-07-07 12:49:12 -04:00
Stéphane Graber
dfb2b5099c Also add --version support to lxc-start-ephemeral
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2014-07-07 12:48:07 -04:00
José Martínez
5652d61020 lxc-ubuntu: update coding style
Signed-off-by: José Martínez <xosemp@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-07-07 10:49:12 -04:00
José Martínez
b6e07af7c2 lxc-ubuntu: fix btrfs when rootfs == realrootfs
Fix btrfs support when lxc-create does not bind-mount the rootfs.

Signed-off-by: José Martínez <xosemp@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-07-07 10:49:09 -04:00
Stéphane Graber
211d9f5393 Add support for --version to lxc-ls and lxc-device
This is based on the patch submitted by:
 Yuto KAWAMURA(kawamuray) <kawamuray.dadada@gmail.com>

Updated to use lxc.version rather than @LXC_VERSION@ and to apply to
both lxc-ls and lxc-device rather than just the former.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2014-07-07 10:17:28 -04:00
Dorian Eikenberg
baeb5e37a9 Fix attach_wait and threads
Signed-off-by: Dorian Eikenberg <dorian.eikenberg@uni-duesseldorf.de>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-07-07 10:16:01 -04:00
Yuto KAWAMURA(kawamuray)
5bb2a6e87f Fix incorrect timeout handling of do_reboot_and_check()
Currently do_reboot_and_check() is decreasing the timeout variable even if
it is set to -1, so running 'lxc-stop --reboot --timeout=-1 ...' will
exit immediately at the end of the second iteration of the loop, without
waiting for the container to reboot.
Also, there is no need to call gettimeofday if timeout is set to -1, so
these statements should be evaluated only when timeout is enabled.

Signed-off-by: Yuto KAWAMURA(kawamuray) <kawamuray.dadada@gmail.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2014-07-07 10:13:57 -04:00
Yuto KAWAMURA(kawamuray)
9827ecdb6d Change find_fstype_cb to ignore blank lines and comments
/etc/filesystems could contain blank lines and comments.
Change find_fstype_cb() to ignore blank lines and comments which start
with '#'.

Signed-off-by: Yuto KAWAMURA(kawamuray) <kawamuray.dadada@gmail.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2014-07-07 10:13:54 -04:00
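A stand-alone version of the line filter the commit describes, added here as an example and not taken from lxc: it walks /etc/filesystems-style text, drops "nodev" entries (not meaningful for a block device), blank lines and '#' comments, and returns the remaining names as the candidate types to try. The sample text is constructed for the example; the function names are my own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample in the style of /etc/filesystems; not a real file. */
static const char SAMPLE_FILESYSTEMS[] =
    "# candidate types, tried in order\n"
    "\n"
    "ext4\n"
    "   btrfs   \n"
    "nodev proc\n"
    "  # xfs disabled for now\n"
    "xfs\n";

/* Trim leading and trailing whitespace in place; returns the trimmed start. */
static char *trim(char *s)
{
    size_t n;

    while (*s != '\0' && isspace((unsigned char)*s))
        s++;
    n = strlen(s);
    while (n > 0 && isspace((unsigned char)s[n - 1]))
        s[--n] = '\0';
    return s;
}

/* Copy each usable fstype name (at most 31 chars) into out[]; returns the count.
 * Skipped: lines mentioning nodev, blank lines, and lines whose first
 * non-blank character is '#'. */
static int collect_fstypes(const char *text, char out[][32], int max)
{
    char line[256];
    int count = 0;
    const char *p = text;

    while (*p != '\0' && count < max) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char *t;

        if (len >= sizeof(line))
            len = sizeof(line) - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p = nl ? nl + 1 : p + len;

        if (strstr(line, "nodev"))
            continue;                    /* not a block-device type */
        t = trim(line);
        if (t[0] == '\0' || t[0] == '#')
            continue;                    /* blank line or comment */
        if (strlen(t) >= 32)
            continue;                    /* oversized token, ignore */
        strcpy(out[count++], t);
    }
    return count;
}

/* Convenience wrappers over the sample, keeping results in a static table. */
static char g_names[8][32];

static int sample_count(void)
{
    return collect_fstypes(SAMPLE_FILESYSTEMS, g_names, 8);
}

static const char *sample_name(int i)
{
    return g_names[i];
}

int main(void)
{
    int i, n = sample_count();

    for (i = 0; i < n; i++)
        printf("candidate fstype: %s\n", sample_name(i));
    return 0;
}
```

Without the blank/comment check, an empty or "#..." token would be handed to mount(2) as a filesystem type; trimming before testing the first character is what makes an indented comment count as a comment.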
Dwight Engen
6000d5bacb lxc-oracle: mount cgroup:mixed
- Mounting cgroup:mixed prevents systemd inside the container from
  moving its children out of the cgroups lxc setup. This ensures the
  limits setup in the configuration or with lxc-cgroup are effective.

- Update for the OL7 channel name that will be used on
  public-yum.oracle.com.

Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-07-03 15:39:11 -04:00
Rodrigo Vaz
d4ef230cc9 make the container exit code propagate to lxc-start exit code when appropriate
Signed-off-by: Rodrigo Sampaio Vaz <rodrigo@heroku.com>
Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2014-07-03 15:19:38 -04:00
Serge Hallyn
9a7c2aba46 chown_mapped_root: don't try chgrp if we don't own the file
New kernels require that to have privilege over a file, your
userns must have the old and new groups mapped into your userns.
So if a file is owned by our uid but another groupid, then we
have to chgrp the file to our primary group before we can try
(in a new user namespace) to chgrp the file to a group id in the
namespace.

But in some cases (when cloning) the file may already be mapped
into the container.  Now we cannot chgrp the file to our own
primary group - and we don't have to.

So detect that case.  Only try to chgrp the file to our primary
group if the file is owned by our euid (i.e. not by the container)
and the owning group is not already mapped into the container by
default.

With this patch, I'm again able to both create and clone containers
with no errors.

Reported-by: S.Çağlar Onur <caglar@10ur.org>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-07-03 15:17:03 -04:00
Stéphane Graber
6e39e4cbff Enable default seccomp profile for all distros
This updates the common config to include Serge's seccomp profile by
default for privileged containers.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2014-07-01 23:41:11 -04:00
hallyn
616d626b4e Merge pull request #244 from xose/btrfs
lxc-ubuntu: use btrfs subvolumes and snapshots
2014-06-30 16:18:35 -05:00
Jesse Tane
f2f545857c Apparmor: allow hugetlbfs mounts everywhere
Signed-off-by: Jesse Tane <jesse.tane@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-06-30 17:06:52 -04:00
Stéphane Graber
b4c1e35d24 Cast to gid_t to fix android build failure
stat.st_gid is unsigned long in bionic instead of the expected gid_t, so
just cast it to gid_t.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2014-06-30 15:19:19 -04:00
TAMUKI Shoichi
8b227008f6 Fix lxc-destroy to work with unprivileged containers on recent kernels
Change idmap_add_id() to add both ID_TYPE_UID and ID_TYPE_GID entries
to an existing lxc_conf, not just an ID_TYPE_UID entry, so that
lxc-destroy works with unprivileged containers on recent kernels.

Signed-off-by: TAMUKI Shoichi <tamuki@linet.gr.jp>
Acked-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2014-06-30 12:25:13 -04:00
TAMUKI Shoichi
7b50c609e4 Fix lxc-start to work with unprivileged containers on recent kernels
Change chown_mapped_root() to map in both the root uid and gid, not
just the uid, so that lxc-start works with unprivileged containers on
recent kernels.

Signed-off-by: TAMUKI Shoichi <tamuki@linet.gr.jp>
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2014-06-30 12:24:48 -04:00
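The decision rule spelled out in 9a7c2aba46 (chown_mapped_root: chgrp to our primary group only if we own the file and its group is not already mapped into the container), together with the uid+gid mapping requirement behind 7b50c609e4 and 8b227008f6, as an added example that is not lxc's code. It parses gid_map-style text, answers whether a host gid is inside a mapped range, and applies the rule. The gid_map text is constructed for the example and the function names are my own; a real check would read /proc/<pid>/gid_map.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* One range of a /proc/<pid>/gid_map: <id inside ns> <id on host> <count>. */
struct id_range {
    unsigned long nsid, hostid, range;
};

/* Constructed gid_map for an unprivileged container (not read from /proc). */
static const char SAMPLE_GIDMAP[] = "0 100000 65536\n";

/* Parse uid_map/gid_map text into out[]; returns the number of ranges parsed. */
static int parse_idmap(const char *text, struct id_range *out, int max)
{
    int count = 0;
    const char *p = text;

    while (*p != '\0' && count < max) {
        int used = 0;

        if (sscanf(p, "%lu %lu %lu%n", &out[count].nsid, &out[count].hostid,
                   &out[count].range, &used) != 3)
            break;
        count++;
        p += used;
        while (*p == '\n' || *p == ' ')
            p++;
    }
    return count;
}

/* Is host id `hostid` inside one of the mapped ranges? */
static int id_is_mapped(const struct id_range *map, int n, unsigned long hostid)
{
    int i;

    for (i = 0; i < n; i++)
        if (hostid >= map[i].hostid && hostid < map[i].hostid + map[i].range)
            return 1;
    return 0;
}

/* The rule from the commit message: a host-side chgrp to our own primary
 * group is needed only when we own the file (st_uid == euid) and its group
 * is not already mapped into the container. A file already owned by a
 * container id (e.g. after a clone) is left alone. */
static int needs_host_chgrp(uid_t euid, uid_t st_uid, gid_t st_gid,
                            const struct id_range *gidmap, int n)
{
    if (st_uid != euid)
        return 0;
    return !id_is_mapped(gidmap, n, (unsigned long)st_gid);
}

/* Wrappers over the sample map. */
static int sample_gid_mapped(unsigned long gid)
{
    struct id_range m[4];
    int n = parse_idmap(SAMPLE_GIDMAP, m, 4);

    return id_is_mapped(m, n, gid);
}

static int sample_needs_chgrp(uid_t euid, uid_t st_uid, gid_t st_gid)
{
    struct id_range m[4];
    int n = parse_idmap(SAMPLE_GIDMAP, m, 4);

    return needs_host_chgrp(euid, st_uid, st_gid, m, n);
}

int main(void)
{
    printf("gid 1000 mapped: %d\n", sample_gid_mapped(1000));
    printf("gid 100000 mapped: %d\n", sample_gid_mapped(100000));
    printf("we own, group 1000 -> chgrp first: %d\n", sample_needs_chgrp(1000, 1000, 1000));
    printf("we own, group 100000 -> no chgrp: %d\n", sample_needs_chgrp(1000, 1000, 100000));
    printf("container owns -> no chgrp: %d\n", sample_needs_chgrp(1000, 100000, 100000));
    return 0;
}
```

The reason for the two-step dance is the kernel rule the commits describe: a chown inside a user namespace needs both the old and the new group mapped, so a file whose group is an unmapped host group must first be moved to a group the unprivileged user holds on the host, and only then re-owned from inside a namespace that maps both uid and gid.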
Alexander Vladimirov
3fdd0ca89e Don't call sig_name twice, use pointer instead
Signed-off-by: Alexander Vladimirov <alexander.idkfa.vladimirov@gmail.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2014-06-27 15:23:48 -04:00
Serge Hallyn
1070908147 cgm_get: make sure @value is null-terminated
Previously this was done by strncpy, but now we just read
the len bytes - not including \0 - from a pipe, so pre-fill
@value with 0s to be safe.

This fixes the python3 api_test failure.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2014-06-27 13:51:33 -05:00
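The failure mode here is a classic one: a length-prefixed value read from a pipe arrives without its terminator, and anything that later treats the buffer as a C string reads past the end. An added example of the safe pattern (not lxc's cgm_get): allocate len + 1 zero-filled bytes, then loop until exactly len bytes have been read, retrying on EINTR. The pipe round-trip is constructed for the example and the function names are my own.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Read exactly len bytes from fd into a fresh buffer of len + 1 bytes that is
 * zeroed first, so the result is NUL-terminated even though the sender never
 * transmits a terminator. Returns NULL on error or short read. */
static char *read_value(int fd, size_t len)
{
    char *value = calloc(len + 1, 1);
    size_t got = 0;

    if (!value)
        return NULL;
    while (got < len) {
        ssize_t r = read(fd, value + got, len - got);

        if (r < 0 && errno == EINTR)
            continue;                    /* interrupted: retry */
        if (r <= 0) {                    /* error, or EOF before len bytes */
            free(value);
            return NULL;
        }
        got += (size_t)r;
    }
    return value;                        /* value[len] is already '\0' */
}

/* Round-trip a value through a pipe as a length-prefixed protocol would:
 * the writer sends strlen(value) bytes and no terminator. Returns 1 if the
 * reader got back an identical, properly terminated string. */
static int demo_roundtrip(const char *value)
{
    int fds[2];
    size_t len = strlen(value);
    int ok = 0;

    if (pipe(fds) != 0)
        return 0;
    if (write(fds[1], value, len) == (ssize_t)len) {
        char *got = read_value(fds[0], len);

        if (got) {
            ok = strlen(got) == len && memcmp(got, value, len) == 0;
            free(got);
        }
    }
    close(fds[0]);
    close(fds[1]);
    return ok;
}

int main(void)
{
    printf("roundtrip ok: %d\n", demo_roundtrip("memory"));
    return 0;
}
```

Pre-zeroing the whole buffer, as the commit does, is what keeps a short read from leaving uninitialised bytes where the terminator should be; the loop is the other half, since a single read(2) on a pipe is allowed to return fewer bytes than asked for.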
Serge Hallyn
d4ff964559 cgmanager: have cgm_set and cgm_get use absolute path when possible
This allows users to get/set cgroup settings when logged into a different
session than that from which they started the container.

There is no cgmanager command to do an _abs variant of cgmanager_get_value
and cgmanager_set_value.  So we fork off a new task, which enters the
parent cgroup of the started container, then can get/set the value from
there.  The reason not to go straight into the container's cgroup is that
if we are freezing the container, or the container is already frozen, we'll
freeze as well :)  The reason to fork off a new task is that if we are
in a cgroup which is set to remove-on-empty, we may not be able to return
to our original cgroup after making the change.

This should fix https://github.com/lxc/lxc/issues/246

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-06-27 13:08:54 -04:00
Alexander Vladimirov
23cc88bae0 lxc-archlinux.in: update securetty when lxc.devttydir is set
Update container's /etc/securetty to allow console logins when lxc.devttydir is not empty.
Also use config entries provided by shared and common configuration files.

Signed-off-by: Alexander Vladimirov <alexander.idkfa.vladimirov@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-06-27 13:05:39 -04:00
Alexander Vladimirov
99cbd2996b lxc-archlinux.in: Add pacman keyring initialization back
Shuffle around usage text a bit and add missing -d while there.

Signed-off-by: Alexander Vladimirov <alexander.idkfa.vladimirov@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-06-27 13:03:57 -04:00
Stéphane Graber
0d7cf7e9da attach: Fix querying for the current personality
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2014-06-25 15:34:46 -04:00
Stéphane Graber
5b99af0079 Reduce duplication in new style configs
This is a rather massive cleanup of config/templates/*

As new templates were added, I noticed that they pretty much all share
the tty/pts configs, some capabilities being dropped and most of the
cgroup configuration. All the userns configs were also almost identical.

As a result, this change introduces two new files:
 - common.conf.in
 - userns.conf.in

Each is included by the relevant <template>.<type>.conf.in templates,
this means that the individual per-template configs are now overlays on
top of the default config.

Once we see a specific key becoming popular, we ought to check whether
it should also be applied to the other templates and if more than 50% of
the templates have it set to the same value, that value ought to be
moved to the master config file and then overridden for the templates
that do not use it.

This change, while pretty big and scary, shouldn't be very visible from a
user point of view. The actual changes can be summarized as:
 - Extend clonehostname to work with Debian based distros and use it for
   all containers.
 - lxc.pivotdir is now set to lxc_putold for all templates, this means
   that instead of using /mnt in the container, lxc will create and use
   /lxc_putold instead. The reason for this is to avoid failures when the
   user bind-mounts something else on top of /mnt.
 - Some minor cgroup limit changes, the main one I remember is
   /dev/console now being writable by all of the redhat based containers.
   The rest of the set should be identical with additions in the per-distro
   ones.
 - Drop binfmtmisc and efivars bind-mounts for non-mountall based
   unprivileged containers as I assumed they got those from copy/paste
   from Ubuntu and not because they actually need those entries. (If I'm
   wrong, we probably should move those to userns.conf then).

Additional investigation and changes to reduce the config delta between
distros would be appreciated. In practice, I only expect lxc.cap.drop
and lxc.mount.entry to really vary between distros (depending on the
init system); the rest should be mostly common.

Diff from the RFC:
 - Add archlinux to the mix
 - Drop /etc/hostname from the clone hook

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2014-06-24 16:40:48 -04:00
Alexander Vladimirov
fd986e0874 Prevent write_config from corrupting container config
write_config doesn't check the value sig_name function returns,
this causes write_config to produce corrupted container config when
using non-predefined signal names.

Signed-off-by: Alexander Vladimirov <alexander.idkfa.vladimirov@gmail.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2014-06-24 16:18:33 -04:00