Search for Lua if no --enable-lua/--disable-lua specified but continue
without if not found.
If --enable-lua is specified and Lua is not found then return error.
If --disable-lua is specified, then don't search for Lua.
Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
When there is no --enable-lua or --with-lua-pc, Lua should not be
enabled.
This fixes a bug introduced with 12e93188 (configure/makefile:
Allow specify Lua pkg-config file with --with-lua-pc) that caused
configure script to fail if lua headers was missing.
Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Enable support for both Lua 5.1 and 5.2 by letting user specify the Lua
pkg-config package name. By default it will use 'lua' and try figure
out which version it is.
Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
We use confstr to grab the default PATH value. If it's not there, just
use a standard one with bin and sbin for /, /usr and /usr/local.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
initstate/random doesn't work on bionic, srand/rand works on everything,
so let's use that.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This adds a local ifaddrs implementation to be used on Bionic or other C
libraries that don't come with a getifaddrs implementation.
This code was written by Kenneth MacKay and is under a two-clause BSD
license (copyright information in the file headers).
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Fix build with automake 1.14 and newer, since it requires explicit
setting now.
Signed-off-by: Alexander Vladimirov <alexander.idkfa.vladimirov@gmail.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
It uses the newuidmap and newgidmap program to start a shell in
a mapped user namespace. While newuidmap and newgidmap are
setuid-root, lxc-usernsexec is not.
If new{ug}idmap are not available, then this program is not
built or installed. Otherwise, it will be used to support creating,
starting, destroying, etc containers by unprivileged users using
their authorized subuids and subgids.
Example:
usernsexec -m u:0:100000:1 -- /bin/bash
will, if the user is authorized to use subuid 100000, start a
bash shell in a user namespace where 100000 on the host is
mapped to root in the namespace, and the shell is running as
(privileged) root.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Define a sha1sum_file() function in utils.c. Use that in lxcapi_create
to write out the sha1sum of the template being used. If libgnutls is
not found, then the template sha1sum simply won't be printed into the
container config.
This patch also trivially fixes some cases where SYSERROR is used after
a fclose (masking errno) and missing consts in mkdir_p.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
And use it in place of the various ways we were deducing /etc/lxc/default.conf.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
configure/makefile: rename default_conf to distro_conf, since it is a per-distro
default. Then we'll be able to use the symbol LXC_DEFAULT_CONF in the code to
refer to the installed file.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
1. implement bdev->create:
python and lua: send NULL for bdevtype and bdevspecs.
They'll want to be updated to pass those in in a way that makes
sense, but I can't think about that right now.
2. templates: pass --rootfs
If the container is backed by a device which must be mounted (i.e.
lvm) then pass the actual rootfs mount destination to the
templates.
Note that the lxc.rootfs can be a mounted block device. The template
should actually be installing the rootfs under the path where the
lxc.rootfs is *mounted*.
Still, some people like to run templates by hand and assume purely
directory backed containers, so continue to support that use case
(i.e. if no --rootfs is listed).
Make sure the templates don't re-write lxc.rootfs if it is
already in the config. (Most were already checking for that)
3. Replace lxc-create script with lxc_create.c program.
Changelog:
May 24: when creating a container, create $lxcpath/$name/partial,
and flock it. When done, close that file and unlink it. In
lxc_container_new() and lxcapi_start(), check for this file. If
it is locked, create is ongoing. If it exists but is not locked,
create() was killed - remove the container.
May 24: dont disk-lock during lxcapi_create. The partial lock
is sufficient.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
This requires implementing bdev->ops->destroy() for each of the backing
store types. Then implementing lxcapi_clone(), writing lxc_destroy.c
using the api, and removing the lxc-destroy.in script.
(this also has a few other cleanups, like marking some functions
static)
Changelog:
fold into destroy: fix zfs destroy
destroy: use correct program name in help
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
implement c->reboot(c) in the api.
Also if the container is not running, return -2. Currently
lxc-stop will return 0, so you cannot tell the difference
between successfull stopping and noop.
Per stgraber's email:
- Remove lxc-shutdown
- Change lxc-stop so that:
* Default behaviour is to call shutdown(), wait 15s for STOPPED, if
not STOPPED, print a message to the user and call stop() [ NOTE:
actually 60 seconds per followup thread]
* We have a -r option to reboot the container (with proper check that
the container indeed rebooted within the next 15s)
* We have a -s option to shutdown the container without the automatic
fallback to stop()
* Add a -k option allowing a user to just kill a container
(equivalent to old lxc-stop, no shutdown() call and no delay).
and update manpages.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Add a template to create a cirros container. One great thing about
cirros is that the image you download is 3.5M.
Thanks smoser!
Note by default /etc/inittab doesn't have a /dev/console entry, so you
don't get a login on the lxc-start console. Adding
console::respawn:/sbin/getty 115200 console
makes that work, but ctrl-c still gets forwarded to init which then
reboots. So I didn't bother adding console as part of the template
(yet). Instead I simply lxc-start -d, then lxc-console.
Signed-off-by: Scott Moser <scott.moser@canonical.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
1. commonize waitpid users to use a single helper. We frequently want
to run something in a clean namespace, or fork off a script. This
lets us keep the function doing fork:(1)exec(2)waitpid simpler.
2. start a blockdev backend implementation. This will be used for
mounting, copying, and snapshotting container filesystems.
3. implement btrfs, lvm, directory, and overlayfs backends.
4. For overlayfs, support a new lxc.rootfs format of
'bdevtype:<extra>'. This means you can now use overlayfs-based
containers without using lxc-start-ephemeral, by using
lxc.rootfs = overlayfs:/readonly-dir:writeable-dir
5. add a set of simple clone testcases
6. Write a new lxc_clone.c based on api clone.
Still to do (there's more, but off top of my head):
1. support zfs, aufs
2. have clone handle other mount entries (right now it only clones
the rootfs)
3. python, lua, and go bindings (not me :)
4. lxc-destroy: if lvm backing store, check for snapshots of it.
(what about directories which have overlayfs clones?)
Changes since v2:
Initialize random generator when picking new macaddr (reported
by caglar@10ur.org)
Fix wrong use of bitmask flags
On copy-clone of btrfs, create a subvolume
lxc_clone.c: respect the command line usage of the old script
lxc-clone(1): update documentation
Refuse to try changing backing stores expect to overlayfs, as
it is not implemented (yet) anyway.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Conflicts:
src/lxc/utils.h
Commit 69fe23ff added checking for the older docbook2man back into
configure, but this breaks building the docs on at least Oracle Linux and
Fedora when docbook2X is not installed as docbook2man will be found but the
docs don't actually build with that tool.
This change makes it so the docs can be built with either the older
docbook2man or the newer 2X tools by using configure to set the dtd
string to an appropriate value depending on use of docbook2man or
db2x_docbook2man.
Also fixed a small error in lxc-destroy.sgml.in that was noticed
by the old tools.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
This adds docbook2man as an alternative name for the docbook compiler.
As that name was used on Debian based systems for an older version of the tool,
this change also adds a check so that docbook2man is never used on Debian based
systems.
Reported-by: Peter Simons <simons@cryp.to>
Reported-by: Christian Bühler christian@cbuehler.de
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
When we install lxc by manual (configure; make; make install),
all files are installed under /usr/local/. Configuration files
and setting files of containers are stored under /usr/local/ too,
however, only log files are stored under /var/log/ not
/usr/local/var/log.
This patch changes the default log path to $localstatedir/log/lxc
(by default $localstatedir is /usr/local/var) where is an ordinary
directory, which is probably expected and unsurprising.
Signed-off-by: Ryota Ozaki <ozaki.ryota@gmail.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Debian 5.0 Lenny turned out of support on the 6th of February 2012.
From now on, the only supported Debian template is lxc-debian.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
The python api test script was using @LXCPATH@ for one of its checks.
Now that the lxcpath is exposed by the lxc python module directly, this
can be dropped and api_test.py can now become a simple python file without
needing pre-processing by autoconf.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
got link error liblxc.so: undefined reference to `clock_gettime'
clock_gettime is used by lxclock.c and is in librt, or bionic libc.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
We've been shipping those two hooks for a while in Ubuntu.
Yesterday I reworked them to use the new environment variables and
avoid hardcoding any path that we have available as a variable.
I tested both to work on Ubuntu 13.04 but they should work just as well
on any distro shipping with the cgroup hierarchy in /sys/fs/cgroup and
with ecryptfs available.
Those are intended as example and distros are free to drop them, they
should however be working without any change required, at least on Ubuntu.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Use AC_SEARCH_LIBS to detect what library provides sem_*.
This allows us to stop hardcoding the ld arguments in the various MakeFiles.
Suggested-by: Natanael Copa <ncopa@alpinelinux.org>
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Replace deprecated AM_CONFIG_HEADER with AC_CONFIG_HEADERS.
This is needed for automake-1.13.
Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Also fix some tabs-as-spaces in lxc_unshare.c itself.
lxc-unshare: run usage() on '-h'
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
And doing so pointed out a bug in lxc-clone itself - it claims
default fssize is 2G. It's not.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
As discussed earlier this week, lxc-setcap and lxc-setuid have been
in pretty bad shape lately. Most if not all distros recommend against
using them or don't ship them at all.
With the ongoing work to get user namespaces working in upstream LXC,
we think it's best to drop those two now as we prepare to land proper
setuid helpers to deal with user namespaces.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Here is a patch to introduce a configurable system-wide
lxcpath. It seems to work with lxc-create, lxc-start,
and basic python3 lxc usage through the api.
For shell functions, a new /usr/share/lxc/lxc.functions is
introduced which sets some of the basic global variables,
including evaluating the right place for lxc_path.
I have not converted any of the other python code, as I was
not sure where we should keep the common functions (i.e.
for now just default_lxc_path()).
configure.ac: add an option for setting the global config file name.
utils: add a default_lxc_path() function
Use default_lxc_path in .c files
define get_lxc_path() and set_lxc_path() in C api
use get_lxc_path() in lua api
create sh helper for getting default path from config file
fix up scripts to use lxc.functions
Changelog:
feb6:
fix lxc_path in lxc.functions
utils.c: as Dwight pointed out, don't close a NULL fin.
utils.c: fix the parsing of lxcpath line
lxc-start: print which rcfile we are using
commands.c: As Dwight alluded to, the sockname handling was just
ridiculous. Clean that up.
use Dwight's recommendation for lxc.functions path: $datadir/lxc
make lxccontainer->get_config_path() return const char *
Per Dwight's suggestion, much nicer than returning strdup.
feb6 (v2):
lxccontainer: set c->config_path before using it.
convert legacy lxc-ls
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This will soon be followed by the introduction of a "real" system wide
/etc/lxc/lxc.conf storing global LXC settings.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
The lua binding is based closely on the python binding. Also included are
a test program for excercising the binding, and an lxc-top utility for
showing statistics on running containers.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Until now, if a lxc-* (i.e. lxc-start) command did not specify a logfile
(with -o logfile), the default was effectively 'none'. With this patch,
the default becomes a per-container log file.
If a container config file specifies 'lxc.logfile', that will override
the default. If a '-o logfile' argument is specifed at lxc-start,
then that will override both the default and the configuration file
entry. Finally, '-o none' can be used to avoid having a logfile at
all (in other words, the previous default), and that will override
a lxc.logfile entry in the container configuration file.
If the user does not have rights to open the default, then 'none' will
be used. However, in that case an error will show up on console. (We
can work on removing that if it annoys people, but I think it is
helpful, at least while we're still ironing this set out) If the user
or container configuration file specified a logfile, and the user does
not have rights to open the default, then the action will fail.
One slight "mis-behavior" which I have not fixed (and may not fix) is
that if a lxc.logfile is specified, the default logfile will still
get created before we read the configuration file to find out there
is a lxc.logfile entry.
changelog: Jan 24:
add --enable-configpath-log configure option
When we log to /var/lib/lxc/$container/$container.log, several things
need to be done differently than when we log into /var/log/lxc (for
instance). So give it a configure option so we know what to do
When the user specifies a logfile, we bail if we can't open it. But
when opening the default logfile, the user may not have rights to
open it, so in that case ignore it and continue as if using 'none'.
When using /var/lib/lxc/$c/$c.log, we use $LOGPATH/$name/$name.log.
Otherwise, we use $LOGPATH/$name.log.
When using /var/lib/lxc/$c/$c.log, don't try to create the log path
/var/lib/lxc/$c. It can only not exist if the container doesn't
exist. We don't want to create the directory in that case. When
using /var/log/lxc, then we do want to create the path if it does
not exist.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
The logfile changes broke lxc-info and possibly more command line
tools. Revert for now until we get those issues addressed.
This reverts commit 74476cf144.
[ Thanks to Stéphane and Dwight for the feedback on the previous patch ]
Until now, if a lxc-* (i.e. lxc-start) command did not specify a logfile
(with -o logfile), the default was effectively 'none'. With this patch,
the default becomes $LOGPATH/<container>/<container>.log. LOGPATH is
specified at configure time with '--with-log-path='. If unspecified, it
is $LXCPATH, so that logs for container r2 will show up at
/var/lib/lxc/r2/r2/log. LOGPATH must exist, while lxc will make sure to
create $LOGPATH/<name>. As another example, Ubuntu will likely specify
--with-log-path=/var/log/lxc (and place /var/log/lxc into
debian/lxc.dirs), placing r2's logs in /var/log/lxc/r2/r2.log.
If a container config file specifies 'lxc.logfile', that will override
the default. If a '-o logfile' argument is specifed at lxc-start,
then that will override both the default and the configuration file
entry. Finally, '-o none' can be used to avoid having a logfile at
all (in other words, the previous default), and that will override
a lxc.logfile entry in the container configuration file.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
The previous implementation of the openpty check was always returning
'no' as openpty is typically defined in util.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
The Python.h header varies in location by distribution, so instead use
pkg-config to ensure the python3 devel package is installed. Tested with
Ubuntu 12.04 and Fedora 17. Fixes --enable-python on Fedora 17.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Bionic (at least) is missing some of the usual mntent functions.
This adds code defining those that we need when they're missing from the C
library.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This adds code detecting the presence of utmpx.h and in its absence, turns the
utmp related functions into no-ops.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Some libc implementation (bionic) is lacking some of the syscall functions
that are present in the glibc.
For those, detect at build time the they are missing and implement a minimal
syscall() wrapper that will essentially give the same result as the glibc
function.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Some platforms don't have personality.h in their C library, this change
adds buildtime detection for the header and turns off the personality setting
code in those cases.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
In the effort to make LXC work with non-standard Linux distros, this change
allows for the user to build LXC without capability support through a new
--disable-capabilities option to configure.
This effectively will cause LXC not to link against libcap and will turn all
the _cap_ functions into no-ops.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
bionic is missing an openpty() function, so ship our own and only
build it and use it on bionic.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Some libc implementations don't have the getline function but instead
have an equivalent fgetln function.
Add code to detect both and use whatever is available.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This commit doesn't do any functional change to configure.ac but does a fair
amount of cleaning up.
It re-orders the various blocks by type (options, checks, expands, ...).
It also consistently uses tabs for indents.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This adds a new IS_BIONIC define that can be used to detect whether we are
building with eglibc or with bionic.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Switch the python scripts to using @LXCPATH@.
According to grep, this was the last occurence of a /var/*/lxc
path in the code.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Use LOCALSTATEDIR to generate the path to the cache.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Re-introduce the old lxc-ls script and manpage under a new legacy
sub-directory.
Those will be installed in place of their python equivalent when LXC
is built without --enable-python.
Any other script ported to python should be added to those lists.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This rewrite is mostly compatible with the shell version.
--active and -1 still work and behave as they used to.
This adds --running, --stopped and --frozen as state filters.
A new "fancy" view is also implemented (can be used with --fancy) and
will show containers in a column-based interface with the following fields:
- name
- state
- ipv4
- ipv6
- pid of init
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
lxc-ubuntu no longer uses any build time variables, therefore it can
now be simply copied to the target without any autoconf magic.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
docbook2x-man doesn't have the same name on Debian based systems as
on RedHat based systems, add some magic to configure.ac to detect and
substitute the proper name in Makefile.am
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Set automake's flags to -Wall -Werror as well as the general
CFLAGS to -Wall and -Werror when building using gcc.
This should catch any regression on build warnings now that we are in
a pretty clean state.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
This fixes lxc-sshd still referring to '${libdir}'.
Signed-off-by: Diego Elio Pettenò <flameeyes@flameeyes.eu>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This allows a distro to put the distro specific default network
configuration (for example bridge device, link type), or other lxc
configuration in the case that -f is not passed by the user to
lxc-create, in which case lxc-create will use the distro conf file as
the basis for the containers config.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
This is a new template to create containers based on Oracle Linux. A version
such as 5.8, 6.3, or 6.latest can be specified with -R in which case a rootfs
will be created from rpms downloaded from the Oracle public-yum repo.
Alternatively the path to an existing rootfs of Oracle 5 or 6 may be given to
the template with the -t option.
The architecture of the downloaded rpms installed in the container can be
specified with the -a template option.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
These variables are not expanded correctly in doc/lxc-create.sgml.in
and a workaround is in place to ensure ${localstatedir}, and ${datadir}
are set in the various shell scripts that use it. There is no workaround
to ensure ${datadir} is set in src/lxc/lxc-create.in, nor is
${localstatedir} set in templates/lxc-altlinux.in so I think that these
are currently broken.
Using AS_AC_EXPAND instead of AC_SUBST fixes these problems and removes
the need for the workarounds. In addition the lxc-start-ephemeral.in
script can be autoconf'ed instead of sed'ed by the makefile.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
The previous commit was missing part of the changes, leading to a non-working
version of lxc-start-ephemeral.
This commit adds the missing parts.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Add a new --enable-tests option to configure which is used to
optionally build the tests/examples. Default is off.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
This adds a basic python binding done in C and a python overlay to
extend some features and provide a user-friendlier API.
This python API only supports python 3.x and was tested with >= 3.2.
It's disabled by default in configure and can be turned on by using
--enable-python.
A basic example of the API can be found in src/python-lxc/test.py.
More documentation and examples will be added soon.
This turns liblxc into a public library implementing a container structure.
The container structure is meant to cover most LXC commands and can easily be
used to write bindings in other programming languages.
More information on the new functions can be found in src/lxc/lxccontainer.h
Test programs using the API can also be found in src/tests/
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Hi,
This patch is so far just a proof of concept. The libseccomp api will be
changing soon so it probably wouldn't be worth pulling this until it is
updated for the new API.
This patch introduces support for seccomp to lxc. Seccomp lets a program
restrict its own (and its children's) future access to system calls. It
uses a simple whitelist system call policy file. It would probably be
better to switch to something more symbolic (i.e specifying 'open' rather
than the syscall #, especially given container arch flexibility).
I just wanted to get this out there as a first step. You can also get
source for an ubuntu package based on this patch at
https://code.launchpad.net/~serge-hallyn/ubuntu/quantal/lxc/lxc-seccomp
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
lxc-start-ephemeral.in ended up in configure.ac as a result of the
cherry-pick. This new tool hasn't been pulled in yet.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
RPM doesn't like "-" in the version number and gives:
"error: line 24: Illegal char '-' in: Version: 0.8.0-rc2"
Other packages (bind-utils for example) have used . instead
of - as a seperator.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
These variables are not expanded correctly in doc/lxc-create.sgml.in
and a workaround is in place to ensure ${localstatedir}, and ${datadir}
are set in the various shell scripts that use it. There is no workaround
to ensure ${datadir} is set in src/lxc/lxc-create.in, nor is
${localstatedir} set in templates/lxc-altlinux.in so I think that these
are currently broken.
Using AS_AC_EXPAND instead of AC_SUBST fixes these problems and removes
the need for the workarounds. In addition the lxc-start-ephemeral.in
script can be autoconf'ed instead of sed'ed by the makefile.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
configure.ac used to set the template path to /usr/share/lxc/templates.
Instead use ${datadir} to make it follow ${prefix}.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
This could be done as generic 'lsm_init()' and 'lsm_load()' functions,
however that would make it impossible to compile one package supporting
more than one lsm. If we explicitly add the selinux, smack, and aa
hooks in the source, then one package can be built to support multiple
kernels.
The smack support should be pretty trivial, and probably very close
to the apparmor support.
The selinux support may require more, including labeling the passed-in
fds (consoles etc) and filesystems.
If someone on the list has the inclination and experience to add selinux
support, please let me know. Otherwise, I'll do Smack and SELinux.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
It optionally waits (an optional timeout # of seconds) for the container to
be STOPPED. If given -r, it reboots the container (and exits immediately).
I decided to add the timeout after all because it's harder to finagle into
an upstart post-stop script than a full bash script.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
__NR_setns is defined in the Linux kernel headers in linux/unistd.h.
The full Linux kernel sources are not necessary for compilation.
Signed-off-by: David Ward <david.ward@ll.mit.edu>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
This is a new template to create containers based on the ubuntu
cloud images, rather than using debootstrap.
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
## 0001-Replace-pkglib_PROGRAMS-with-pkglibexec_PROGRAMS.patch [diff]
From 95c566740bba899acc7792c11fcdb3f4d32dcfc9 Mon Sep 17 00:00:00 2001
From: Jon Nordby <jononor@gmail.com>
Date: Fri, 10 Feb 2012 11:38:35 +0100
Subject: [PATCH] Replace pkglib_PROGRAMS with pkglibexec_PROGRAMS
Without this change, autogen.sh fails with automake 1.11.3
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
This patch fixes some makefile/specfile issues when running
rpmbuild with the distributed lxc specfile:
- fixes usage of installation directories for config files,
rootfs, templates and lxc-init so that they're calculated
at make time instead of configure time. Thanks to this,
all installed items go under $RPM_BUILD_ROOT when running
rpmbuild
- introduce --disable-rpath option to configure to avoid
check-rpaths errors when building non-root.
- introduce a lxc-libs package in the default spec file
to allow concurrent installation of 32 bit and 64 bit
libraries.
v2: - fix circular reference in lxc.pc
- ship lxc.pc with lxc-devel
Signed-off-by: Greg Kurz <gkurz@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
The good news is, starting with next openSUSE release (and next SLES 11
Service Pack), patching /etc/init.d/boot won't be needed anymore for
LXC, we integrated detection of LXC (through container variable set to
lxc) in /etc/init.d/boot and /dev is no longer mounted automatically by
initscript.
Signed-off-by: Frederic Crozat <fcrozat@suse.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Consolidate lucid, maverick, natty, and oneiric templates into one 'ubuntu'
template.
Add support for specifying architecture.
Add support for '--trim|-x' option, which removes services like the lucid
template used to. This creates smaller, faster-booting containers, but they
will not be safe with certain upgrades, like mountall or udev. When -x is
not specified for lucid or maverick container, then install lxcguest from
the ubuntu-virt ppa, since it does not exist in the official archives, and
the container is not safe to boot without lxcguest.
Add support for '--bindhome <user>' option, which will cause /home/<user>
to be bind-mounted into the container, and create the user with his
original password, shell, and group memberships in the container.
changelog:
june 23:
lxc-ubuntu template: set lxc.arch in config
install lxcguest when NOT trimming the container
lxc-ubuntu: always install lxcguest in postprocess
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Create an lxc-clone script to clone containers. It should probably
be factored into helpers and then enhanced, in particular to convert
between LVM and non-LVM containers, create non-snapshot LVM clones,
support loopback devices, and, when stable enough, to use
overlayfs, btrfs, etc.
But this is a start.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Rename 'ubuntu' template to 'lucid'
Add new maverick and natty templates, which do much less tweaking
of the environment. These should only be used on a kernel which
supports sysfs tagging for /sys/class/net, as udev will be running
in the container.
The natty template needed to slightly change the installed packages
for dhclient to be correclty installed.
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Some file systems do not support the file posix capabilities.
The following script set the setuid bit root on the different
cli.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
At present the lxc-{template} scripts are installed in the $bindir.
This is not the right place as specified by the FHS, so they go to
$libdir/lxc/templates.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Ubuntu [lucid] template script.
Allows to create an ubuntu container with the template options.
Signed-off-by: Willem Meier <wilhelm.meier@fh-kl.de>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
As specified by FHS:
/usr/lib includes object files, libraries, and internal binaries that
are not intended to be executed directly by users or shell scripts.
Applications may use a single subdirectory under /usr/lib. If an
application uses a subdirectory, all architecture-dependent data
exclusively used by the application must be placed within that
subdirectory.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Previous path was $libdir/lxc, changed to $libdir/lxc/rootfs.
Added a README file to be placed in this directory, describing
the purpose of this empty directory. Having a file to be installed
in this directory makes the Makefile to automatically create the
directory at install time.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
capabilities are reseted just after the filesystem is mounted.
lxc_setup_fs() is moved up, before the process is forked.
Signed-off-by: Cedric Le Goater <clg@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Add a configure option to set a mount point path when using a rootfs,
that will replace the actual behavior which creates uneeded /tmp/lxc**
directories.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
lxc-kill send a signal to the process 1 of the container.
If this command is used on an application container ran by
lxc-execute, the lxc-init will receive the signal and will forward it to
the process 2 which is the command specified in the command line.
Signed-off-by: Greg Kurz <gkurz@fr.ibm.com>
Signed-off-by: Michel Normand <normand@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Rename doc/examples/lxc-complex-config.in to lxc-complex.conf.in as all other
examples in this directory have a .conf ending as well.
Signed-off-by: Michael Holzt <lxc@my.fqdn.org>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
The future kernel 2.6.33 will incorporate the macvlan bridge
mode where all the macvlan will be able to communicate if they are
using the same physical interface. This is an interesting feature
to have containers to communicate together. If we are outside of the
container, we have to setup a macvlan on the same physical interface than
the containers and use it to communicate with them.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
This adds ability to migrate vlan interfaces into namespaces
by specifying them in a config
Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
Acked-by: Daniel Lezcano <daniel.lezcano@free.fr>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Update the man pages regarding the modifications around the
configuration option, volatile containers and new configuration
file format.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Maybe it will be more logical to keep configs into /etc/lxc/?
Or, maybe, just use --with-config-path=/some/path switch into configure,
which could be overridden as user wants to? Something like this one (in
assumption, that this is up to user to create corresponding directory):
Signed-off-by: Andrian Nord <NightNord@gmail.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Patch moves etc/* contents into doc/examples/ and adds
--disable-examples configure switch which may be used not to install
examples. Default is to install them into ${docdir}/examples (commonly:
/usr/share/doc/lxc/examples)
Signed-off-by: Andrian Nord <NightNord@gmail.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
The simplification of the container configuration makes
pointless to have so much complexity in the container creation.
Let's remove that and replace by some scripts.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
I changed the code to have lxc version to reflect the
string set in AC_INIT of configure.ac
rather than to report only the 3 first digits
update: use PACKAGE_VERSION in place of VERSION
Signed-off-by: Michel Normand <normand@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Andrian Nord <NightNord@gmail.com>:
>> > > As documentation requires docbook2man to be installed, which is not,
>> > > otherwise, required for proper LXC work or compilation process, it
>> > > might be usefull to be able to switch it off.
Michel Normand <normand@fr.ibm.com>:
> > For me, it is Ok to add a --enable/disable/-doc,
> > but not make configure to fail if no option specified
> > and no docbook2man package.
> >
> > For me it should be optionnal.
> > I like the current behaviour where configure is running without option
> > and is enabling/disabling by itself the doc building.
> > Could you send a new patch with this idea ?
Andrian Nord <NightNord@gmail.com>:
Of course. You mean, that you what default behaviour to remain
auto-detection? That is:
--enable-doc: require docbook2man or fail, generate mans
--enable-doc=auto, or not specified (default): check for docbook2man,
generate mans if found, silently ignore if not found (I suppose
diagnostic message is redundant, as information already contains into
./configure --help)
--disable-doc: never check for docbook2man and don't gen mans
Here comes a patch what do this, as far as I see
(I'm sorry for violating post-rules in previous mail, now I'll do all
right, I hope. Should I attach patch anyway, as it might be usefull
for applying?)
Signed-off-by: Andrian Nord <NightNord@gmail.com>
Acked-by: Michel Normand <normand@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
This is useless in a Linux only environment. The .so version is
the version of the package.
Signed-off-by: Cedric Le Goater <clg@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Instead of passing the LXCPATH definition in the compiler
command line, use configure.ac to define the value in the config.h
file and include this file where it is needed.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
These tests are not relevant now. It would be better to write
some real test cases with some script using the lxc cli in order
to check non regression.
I remove these annoying tests I have to port each time a function
prototype is changed.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
With some versions of the compiler/headers linux/netlink.h won't compile
if sys/socket.h is defined before it.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Signed-off-by: Guido Trotter <ultrotter@quaqua.net>
Ship the manpages in the source tarball made by 'make dist', and clean
them up only during the 'make maintainer-clean' step. This allows
distributions not to depend on docbook at lxc build time, because the
manpages are already there.
Also update the configure warning message to sound less scary.
Signed-off-by: Guido Trotter <ultrotter@quaqua.net>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
This was a leftover from the already-removed
network-destruction-on-container shutdown code.
Signed-off-by: Guido Trotter <ultrotter@quaqua.net>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
"netlink headers not found" implicitely means we have to install the
kernel headers. Make this explicit.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Probably a mention to libcap-2 is worth keeping, though it might be
clearer to point to setcap binary directly.
Signed-off-by: Filippo Giunchedi <filippo@esaurito.net>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Rationale: some distributions don't include /sbin in PATH for regular
users, thus setcap might not be found during configure
Signed-off-by: Filippo Giunchedi <filippo@esaurito.net>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
The capability.h header is broken on fedora 11.
The workaround is to include <sys/types.h> before <sys/capability.h>.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Rename lxc-config to lxc-version in order to avoid the confusion
with what looks like a container configuration tool.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
As we have the correct informations with pkg-config we can
write a script which will collect the informations and we get
rid of the C program.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
the common options of lxc commands
are now described in one file "common_options.sgml.in"
Signed-off-by: Michel Normand <normand@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
the common references to lxc man pages
are now placed in one file "see_also.sgml.in"
Note that the few man pages that refer to man
pages that are not lxc ones have two "See Also" paragraph.
Signed-off-by: Michel Normand <normand@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
When no tty number is specified in the command line,
let the tty service to provide choose one available
tty and provide this one.
The documentation is updated wrt this modification and
I did a little fix to generate the date of the documentation.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
