Commit Graph

1311 Commits

Author SHA1 Message Date
Stéphane Graber
9737a2060c lxc-start-ephemeral: Drop stop() calls when shutdown() returns non-True
shutdown() when given a timeout already does a stop call so there's no
need to check its return value and do another one.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2012-11-12 13:18:32 -05:00
Stéphane Graber
225b52ef15 lxc-start-ephemeral: Add missing return call to wait override
When overriding wait(), I forgot to actually return the value coming
from the C binding...

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2012-11-12 13:18:31 -05:00
Stéphane Graber
921ceb26bd lxc-start-ephemeral: Fix typo causing crash at startup
Apparently a ")" was dropped in a recent change, causing
lxc-start-ephemeral to fail to start completely (invalid syntax).

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2012-11-12 13:18:31 -05:00
Dwight Engen
5b12984bf9 fix expansion of LXCPATH,LXCROOTFSMOUNT,LXCTEMPLATEDIR
These variables are not expanded correctly in doc/lxc-create.sgml.in
and a workaround is in place to ensure ${localstatedir}, and ${datadir}
are set in the various shell scripts that use it. There is no workaround
to ensure ${datadir} is set in src/lxc/lxc-create.in, nor is
${localstatedir} set in templates/lxc-altlinux.in so I think that these
are currently broken.

Using AS_AC_EXPAND instead of AC_SUBST fixes these problems and removes
the need for the workarounds. In addition the lxc-start-ephemeral.in
script can be autoconf'ed instead of sed'ed by the makefile.

Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
2012-11-12 13:18:31 -05:00
Dwight Engen
0d2787be93 fix gcc error: typedef redefinition (against git staging)
Fix gcc error confile.c:83: error: redefinition of typedef ‘config_cb’.
It's already defined the same way in confile.h.

Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@canonical.com>
2012-11-12 13:17:54 -05:00
Dwight Engen
1f530df632 fix compile without apparmor (against git staging)
Add a few missing #if's to fix compilation when configured without
AppArmor.

Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@canonical.com>
2012-11-12 13:17:54 -05:00
Stéphane Graber
87540ad7d8 python-lxc: Always convert state passed to wait() to uppercase
At Serge's suggestion, always convert the state passed to the wait()
function in the python API to its uppercase equivalent.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2012-11-12 13:17:54 -05:00
Stéphane Graber
16216c8329 Prefix the test binaries by lxc-test-
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2012-11-12 13:17:54 -05:00
Serge Hallyn
9c9b984556 check return values of scanf and system
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2012-11-12 13:17:54 -05:00
Serge Hallyn
733a0e89ac check sscanf return value
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2012-11-12 13:17:54 -05:00
Stéphane Graber
95a717e9b9 Fix previous commit, removing hardcoded /var/lib/lxc from lxc-start-ephemeral
The previous commit was missing part of the changes, leading to a non-working
version of lxc-start-ephemeral.

This commit adds the missing parts.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2012-11-12 13:17:54 -05:00
Stéphane Graber
caf32f58cd Remove hardcoded /var/lib/lxc from lxc-start-ephemeral
Add dependency on sed and add a Makefile.am section for lxc-start-ephemeral
so that it gets updated at build time for the right container path.
2012-11-12 13:17:54 -05:00
Stéphane Graber
d7415aea48 Add lxc-start-ephemeral
This commit adds lxc-start-ephemeral as a python script using the
new python-lxc API.

This script is somewhat similar to lxc-clone except that it uses
overlayfs or aufs to provide an overlay on top of the source container.

It also allows the user to directly run a command in the container using
SSH and can fetch the IP address from the container when starting the
container in the background.

The initial work on lxc-start-ephemeral was done by Serge Hallyn in Ubuntu,
this is a re-implementation of it using python and the new LXC hooks.

Compared to the shell implementation, there are three notable differences:
 - When starting without a command, lxc-start-ephemeral now attaches to tty1
 - When starting in the background (-d), the name and IP of the container are
   shown on screen.
 - A new "-k" option is added, allowing the user to keep the ephemeral
   container after shutdown. This turns off the tmpfs backend and sets up the
   hooks so that the container can be started/stopped multiple times.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2012-11-12 13:17:54 -05:00
Serge Hallyn
697fa6390c dual-fork for daemonized fork in lxcapi-start
So the container will be reparented by init.  Otherwise children of the
lxc-start might be reaped by python3 rather than lxc-start.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2012-11-12 13:17:54 -05:00
Stéphane Graber
59b3bc264c Remove zombie_handler from python-lxc code
This code was added to deal with stopped/dead containers but
really shouldn't be implemented there. Instead the setsid() call in
start() should be enough to prevent python from getting the SIGCHLD and
having to deal with it.
2012-11-12 13:17:54 -05:00
Stéphane Graber
cbd4c46406 Raise exception when getting Container instance as non-root in python3-lxc
The liblxc API currently doesn't work as non-root, so check that the euid
is 0 when getting a Container instance in the python API.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2012-11-12 13:17:54 -05:00
Serge Hallyn
767d4c6743 premount hook is implemented in git
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2012-11-12 13:17:54 -05:00
Serge Hallyn
472c97e976 document lxc.hooks in lxc.conf manpage
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2012-11-12 13:17:54 -05:00
Serge Hallyn
8eb5694baf Add lxc_conf_free()
Then after lxcapi container->create(), free whatever lxc_conf may be
loaded and reload from the newly created configuration file.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2012-11-12 13:17:30 -05:00
Serge Hallyn
64fca455ae get_item(utsname): don't dereference utsname if it is NULL
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2012-11-12 13:17:30 -05:00
Serge Hallyn
4a7c7daa26 Fix passing non-const char* in for const char*
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2012-11-12 13:17:30 -05:00
Serge Hallyn
c278cef2ec check chdir(/) return value
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2012-11-12 13:17:30 -05:00
Serge Hallyn
89eaa05ed1 replace HOOK define with proper code.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2012-11-12 13:17:30 -05:00
Stéphane Graber
e0de36d791 Add better example/test of the python3-lxc API
Replaced python-lxc/test.py by a new api_test.py script that
uses all the available functions of the API to run a batch of
basic tests.

This example is useful both as a test of the API and as a guide on
how to use the python API to manage containers.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2012-11-12 13:17:30 -05:00
Stéphane Graber
38b280ca2c Remove unused v1 and v2 variables in main()
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2012-11-12 13:17:30 -05:00
Stéphane Graber
85a9d07827 Cleanup lxc_wait
 - Remove unused timeout_handler function.
 - Remove unused variables from main()

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2012-11-12 13:17:30 -05:00
Stéphane Graber
fe88b9d2f3 Remove unused "i" variable in lxc_get_item_nic
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2012-11-12 13:17:30 -05:00
Stéphane Graber
427b3a21ef Change lxc_remove_nic from returning int to void
The function wasn't returning anything and none of the callers
were checking for a return code.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2012-11-12 13:17:30 -05:00
Stéphane Graber
525421c923 Make building the API tests/examples optional
Add a new --enable-tests option to configure which is used to
optionally build the tests/examples. Default is off.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2012-11-12 13:17:30 -05:00
Serge Hallyn
5ea6163a62 Add lxc.hook.pre-mount
This happens in the container's namespace, but before the rootfs is
set up and mounted.  This gives us a chance to mangle the rootfs - i.e.
ecryptfs-mount it.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2012-11-12 13:17:30 -05:00
Serge Hallyn
06200a37fc lxc-wait: initialize timeout to -1
Otherwise it defaults to 0, meaning don't wait.  -1 means wait forever,
which is what we want as the default behavior.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2012-11-12 13:17:30 -05:00
Stéphane Graber
69d66f1e72 Add lxc.aa_profile example to all templates
LXC has optional apparmor support, default profile is lxc-container-default.
This change adds a commented "lxc.aa_profile = default" line to all templates,
uncommenting this will bypass apparmor for the container.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2012-11-12 13:16:50 -05:00
Stéphane Graber
0a8722fd78 Rename runapitests.bash to runapitests.sh and make it use /bin/sh
This is a simple POSIX shell script, so no need for the weird extension
or for the explicit use of /bin/bash

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2012-11-12 13:16:16 -05:00
Stéphane Graber
cbe3a58b13 Remove duplicate copy of runapitests.bash
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2012-11-12 13:16:16 -05:00
Stéphane Graber
be2e4e54da Add python-lxc based on the new liblxc API.
This adds a basic python binding done in C and a python overlay to
extend some features and provide a user-friendlier API.

This python API only supports python 3.x and was tested with >= 3.2.

It's disabled by default in configure and can be turned on by using
--enable-python.

A basic example of the API can be found in src/python-lxc/test.py.
More documentation and examples will be added soon.
2012-11-12 13:16:16 -05:00
Stéphane Graber
7a44c8b447 When starting a container daemonized, wait for it to reach RUNNING state before returning the result of start().
If the container doesn't reach RUNNING state in 5 seconds, a failure will be
returned to the user.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2012-11-12 13:16:16 -05:00
Stéphane Graber
72d0e1cb2f Merge the liblxc API work by Serge Hallyn.
This turns liblxc into a public library implementing a container structure.
The container structure is meant to cover most LXC commands and can easily be
used to write bindings in other programming languages.

More information on the new functions can be found in src/lxc/lxccontainer.h
Test programs using the API can also be found in src/tests/

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2012-11-12 13:16:16 -05:00
Christian Seiler
7a0b0b5672 lxc-attach: Add -R option to remount /sys and /proc when only partially attaching
When attaching to only some namespaces of the container but not the mount
namespace, the contents of /sys and /proc of the host system do not properly
reflect the context of the container's pid and/or network namespaces, and
possibly others.

The introduced -R option adds the possibility to additionally unshare the
mount namespace (when it is not being attached) and remount /sys and /proc
in order for those filesystems to properly reflect the container's context
even when only attaching to some of the namespaces.

Signed-off-by: Christian Seiler <christian@iwakd.de>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Cc: Daniel Lezcano <daniel.lezcano@free.fr>
2012-11-12 13:16:16 -05:00
Christian Seiler
e13eeea2db lxc-attach: Add -s option to select namespaces to attach to
This patch allows the user to select any list of namespaces (network, pid,
mount, uts, ipc, user) that lxc-attach should use when attaching to the
container; all other namespaces will not be attached to.

This allows the user to for example attach to just the network namespace and
use the host's (and not the container's) network tools to reconfigure the
network of the container.

Signed-off-by: Christian Seiler <christian@iwakd.de>
Cc: Daniel Lezcano <daniel.lezcano@free.fr>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
2012-11-12 13:15:17 -05:00
Christian Seiler
39a5d5feee lxc-unshare: Move functions to determine clone flags from command line options to namespace.c
In order to be able to reuse code in lxc-attach, the functions
lxc_namespace_2_cloneflag and lxc_fill_namespace_flags are moved from
lxc_unshare.c to namespace.c.

Signed-off-by: Christian Seiler <christian@iwakd.de>
Cc: Daniel Lezcano <daniel.lezcano@free.fr>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
2012-11-12 13:13:52 -05:00
Christian Seiler
fc763ab77d lxc-attach: Detect which namespaces to attach to dynamically
Use the command interface to contact lxc-start to receive the set of
flags passed to clone() when starting the container. This allows lxc-attach
to determine which namespaces were used for the container and select only
those to attach to.

Signed-off-by: Christian Seiler <christian@iwakd.de>
Cc: Daniel Lezcano <daniel.lezcano@free.fr>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
2012-11-12 13:13:52 -05:00
Christian Seiler
c8f7c5630e lxc-attach: Remodel cgroup attach logic and attach to namespaces again in parent process
With the introduction of lxc-attach's functionality to attach to cgroups,
the setns() calls were put in the child process after the fork() and not the
parent process before the fork() so the parent process remained outside the
namespaces and could add the child to the correct cgroup.

Unfortunately, the pid namespace really affects only children of the current
process and not the process itself, which has several drawbacks: The
attached program does not have a pid inside the container and the context
that is used when remounting /proc from that process is wrong. Thus, the
previous logic of first setting the namespaces and then forking so the child
process (which then exec()s to the desired program) is a real member of the
container.

However, inside the container, there is no guarantee that the cgroup
filesystem is still mounted and that we are allowed to write to it (which
is why the setns() was moved in the first place).

To work around both problems, we separate the cgroup attach functionality
into two parts: Preparing the attach process, which just opens the tasks
files of all cgroups and keeps the file descriptors open and the writing to
those fds part. This allows us to open all the tasks files in lxc_attach,
then call setns(), then fork, in the child process close them completely and
in the parent process just write the pid of the child process to all those
fds.

Signed-off-by: Christian Seiler <christian@iwakd.de>
Cc: Daniel Lezcano <daniel.lezcano@free.fr>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
2012-11-12 13:13:52 -05:00
Christian Seiler
d5088cf2d3 lxc-start: Add command to retrieve the clone flags used to start the container.
Add the LXC_COMMAND_CLONE_FLAGS that retrieves the flags passed to clone(2)
when the container was started. This allows external programs to determine
which namespaces the container was unshared from.

Signed-off-by: Christian Seiler <christian@iwakd.de>
Cc: Daniel Lezcano <daniel.lezcano@free.fr>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
2012-11-12 13:13:52 -05:00
Serge Hallyn
1881820ae4 lxc-create: Make location of container rootfs configurable
Make 'dir' an explicit backing store type, which accepts '--dir rootfs'
as an option to specify a custom location for the container rootfs.  Also
update lxc-destroy to now remove the rootfs separately, as removing
@LXCPATH@/$name may not hit it.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2012-11-12 13:13:52 -05:00
Jan Kiszka
74a2b5864f Add network-down script
Analogously to lxc.network.script.up, add the ability to register a down
script. It is called before the guest network is finally destroyed,
allowing resources that are not reset/destroyed automatically to be
cleaned up. Parameters of the down script are identical to the up
script except for the execution context "down".

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2012-11-12 12:04:30 -05:00
Serge Hallyn
c8dee0f165 Makefile.am: use right .h file name for seccomp
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2012-11-12 12:04:30 -05:00
Serge Hallyn
e767dd5599 fix configure.ac for seccomp and apparmor
Use --enable-XXX=check when not specified to get reasonable defaults.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2012-11-12 12:04:30 -05:00
Serge Hallyn
0d0527a929 seccomp: include lxcseccomp.h in start.c
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2012-11-12 12:04:30 -05:00
Serge Hallyn
09ad624693 confile: support 'lxc.include' option to include other config files
For instance

lxc.include = /var/lib/lxc/commonopts

in /var/lib/lxc/q1/config would cause the configuration in
/var/lib/lxc/commonopts to be loaded when container q1 starts.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2012-11-12 12:04:30 -05:00
Serge Hallyn
8f2c3a702a Introduce support for seccomp.
Hi,

This patch is so far just a proof of concept.  The libseccomp api will be
changing soon so it probably wouldn't be worth pulling this until it is
updated for the new API.

This patch introduces support for seccomp to lxc.  Seccomp lets a program
restrict its own (and its children's) future access to system calls.  It
uses a simple whitelist system call policy file.  It would probably be
better to switch to something more symbolic (i.e. specifying 'open' rather
than the syscall #, especially given container arch flexibility).

I just wanted to get this out there as a first step.  You can also get
source for an ubuntu package based on this patch at
https://code.launchpad.net/~serge-hallyn/ubuntu/quantal/lxc/lxc-seccomp

Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
2012-11-12 12:04:30 -05:00