Some devices like LVM or cryptsetup entries have no stable major/minor, changing between host reboots.
In this case, hardcoded numbers are not usable in config file and there is currently no way to use hook with lxc-device to do the link at guest startup :
* `pre-start`/`autodev` hook runs in host context but has the guest in stopped state and so lxc-device not usable
* `start` hook is in running state but runs in guest context and so lxc-device not available
This patch converts fullpath in lxc.devices.allow to current major/minor numbers to address those changing numbers.
Signed-off-by: aeris <aeris@imirhil.fr>
When the running kernel supports cgroup namespaces and users want to manually
set up cgroups via lxc.hook.mount before the init binary starts the cgroup
namespace needs to be already unshared. Otherwise the view on the cgroup mounts
is wrong. This commit places the call to lxc_setup() after the
LXC_SYNC_POST_CGROUP barrier.
Before this commit, the tty fds we allocate from a fresh devpts instance in the
container's namespaces before the init binary starts were referring to the
host's cgroup namespace since lxc_setup() was called before
unshare(CLONE_NEWCGROUP). Although not a security risk at this point since
setns() restricts its calls to /proc/<self>/ns files it's still better to do it
*after* the cgroup namespace has been unshared.
Adding a Suggested-by line for the lxc.mount.hook fix for Quentin.
Closes#1597.
Suggested-by: Quentin Dufour <quentin@dufour.tk>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
In the case the container has a console with a valid slave pty file descriptor
we duplicate std{in,out,err} to the slave file descriptor so console logging
works correctly. When the container does not have a valid slave pty file
descriptor for its console and is started daemonized we should dup to
/dev/null.
Closes#1646.
Signed-off-by: Li Feng <lifeng68@huawei.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
This adds a little more flexibility to the state server. The idea is to have a
command socket function "lxc_cmd_add_state_client()" whose only task is to add
a new state client to the container's in-memory handler. This function returns
either the state of the container if it is already in the requested state or it
will return the newly registered client's fd in one of its arguments to the
caller. We then provide a separate helper function "lxc_cmd_sock_rcv_state()"
which can be passed the returned client fd and listens on the fd for the
requested state.
This is useful when we want to first register a client, then send a signal to
the container and wait for a state. This ensure that the client fd is
registered before the signal can have any effect and can e.g. be used to catch
something like the "STOPPING" state that is very ephemeral.
Additionally we provide a convenience function "lxc_cmd_sock_get_state()" which
combines both tasks and is used in e.g. "lxc_wait()".
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
