Commit Graph

2832 Commits

Author SHA1 Message Date
Alexander Vladimirov
c194ffc100 Update Arch Linux template and add common configuration files
Move common container configuration entries into template config.
Remove unnecessary service symlinking and configuration entries, as well as
guest configs and other redundant configuration, fix minor script bugs.
Clean up template command line, add -d option to allow disabling services.
Also enable gettys on all configured ttys to allow logins via lxc-console,
set lxc.tty value corresponding to default Arch /etc/securetty configuration.

This patch simplifies the Arch Linux template a bit, while fixing some
longstanding issues. It also provides common configuration based on
files provided for Fedora templates.

Signed-off-by: Alexander Vladimirov <alexander.idkfa.vladimirov@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-06-24 16:00:31 -04:00
KATOH Yasufumi
f36062dc50 doc: Update Japanese lxc.container.conf(5) for lxc.cap.keep = none
Update for commit 7035407

Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-06-24 16:00:25 -04:00
Dwight Engen
e78884c958 don't build init.lxc.static if libcap.a isn't available
Note that building init.lxc.static still requires a static libutil.a
and libpthread.a, but these are available on most distros through
glibc-static.

Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2014-06-23 12:06:30 -04:00
Serge Hallyn
513e1502c8 coverity: avoid possible null deref
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2014-06-23 08:41:49 -05:00
Stéphane Graber
0cad52a113 Include ubuntu.priv.seccomp in dist tarball
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2014-06-20 18:08:11 -04:00
Serge Hallyn
214a98ef56 ubuntu containers: use a seccomp filter by default (v2)
Blacklist module loading, kexec, and open_by_handle_at (the cause of the
not-docker-specific dockerinit mounts namespace escape).

This should be applied to all arches, but iiuc stgraber will be doing
some reworking of the commonizations which will simplify that, so I'm
not doing it here.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-06-20 17:37:06 -04:00
Serge Hallyn
cd75548b25 seccomp: fix 32-bit rules
When calling seccomp_rule_add(), you must pass the native syscall number
even if the context is a 32-bit context.  So use resolve_name rather
than resolve_name_arch.

Enhance the check of /proc/self/status for Seccomp: so that we do not
enable seccomp policies if seccomp is not built into the kernel.  This
is needed before we can enable by-default seccomp policies (which we
want to do next).

Fix wrong return value check from seccomp_arch_exist, and remove
needless abstraction in arch handling.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-06-20 16:33:59 -04:00
Serge Hallyn
d58c6ad0a6 seccomp: support 'all' arch sections (plus bugfixes)
seccomp_ctx is already a void*, so don't use 'scmp_filter_ctx *'

Separately track the native arch from the arch a rule is aimed at.

Clearly ignore irrelevant architectures (i.e. arm rules on x86)

Don't try to load seccomp (and don't fail) if we are already
seccomp-confined.  Otherwise nested containers fail.

Make it clear that the extra seccomp ctx is only for compat calls
on 64-bit arch.  (This will be extended to arm64 when libseccomp
supports it).  Power may well complicate this (if ever it is supported)
and require a new rethink and rewrite.

NOTE - currently when starting a 32-bit container on 64-bit host,
rules pertaining to 32-bit syscalls (as opposed to ones which have
the same syscall #) appear to be ignored.  I can reproduce that without
lxc, so either there is a bug in seccomp or a fundamental
misunderstanding in how I'm merging the contexts.

Rereading the seccomp_rule_add manpage suggests that keeping the second
seccomp context may not be necessary, but this is not something I care
to test right now.  If it's true, then the code could be simplified, and
it may solve my concerns about power.

With this patch I'm able to start nested containers (with seccomp
policies defined) including 32-bit and 32-bit-in-64-bit.

[ this patch does not yet add the default seccomp policy ]

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-06-20 14:35:36 -04:00
Dwight Engen
d74b6771c0 fix the expansion of libexecdir when not explicitly passed to configure
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-06-20 14:32:25 -04:00
Dwight Engen
e9aeeadec1 split -lcap and -lselinux out of LIBS
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2014-06-20 14:09:26 -04:00
Dwight Engen
7035407c96 allow lxc.cap.keep = none
Commit 1fb86a7c introduced a way to drop capabilities without having to
specify them all explicitly. Unfortunately, there is no way to drop them
all, as just specifying an empty keep list, ie:

    lxc.cap.keep =

clears the keep list, causing no capabilities to be dropped.

This change allows a special value "none" to be given, which will clear
all keep capabilities parsed up to this point. If the last parsed value
is none, all capabilities will be dropped.

Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2014-06-20 14:08:00 -04:00
Dwight Engen
58558042dc don't force dropping capabilities in lxc-init
Commit 0af683cf added clearing of capabilities to lxc-init, but only
after lxc_setup_fs() was done, likely so that the mounting done in
that routine wouldn't fail.

However, in my testing lxc_caps_reset() wasn't really effective
anyway since it did not clear the bounding set. Adding prctl
PR_CAPBSET_DROP in a loop from 0 to CAP_LAST_CAP would fix this, but I
don't think it's necessary to forcefully clear all capabilities since
users can now specify lxc.cap.keep = none to drop all capabilities.

Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2014-06-20 14:07:56 -04:00
KATOH Yasufumi
99e616a668 doc: Update Japanese lxc-snapshot(1) for adding the description of destroy
Update for commit 18aa217

Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-06-20 14:07:40 -04:00
Stéphane Graber
7be2c5ef3c Fix typo in lxc_attach's usage
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2014-06-20 14:04:44 -04:00
Serge Hallyn
d021832111 clone: make sure to update the rootfs path in unexpanded conf
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2014-06-18 18:02:35 -05:00
Serge Hallyn
761d81cad8 travis warning: call the fn to clear policy alien statements (memleak)
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2014-06-18 17:19:05 -05:00
Serge Hallyn
e60e630c4a snapshot test: make sure that external snapshot was really created
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-06-18 17:35:15 -04:00
Stéphane Graber
ce7aee4d91 lxc-download: Bump compat to 2 after OpenSUSE
OpenSUSE is now ready for the download template in the master branch,
however it's not going to be compatible with older LXC as they lack the
needed config files, so bump the compat level to 2 to indicate that the
current lxc-download can deal with the current OpenSUSE containers.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2014-06-18 17:33:10 -04:00
Serge Hallyn
18aa217bb1 snapshots: move snapshot directory
Originally we kept snapshots under /var/lib/lxcsnaps.  If a
separate btrfs is mounted at /var/lib/lxc, then we can't
make btrfs snapshots under /var/lib/lxcsnaps.

This patch moves the default directory to /var/lib/lxc/c/snaps.
If /var/lib/lxcsnaps already exists, then we continue to use that.

Add c->destroy_with_snapshots() and c->snapshot_destroy_all()
API methods.  c->snapshot_destroy_all() can be triggered from
lxc-snapshot using '-d ALL'.  There is no command to call
c->destroy_with_snapshots(c) as of yet.

lxclock: use ".$lxcname" for container lock files
that way we can use /run/lock/lxc/$lxcpath/$lxcname/snaps as a
directory when locking snapshots without having to worry about
/run/lock//lxc/$lxcpath/$lxcname being a file.

destroy: split off a container_destroy
container_destroy() doesn't check for snapshots, so snapshot_rename can
use it.  api_destroy() now does check for snapshots (previously it only
checked for fs - i.e. overlayfs/aufs - snapshots).

Add destroy to the manpage, as it was previously undocumented.

Update snapshot testcase accordingly.

[ rebased in the face of commits 840f05df and 7e36f87e. ]

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: S.Çağlar Onur <caglar@10ur.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-06-18 16:28:39 -05:00
Serge Hallyn
3dbcf8b27b confile: fix a typo (s/len/str/) in my previous patch
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2014-06-18 16:27:18 -05:00
Serge Hallyn
4184c3e172 Store alien config lines
Any config lines not starting with 'lxc.*' are ignored by lxc.  That
can be useful for third party tools, however lxc-clone does not copy such
lines.

Fix that by tracking such lines in our unexpanded config file and
printing them out at write_config().  Note two possible shortcomings here:

1. we always print out all includes followed by all aliens.  They are
not kept in order, nor ordered with respect to lxc.* lines.

2. we're still not storing comments. These could easily be added to
the alien lines, but I chose not to in particular since comments are
usually associated with other lines, so destroying the order would
destroy their value.  I could be wrong about that, and if I am it's
a trivial fix.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-06-18 16:56:17 -04:00
Serge Hallyn
f979ac1592 Add a unexpanded lxc_conf
Currently when a container's configuration file has lxc.includes,
any future write_config() will expand the lxc.includes.  This
affects container clones (and snapshots) as well as users of the
API who make an update and then c.save_config().

To fix this, separately track the expanded and unexpanded lxc_conf.  The
unexpanded conf does not contain values read from lxc.includes.  The
expanded conf does.  Lxc functions mainly need the expanded conf to
figure out how to configure the container.  The unexpanded conf is used
at write_config().

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-06-18 16:56:14 -04:00
Michael H. Warfield
41cf1ac30d Updated lxc-opensuse for common configuration changes.
Updated the lxc-opensuse template for the changes for the common
configuration used by the download template.  Changed the default
network mode in the container to dhcp.

Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-06-18 16:56:11 -04:00
Serge Hallyn
52036991a0 seccomp: warn but continue on unresolvable syscalls
If a syscall is listed which is not resolvable, continue.  This allows
us to keep a more complete list of syscalls in a global seccomp policy
without having to worry about older kernels not supporting the newer
syscalls.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-06-18 16:56:04 -04:00
Leonid Isaev
08182d4452 bdev.c: initialize a pointer to avoid build failures with -Werror=maybe-uninitialized
Signed-off-by: Leonid Isaev <lisaev@umail.iu.edu>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-06-17 22:57:56 -04:00
Stéphane Graber
f44b73e189 lxc-autostart: Respect -P
-P was only used for log setup and not when retrieving the container list.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2014-06-17 11:55:29 -04:00
Stéphane Graber
f69fd24ea3 tests: Avoid the download template when possible
The use of the download template with a hardcoded --arch=amd64 in aa.c
was causing test failures on any platform incapable of running amd64
binaries.

This wasn't noticed in the CI environment as we run the tests within
containers on an amd64 kernel but this caused failures on the Ubuntu CI
environment.

Instead, let's use the busybox template, tweaking the configuration when
needed to match the needs of the testcase.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2014-06-14 15:48:55 -04:00
Stéphane Graber
6ebc050477 tests: Don't fail when HOME isn't defined
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2014-06-14 15:48:49 -04:00
Stéphane Graber
91e7b27880 tests: apparmor: Always end with a newline
Some error messages in lxc-test-apparmor didn't end with a newline,
leading to slightly difficult to read output.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2014-06-14 15:48:40 -04:00
Stéphane Graber
b38b62a6d4 cgfs: Log the whole cgroup path too
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2014-06-10 16:12:56 -04:00
Stéphane Graber
b7aa56b85c tests: Wait 5s for init to respond in lxc-test-autostart
lxc-test-autostart occasionally fails at the restart test in the CI
environment. Looking at the current test case, the most obvious race
there is if lxc-wait exits successfully immediately after LXC marked the
container RUNNING (init spawned) but before init had a chance to setup
the signal handlers.

To avoid this potential race period, let's add a 5s delay between the
tests to give a chance for init to finish starting up.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2014-06-10 16:12:39 -04:00
Serge Hallyn
1c1c70514f container start: check for start hooks in container rootfs
Do so early enough that we can report a meaningful failure.

(This should fix https://github.com/lxc/lxc/issues/225)

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-06-09 23:42:39 -04:00
Stéphane Graber
4e31246a25 python3: Fix crashes in snapshot()
This makes sure all PyObject structs are always initialized to NULL,
this will fix issues such as (issue #239).

Also add a snapshot/list/restore testcase to the python3 api test code.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2014-06-09 15:24:10 -04:00
KATOH Yasufumi
0f84d97e6d doc: Fix typo in lxc-autostart(1)
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-06-05 09:31:19 -04:00
KATOH Yasufumi
f57517ef96 doc: Update Japanese man pages for the description of boot and group handling
Update lxc-autostart(1) and lxc.container.conf(5) for commit 015f0dd.

Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-06-05 09:31:17 -04:00
Stéphane Graber
307ab05d0f Try to be more helpful on container startup failure
This hides some of the confusing "command X failed to receive response"
errors, which are usually caused by another more understandable error.

On failure to start() from lxc-start, a new error message is displayed,
suggesting the user sets logfile and loglevel and if using -d, restarts
the container in the foreground instead.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2014-06-04 17:03:24 -04:00
Stéphane Graber
809a1539a3 lxc-download: Attempt to get the GPG key 3 times
This is to deal with the GPG pool occasionally yielding broken servers.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2014-06-03 15:52:43 -04:00
Michael H. Warfield
e5469dadd9 lxc-fedora.in: Correct some systemd target setups.
Set the halt.target action to be sigpwr.target.  This allows
SIGPWR to properly shut the container down from lxc-stop.

Re-enable the systemd-journald.service.

Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-06-03 15:06:35 -04:00
Serge Hallyn
840f05df8a lxcapi_snapshot: check that c is defined
before using it, like the other snapshot api methods do.

This will need to go into stable-1.0 as well.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-06-03 15:06:30 -04:00
Stéphane Graber
1b03969c7c python3: Handle invalid global config keys
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2014-06-03 11:31:31 -04:00
Stéphane Graber
8df68465f2 python3: Don't require a template name
The template name isn't required, if it's not passed, then create will
simply be asked to create a container without a rootfs.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2014-06-03 11:31:09 -04:00
bartekplus
0d6b9aea63 Free lxc configuration structure
Signed-off-by: Bartosz Tomczyk <bartekplus@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-06-03 11:29:20 -04:00
bartekplus
8255688a65 Corrected debug message
Signed-off-by: Bartosz Tomczyk <bartekplus@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-06-03 11:25:50 -04:00
TAMUKI Shoichi
aadd458215 lxc-plamo: fix for configuring network interface
Fix configure_plamo so as not to configure wireless network interface
in containers even if the host uses wireless network interface.

Signed-off-by: TAMUKI Shoichi <tamuki@linet.gr.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-06-03 11:11:51 -04:00
Dwight Engen
0520c252da point user to updated man page in template boilerplate
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2014-06-03 11:11:42 -04:00
Michael H. Warfield
015f0dd792 lxc-autostart: rework boot and group handling
This adds new functionality to lxc-autostart.

*) The -g / --groups option accepts multiple cumulative entries.
	This may be mixed freely with the previous comma separated
	group list convention.  Groups are processed in the
	order they first appear in the aggregated group list.

*) The NULL group may be specified in the group list using either a
	leading comma, a trailing comma, or an embedded comma.

*) Booting proceeds in order of the groups specified on the command line
	then ordered by lxc.start.order and name collating sequence.

*) Default host bootup is now specified as "-g onboot," meaning that first
	the "onboot" group is booted and then any remaining enabled
	containers in the NULL group are booted.

*) Adds documentation to lxc-autostart for -g processing order and
	combinations.

*) Parameterizes bootgroups, options, and shutdown delay in init scripts
	and services.

*) Update the various init scripts to use lxc-autostart in a similar way.

Reported-by: CDR <venefax@gmail.com>
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-06-03 11:10:01 -04:00
Serge Hallyn
77ae87cdeb Fix building init.lxc.static under bionic
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2014-06-03 10:11:09 -04:00
Serge Hallyn
07ffb1303e configure.ac: don't let -lcgmanager end up in LIBS
AC_SEARCH_LIBS always places the library being queried into LIBS.  We
don't want that - we were only checking whether a function is
available.  Not everything (notably not init.lxc.static) needs to
link against -lcgmanager.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-06-03 10:11:05 -04:00
Serge Hallyn
9d9c111c61 execute: don't bind mount init.lxc.static if lxc-init is in the container
Move choose_init into utils.c so we can re-use it.  Make it and on_path
accept an optional rootfs argument to prepend to the paths when checking
whether the file exists.

Also add lxc.init.static to .gitignore

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-06-03 10:11:01 -04:00
Serge Hallyn
041cb4999b execute: try /lxc.init.static as last resort
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-06-03 10:10:56 -04:00