follow new gentoo's download server configuration.
Should be backported in earlier lxc versions.
Signed-off-by: Guillaume ZITTA <lxc@zitta.fr>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This prevents on_exit() and atexit() handlers registered by the parent
process from being run in the forked intermediate process.
Signed-off-by: Johannes Henninger <johannes@henninger.io>
Otherwise lxc-stop -r has no effect on the container.
Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Also fix some minor indentation mishaps since we're here.
Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Following the model of f0f1d8c076, add a reboot
signal for special init processes that work on something other than SIGINT.
Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
At the commit 18aa217, the snapshot dir was moved to /var/lib/lxc/c/snaps.
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This enables containers to mount fuse filesystems per default. The mount
is designed to be safe. Hence, it can be enabled per default in
common.conf. It will lead to a cleaner boot for some unprivileged
systemd-based containers.
Signed-off-by: Christian Brauner <christianvanbrauner@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This resolves the case where /proc/sysrq-trigger doesn't exist by simply
ignoring any mount failure on ENOENT. With the current mount list, this
will always result in a safe environment (typically the read-only
underlay).
Closes#425
v2: Don't always show an error
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
It turns out the process command line is in fact null terminated on the stack;
this caused a bug where when the new process title was smaller than the old
one, the first environment entry would be rendered as part of the process
title.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
lxc-plamo stop:
* creating objects under /dev when creating the container
* removing /dev population process from original rc script
now populate /dev at container boot time, and allow to enable
lxc.autodev=1
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Not all kernels have these macros; they'll just give an EINVAL if/when invoked.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Instead of having a parent process that's called whatever the caller of the
library is called, we instead set it to "[lxc monitor] <lxcpath> <container>"
Closes#180
v2: check for null in tok for loop, only truncate environment when necessary
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Because we now create the ttys from inside the container, we had to
add an apparmor rule for start-container to bind-mount /dev/pts/** -> /dev/tty*/.
However that's not sufficient if the container sets lxc.ttydir, in
which case we need to support mounting onto files in subdirs of /dev.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
We were trying to be smart and use whatever the last part of
the container's rootfs path was. However for block devices
that doesn't make much sense. I.e. if lxc.rootfs = /dev/md-1,
chances are that /var/lib/lxc/c1/md-1 does not exist.
So always use the $lxcpath/$lxcname/rootfs, and if it does
not exist, try to create it.
With this, 'lxc-clone -s -o c1 -n c2' where c1 has an lvm backend
is fixed. See https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1414771
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Lxc has always created the ptys for use by console and ttys early
on from the monitor process. This has some advantages, but also
has disadvantages, namely (1) container ptys counting against the
max ptys for the host, and (2) not having a /dev/pts/N in the
container to pass to getty. (2) was not a problem for us historically
because we bind-mounted the host's /dev/pts/N onto a /dev/ttyN in
the container. However, systemd hardocdes a check for container_ttys
that the path have 'pts/' in it. If it were only for (2) I'd have
opted for a systemd patch to check the device major number, but (1)
made it worth moving the openpty to the container namespace.
So this patch moves the tty creation into the task which becomes
the container init. It then passes the fds for the opened ptys
back to the monitor over a unix socketpair (for use by lxc-console).
The /dev/console is still created in the monitor process, so that
it can for instance be used by lxc.logfd.
So now if you have a foreground container with lxc.tty = 4, you
should end up with one host /dev/pts entry per container rather than 5.
And lxc-console now works with systemd containers.
Note that if the container init mounts its own devpts over the
one mounted by lxc, the tty /dev/pts/n will be hidden. This is ok
since it's only systemd that needs it, and systemd won't do that.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
- Implements mixed mode for /sys where it's mounted read-only but with
/sys/devices/virtual/net/ writable.
- Sets lxc.mount.auto to "cgroup:mixed proc:mixed sys:mixed" for all
templates.
- Drop any template-specific mount for /proc, /sys or /sys/fs/cgroup.
- Get rid of the fstab file by default, using lxc.mount.entry instead.
- Set sys:mixed as the default for "sys". sys:mixed is slightly more
permissive than sys:ro so this shouldn't be a problem.
The read-only bind mount of /sys on top of itself is there so that
mountall and other init systems don't attempt to remount /sys
read-write.
v2 changes:
- Fix the mount list, don't specify a source for the remount.
- Update the documentation.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
The lxc.tty configuration item specifies a number of ttys to create.
Historically, for each of those, we create a /dev/pts/N entry and
symlink it to /dev/ttyN for older inits to use. For systemd, we should
instead specify each tty name in a $container_ttys environment variable
passed to init.
See http://www.freedesktop.org/wiki/Software/systemd/ContainerInterface/ and
https://github.com/lxc/lxc/issues/419.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
It is set in plamo.common.conf, so it do not need in plamo.userns.conf
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
At this time, a container that is created by lxc-plamo can't work with
lxc.autodev=1
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
1. tty5 is not needed
2. the devices should be optional in case they didn't exist in the
host / parent-container
3. switch from 'touch $rootfs/dev/$dev' to using create=file in the
mount entry.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Close#389
We will probably also want to switch the order of the mount attempts, as
the new overlay fs should quickly become the more common scenario.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
- document environment variables
- add missing --packages switch to command line
- describe how to pass template options to lxc-create (since
lxc-create -h doesn't tell you)
- render help text in the same pretty format as lxc-create does
Signed-off-by: Tomáš Posíšek <tpo_deb@sourcepole.ch>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
The `index` libc function was removed in POSIX 2008, and `strchr` is a direct
replacement. The bionic (Android) libc has removed `index` when you are
compiling for a 64-bit architecture, such as AArch64.
Signed-off-by: Patrick O'Leary <patrick.oleary@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
