Commit Graph

4801 Commits

Author SHA1 Message Date
Matt Keeler
cd85f31e26 Use LXC_ROOTFS_MOUNT in clonehostname hook
Previously this hook did not work when cloning containers using an overlayfs snapshot as the LXC_ROOTFS_PATH didn't point to the actual filesystem that the container would see. LXC_ROOTFS_MOUNT should be used instead and in fact lxc.container.conf man page says that you usually would want to use the _MOUNT variant.

Signed-off-by: Matt Keeler <mjkeeler7@gmail.com>
2017-02-23 10:13:16 -05:00
Christian Brauner
4fbf4a3172 Merge pull request #1441 from tych0/only-do-bind-mounts
c/r: only supply --ext-mount-map for bind mounts
2017-02-22 18:29:41 +01:00
Christian Brauner
f79384762e Merge pull request #1438 from stgraber/master
lxc-download: Bump compat level to 4
2017-02-19 23:13:31 +01:00
Stéphane Graber
3ab18243f2 lxc-download: Bump compat level to 4
For templates introduced after LXC 2.0 was released.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2017-02-19 15:17:39 -05:00
Stéphane Graber
5ae75b1d59 Merge pull request #1437 from ganto/lxc-fedora
Various fixes for Fedora bootstrapping on non-Fedora hosts
2017-02-18 11:52:44 -05:00
Reto Gantenbein
3256fa1797 Fix argument parsing for recently added parameters
Signed-off-by: Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
2017-02-18 17:08:48 +01:00
Reto Gantenbein
e93dfa9c34 Adjust indenting
Signed-off-by: Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
2017-02-18 17:08:42 +01:00
Reto Gantenbein
509140b0cd Various fixes for bootstrap image download via HTTPS
- Make sure mirror URL is queried for $FEDORA_RELEASE_DEFAULT
- Fix image path for URLs queried via mirror list

Signed-off-by: Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
2017-02-18 17:08:36 +01:00
Reto Gantenbein
c898497de8 Fix undefined arch on initial bootstrap setup
Signed-off-by: Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
2017-02-18 17:08:29 +01:00
Christian Brauner
ba54e0846c Merge pull request #1435 from stgraber/master
sabayon: Use /bin/bash
2017-02-18 01:34:51 +01:00
Stéphane Graber
4e133789e1 sabayon: Use /bin/bash
The script is full of bashisms making it break when run with a simple
POSIX shell.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2017-02-17 17:06:23 -05:00
Stéphane Graber
a75c00c6d0 Merge pull request #1371 from ganto/lxc-fedora
Complete rework of lxc-fedora template
2017-02-16 22:12:33 +01:00
Tycho Andersen
19d2422b99 c/r: only supply --ext-mount-map for bind mounts
The rest of the mounts can be restored normally.

Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
2017-02-15 11:28:24 -07:00
Serge Hallyn
c5bce6ee3c Merge pull request #1428 from kilobyte/master
fix seccomp blocking x32 guests on amd64 (userspace) hosts
2017-02-14 23:35:02 -06:00
Christian Brauner
1f14c2ea3d Merge pull request #1430 from ffontaine/master
Add HAVE_LIBCAP
2017-02-12 16:32:37 +01:00
Fabrice Fontaine
e37dda7156 Add HAVE_LIBCAP
Currently it is impossible to build lxc with --disable-capabilities if
the user has libcap-dev installed on his system as:
 - calls to cap_xxx functions are not protected by HAVE_LIBCAP defines.
 The whole file is only protected by HAVE_SYS_CAPABILITY_H.
 - AC_CHECK_LIB default action-if-found is overridden by [true] so
 HAVE_LIBCAP is never written to config.h

This patch replaces all HAVE_SYS_CAPABILITY_H checks by HAVE_LIBCAP
checks (fix #1361)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
2017-02-12 14:55:05 +01:00
Adam Borowski
11de80d63c seccomp: allow x32 guests on amd64 hosts.
Without this patch, x32 guests (and no others) worked "natively" with x32
host lxc, but not on regular amd64 hosts.  That was especially problematic
as a number of ioctls such as those needed by netfilter don't work in such
scenarios, thus you want to run amd64 on the host.

With the patch, you can use all three ABIs: i386 x32 amd64 on amd64 hosts.

Despite x32 being little used, there's no reason to deny it by default:
the admin needs to compile their own kernel with CONFIG_X86_X32=y or (on
Debian) boot with syscall.x32=y.  If they've done so, it is a reasonable
assumption they want x32 guests.

Signed-off-by: Adam Borowski <kilobyte@angband.pl>
2017-02-12 07:26:54 +01:00
Stéphane Graber
3a5cb1afff Merge pull request #1424 from brauner/2017-02-08/thomasDOTjaroschATintra2netDOTcom_pty_sigttou
lxc_setup_tios(): Ignore SIGTTOU and SIGTTIN signals
2017-02-08 17:07:26 +01:00
Stéphane Graber
b93fbd2486 Merge pull request #1425 from cebe/patch-1
Make lxc-net return non-zero on failure
2017-02-08 17:06:33 +01:00
Carsten Brandt
4f4e7141dd Make lxc-net return non-zero on failure
I found that even though the service lxc-net failed to start because I made some wrong configuration
settings, the command exits zero.
So systemd reports the status of the service as good even though it failed:

    # service lxc-net status
    ● lxc-net.service - LXC network bridge setup
       Loaded: loaded (/lib/systemd/system/lxc-net.service; enabled)
       Active: active (exited) since Wed 2017-02-08 08:17:32 EST; 21min ago
      Process: 529 ExecStart=/usr/lib/x86_64-linux-gnu/lxc/lxc-net start (code=exited, status=0/SUCCESS)
     Main PID: 529 (code=exited, status=0/SUCCESS)
       CGroup: /system.slice/lxc-net.service

    Feb 08 08:17:30 dvm2 systemd[1]: Starting LXC network bridge setup...
    Feb 08 08:17:32 dvm2 lxc-net[529]: dnsmasq: failed to create listening socket for 10.2.2.1: Address already in use
    Feb 08 08:17:32 dvm2 lxc-net[529]: Failed to setup lxc-net.
    Feb 08 08:17:32 dvm2 systemd[1]: Started LXC network bridge setup.

Adding `exit 1` here makes it exit non-zero to make systemd recognize the failure.

Signed-off-by: Carsten Brandt <mail@cebe.cc>
2017-02-08 14:54:02 +01:00
Thomas Jarosch
4dc96430af lxc_setup_tios(): Ignore SIGTTOU and SIGTTIN signals
Prevent an endless loop while executing lxc-attach in the background:

The kernel might fire SIGTTOU while an ioctl() in tcsetattr()
is executed. When the ioctl() is resumed and retries,
the signal handler interrupts it again.

We can't configure the TTY to stop sending
the signals in the first place since that
is a modification/write to the TTY already.

Still we clear the TOSTOP flag to prevent further signals.

Command to reproduce the hang:
----------------------------
cat > lxc_hang.sh << EOF
/usr/bin/timeout 5s /usr/bin/lxc-attach -n SOMECONTAINER -- /bin/true
EOF
sh lxc_hang.sh    # hangs
----------------------------

Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
2017-02-08 13:50:47 +01:00
Reto Gantenbein
577eb5e3e3 Change Fedora mirror downloads to https by default, rsync optional
This mainly affects the download of the bootstrap image when
running on a non-Fedora host and the initial download of the
repo and release RPMs. The container rootfs creation will then
be verified by dnf against the GPG signatures in the repos RPM.

Signed-off-by: Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
2017-02-07 07:07:45 +01:00
Reto Gantenbein
52c4c3682d Query Fedora mirror list over HTTPS
Signed-off-by: Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
2017-02-07 07:07:40 +01:00
Stéphane Graber
920da314e6 Merge pull request #1422 from brauner/2017-06-02/clear_config_vals
confile: clear lxc.network.<n>.ipv{4,6} when empty
2017-02-06 23:49:30 +01:00
Christian Brauner
0797e123e0 confile: clear lxc.network.<n>.ipv{4,6} when empty
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-02-06 23:08:26 +01:00
Stéphane Graber
01b791a9d3 Merge pull request #1410 from brauner/2017-02-02/fix_compiler_error
conf/ile: make sure buffer is large enough
2017-02-02 05:34:16 -05:00
Christian Brauner
9338493e96 Merge pull request #1409 from tych0/setproctitle-comments
util: update setproctitle comments
2017-02-02 10:54:49 +01:00
Stéphane Graber
0b5cbe35e0 Merge pull request #1398 from geaaru/lxc-sabayon
Add LXC template script of Sabayon OS
2017-02-02 04:45:46 -05:00
Christian Brauner
091045f888 conf/ile: make sure buffer is large enough
conf.c: In function 'lxc_assign_network':
conf.c:3096:25: error: '%lu' directive output may be truncated writing between 1 and 20 bytes into a region of size 19 [-Werror=format-truncation=]
   snprintf(pidstr, 19, "%lu", (unsigned long) pid);
                         ^~~
conf.c:3096:24: note: using the range [1, 18446744073709551615] for directive argument
   snprintf(pidstr, 19, "%lu", (unsigned long) pid);
                        ^~~~~
In file included from /usr/include/stdio.h:938:0,
                 from conf.c:35:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:64:10: note: format output between 2 and 21 bytes into a destination of size 19
   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        __bos (__s), __fmt, __va_arg_pack ());
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
confile.c: In function 'network_new_hwaddrs':
confile.c:2889:38: error: '%02x' directive output may be truncated writing between 2 and 8 bytes into a region of size 6 [-Werror=format-truncation=]
  snprintf(hwaddr, 18, "00:16:3e:%02x:%02x:%02x",
                                      ^~~~
confile.c:2889:23: note: using the range [0, 4294967295] for directive argument
  snprintf(hwaddr, 18, "00:16:3e:%02x:%02x:%02x",
                       ^~~~~~~~~~~~~~~~~~~~~~~~~
confile.c:2889:23: note: using the range [0, 4294967295] for directive argument
In file included from /usr/include/stdio.h:938:0,
                 from confile.c:24:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:64:10: note: format output between 18 and 36 bytes into a destination of size 18
   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        __bos (__s), __fmt, __va_arg_pack ());
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Not sure whether the latter is really a problem. We might need an additional
fix later on.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-02-02 10:31:30 +01:00
Tycho Andersen
7d6c20f25f util: update setproctitle comments
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
2017-02-02 10:30:43 +01:00
Christian Brauner
94c3f54ec6 Merge pull request #1408 from tych0/setproctitle-always-malloc
util: always malloc for setproctitle
2017-02-02 10:09:23 +01:00
Tycho Andersen
be69ad435d util: always malloc for setproctitle
Closes #1407

Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
2017-02-02 08:42:22 +00:00
Christian Brauner
4ce84082f0 Merge pull request #1402 from mabes/patch-1
lxc-opensuse: fix default value for release code
2017-01-30 14:52:36 +01:00
Maxime Besson
04e30e9de7 lxc-opensuse: fix default value for release code
Signed-off-by: Maxime Besson <maxime.besson@smile.fr>
2017-01-30 13:35:09 +01:00
Geaaru
74e7574120 [lxc-sabayon] Add common scripts for daily image generation.
Signed-off-by: Geaaru <geaaru@gmail.com>
2017-01-29 19:03:55 +01:00
Christian Brauner
d54d9610a0 Merge pull request #1400 from bneumeier/master
Allow build without sys/capability.h
2017-01-29 17:23:47 +01:00
Brett Neumeier
df11e022a5 Allow build without sys/capability.h
There is no guard clause around a reference to CAP_EFFECTIVE and
CAP_SETGID, causing compilation to fail if sys/capability.h is not
available.

Signed-off-by: Brett Neumeier <brett@neumeier.us>
2017-01-29 09:41:20 -06:00
Geaaru
11f88f10cd Add LXC template script of Sabayon OS
Signed-off-by: Geaaru <geaaru@gmail.com>
2017-01-28 23:22:47 +01:00
Christian Brauner
9eed569a22 Merge pull request #1397 from stgraber/master
Fix typo
2017-01-27 23:49:49 +01:00
Stéphane Graber
073000e2dc Fix typo
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2017-01-27 17:40:11 -05:00
Stéphane Graber
42dc0de4e3 Merge pull request #1392 from cjwatson/start-ephemeral-python32
Make lxc-start-ephemeral Python 3.2-compatible
2017-01-26 11:45:20 -05:00
Colin Watson
e0e34b7e93 Make lxc-start-ephemeral Python 3.2-compatible
On Ubuntu 12.04 LTS with Python 3.2, `lxc-start-ephemeral` breaks as
follows:

    Traceback (most recent call last):
      File "/usr/bin/lxc-start-ephemeral", line 371, in attach_as_user
      File "/usr/lib/python3.2/subprocess.py", line 515, in check_output
      File "/usr/lib/python3.2/subprocess.py", line 732, in __init__
    LookupError: unknown encoding: ANSI_X3.4-1968

This is because `universal_newlines=True` causes `subprocess` to use
`io.TextIOWrapper`, and in versions of Python earlier than 3.3 that
fetched the preferred encoding using `locale.getpreferredencoding()`
rather than `locale.getpreferredencoding(False)`, thereby changing the
locale and causing codecs to be reloaded.  However, `attach_as_user`
runs inside the container and thus can't rely on having access to the
same Python standard library on disk.

The workaround is to decode by hand instead, avoiding the temporary
change of locale.

Signed-off-by: Colin Watson <cjwatson@ubuntu.com>
2017-01-26 14:32:08 +00:00
Christian Brauner
4893a4315c Merge pull request #1388 from trofi/master
Use AC_HEADER_MAJOR to detect major()/minor()/makedev()
2017-01-21 13:41:36 +01:00
Sergei Trofimovich
af6824fce9 Use AC_HEADER_MAJOR to detect major()/minor()/makedev()
Before the change build failed on Gentoo as:

  bdev/lxclvm.c: In function 'lvm_detect':
  bdev/lxclvm.c:140:4: error: implicit declaration of function 'major' [-Werror=implicit-function-declaration]
    major(statbuf.st_rdev), minor(statbuf.st_rdev));
    ^~~~~
  bdev/lxclvm.c:140:28: error: implicit declaration of function 'minor' [-Werror=implicit-function-declaration]
    major(statbuf.st_rdev), minor(statbuf.st_rdev));
                            ^~~~~

glibc plans to remove <sys/sysmacros.h> from glibc's <sys/types.h>:
    https://sourceware.org/ml/libc-alpha/2015-11/msg00253.html

Gentoo already applied glibc patch to experimental glibc-2.24
to start preparing for the change.

Autoconf has AC_HEADER_MAJOR to find out which header defines
required macros:
    https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Particular-Headers.html

This change should also increase portability across other libcs.

Bug: https://bugs.gentoo.org/604360
Signed-off-by: Sergei Trofimovich <siarheit@google.com>
2017-01-21 11:57:13 +00:00
Christian Brauner
b7329cebaf Merge pull request #1382 from evgeni/lsb-cgroupfs-mount
add cgroupfs-mount to Should-Start/Stop sysvinit LSB headers
2017-01-12 15:38:27 +01:00
Evgeni Golov
2704c1ccdd add cgroupfs-mount to Should-Start/Stop sysvinit LSB headers
otherwise init might try to start the containers before cgroupfs was
mounted.

Debian-Bug: https://bugs.debian.org/850212

Signed-off-by: Evgeni Golov <evgeni@debian.org>
2017-01-12 12:51:55 +01:00
Serge Hallyn
3728ed350c Merge pull request #1381 from brauner/2017-01-11/fix_volatile_containers
tools/lxc-start: remove c->is_defined(c) check
2017-01-11 10:05:32 -06:00
Christian Brauner
72c78e0e1c tools/lxc-start: remove c->is_defined(c) check
We do not check here whether the container is defined, because we support
volatile containers. Which means the container does not need to be created for
it to be started. You can just pass a configuration file as argument and start
the container right away.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-01-11 16:20:20 +01:00
Serge Hallyn
e3cca06889 Merge pull request #1373 from brauner/2016-01-02/fix_execute_and_improve_setgroups
start: fix execute and improve setgroups() calls
2017-01-07 10:33:57 -06:00
Christian Brauner
87bf0db03d start: check for CAP_SETGID before setgroups()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-01-07 12:50:26 +01:00