Point users in documentation to also enable POSIX capability for
dropping CAP_BOOT.
Signed-off-by: Filippo Giunchedi <filippo@esaurito.net>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
This might result in more evident lack of support for POSIX capabilities
enabled as pointed out in documentation
Signed-off-by: Filippo Giunchedi <filippo@esaurito.net>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Probably a mention to libcap-2 is worth keeping, though it might be
clearer to point to setcap binary directly.
Signed-off-by: Filippo Giunchedi <filippo@esaurito.net>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Rationale: some distributions don't include /sbin in PATH for regular
users, thus setcap might not be found during configure
Signed-off-by: Filippo Giunchedi <filippo@esaurito.net>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
These options appear in 2.6.29 in different locations, update the sgml
accordingly
Signed-off-by: Filippo Giunchedi <filippo@esaurito.net>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
I think this explanation is better.
Signed-off-by: Christophe Quintard <christophe.quintard@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
this is the man page update following the
previous git commit 7cbfc4e441
Signed-off-by: Michel Normand <normand@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
lxc-execute has to return the exit code of its child not others
as today's code would return the exit code of the last child.
We need to track the first process we launched and store its
exit status when it exits. In order to avoid detecting the exit
of this pid several times if the pid numbers wrap, we put an extra
flag saying the process group is orphan.
Signed-off-by: Michel Normand <normand@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
I did this one change by reading the code
but did not try to run it.
Signed-off-by: Michel Normand <normand@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
the lxc_unlink_nsgroup may fail on ppc
where the stack is not zeroed by default
and because the readlink function does not add a trailing null character.
Signed-off-by: Michel Normand <normand@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Update the checkpoint and restart regarding the statefile parameter.
Signed-off-by: Michel Normand <normand@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Howdy,
I was playing around with LXC containers this past weekend, and
noticed a couple of issues with the lxc-fedora script:
#1: Line 96 should be ${ROOTFS}/etc/sysconfig/network instead of
${ROOTFS}/sysconfig/network
#2 Line 249 contains a reference to $PKG, which isn't used in the
program. I adjusted the variable to point to the correct package, and
use this in the calls to yumdownloader:
PKG="${DISTRO}-release.noarch.rpm"
.....
yumdownloader --destdir="${CACHE}/partial" "${PKG}"
#3 The $CACHE/partial path is escaped unnecessarily:
RPM="rpm --root \"${CACHE}/partial\""
#4 The program assumes yumdownloader will work, which isn't always the
case. I added an if statement to check the return code:
echo "Downloading distribution release file ${PKG}"
yumdownloader --destdir="${CACHE}/partial" "${PKG}"
RESULT=$?
if [ "${RESULT}" != "0" ]; then
echo "Enable to download the distribution release file"
exit 1
fi
#5 The package name passed to yumdownloader is incorrect:
yumdownloader --destdir="${CACHE}/partial" "${DISTRO}-release.noarch.rpm"
On Fedora 10 and 11, this evaluates to:
fedora-release.noarch.rpm
When we need it to evaluate to:
fedora-{RELEASE_VER}.release.noarch
This is fixed in the PKG variable listed above.
A patch that addresses these issues is attached.
Thanks,
- Ryan
Signed-off-by: Matty <matty91@gmail.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
The current code implies we have to define a utsname in order
to unshare it. This is problematic in case of system container because
we want them to set their hostname. As the utsname namespace is
a COW, we can safely unshare it in all the cases.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
The capability.h header is broken on fedora 11.
The workaround is to include <sys/types.h> before <sys/capability.h>.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Stupid me, we don't want to add a dependency to an external
tool as the library has to be standalone.
Just let lxc define a .pc file, so the upper layer will
find the needed information to use it.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Rename lxc-config to lxc-version in order to avoid the confusion
with what looks like a container configuration tool.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
As we have the correct information with pkg-config we can
write a script which will collect the information and we get
rid of the C program.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Don't clean up the sgml which are generated by configure, otherwise
at the next make, the documentation generation will complain about
missing files.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
When we daemonize the container and we specify the log file,
the container will use the log file to write the console output.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
If needed the container can be launched in background
with a specific option -d.
That will mute the container, the logs can help
to check what went wrong.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Save the tty configuration before calling lxc_start and
restore it right after it has been changed.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Hi,
I've been playing with lxc, though with --enable-test the test/ directory
doesn't compile, the following patch ought to fix this.
I've not tested tests thoroughly but seems straightforward enough.
Update the API usage in test/ as to make tests compile
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
the common options of lxc commands
are now described in one file "common_options.sgml.in"
Signed-off-by: Michel Normand <normand@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
the common references to lxc man pages
are now placed in one file "see_also.sgml.in"
Note that the few man pages that refer to man
pages that are not lxc ones have two "See Also" paragraphs.
Signed-off-by: Michel Normand <normand@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
remove an error message in lxc_wait.c that duplicates
an already existing error message in state.c
Signed-off-by: Michel Normand <normand@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Without this patch the lxc_wait may wait forever
if container is already in requested state.
Note that this patch also avoids hanging if the container does not exist yet.
Signed-off-by: Michel Normand <normand@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
the change introduced by commit 31c53c2e1a
does not allow more than one monitor anymore.
The purpose of this patch is to add an error message
when such a condition is identified, eg:
===
lxc-monitor: bind : Address already in use
===
Signed-off-by: Michel Normand <normand@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
When no name is specified in the configuration file for an interface,
let the system choose one nice name like "eth".
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
It is not easy to follow the cgroup name associated with a container,
so right after the container is created, I rename the cgroup which
is the pid of the creator by the container name.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
As the checkpoint/restart is expected to be sequential,
I pass the file descriptor to checkpoint and restart, so
that will be up to the caller to open the file descriptor
which can be a pipe, socket, file, etc ...
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
The checkpoint / restart code is too experimental regarding
the current implementation in the kernel.
As there are several implementations and we don't know which
one will be merged upstream, I remove the code and add a few
parameters to checkpoint.
The checkpoint/restart function will be plugins in order to choose
the CR solutions. This approach will allow switching from one
implementation to another without breaking anything.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
There is no more need of the LXC_ERROR defines
and related lxc_strerror function.
Signed-off-by: Michel Normand <normand@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
This is useless because error is already reported by the functions
Signed-off-by: Michel Normand <normand@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>