Instead of re-defining MS_ options all over the place, just revert the
last change to bdev.h so we have all the defines in there again.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Commit 37cf711b added a destroy hook, but when it checks
at destroy time whether that hook exists, it assumes that
c->lxc_conf is good. In fact lxc_conf can be NULL, so check
for that.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
We use the right path when actually execing criu to checkpoint and restore, but
when checking versions we didn't. Let's use the right path.
Reported-by: Dietmar Maurer <dietmar@proxmox.com>
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
and don't use it if not. This fixes failure to build with older
cgmanager.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
commit 507cee3618 moved the close and re-open of fds 0-2 into
do_start. But this means that the lxc monitor itself keeps the
caller's fds 0-2 open, which is wrong for daemonized containers.
Closes#548
Reported-by: Mathieu Le Marec - Pasquet <kiorky@cryptelium.net>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
We were using 'all' controller if current was in all the
same cgroup. That doesn't suffice. We'd have to check
the target. At that point we may as well just attach
controller by controller.
An optimization to consider is to check the /proc/initpid/cgroup
for all identical controllers. Let's start by just getting it
right.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
When restoring, we didn't clean up the pidfile that criu uses to pass us the
init pid on error or success; let's do that.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Until we bump the SONAME to liblxc2, only symbol additions and struct
member additions are allowed.
Adding struct members in the middle of the struct breaks backward
compatibility.
This commit makes it clear when struct members were added and moves a
few members that were added in the middle of the 1.0 struct to the end
of it.
Note that unfortunately that means we're breaking backward compatibility
between LXC 1.1.0 and the state after this commit, given 1.1 is
reasonably new, this is the least damaging way of fixing the problem.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Current aufs supports FS_USERNS_MOUNT by using allow_userns module
parameter. It allows root in userns to mount aufs.
This patch allows an unprivileged container to use aufs. The value of
xino option is changed to /dev/shm/aufs.xino that an unpriv user can
write.
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
(I erred in the first patch, causing every lxc-attach to unmount the
container-'s /proc)
Since we now use mount_proc_if_needed() from attach, as opposed to only
from start, we cannot assume we are pid 1. So fix the check for whether
to mount a new proc.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
To set lsm labels, a namespace-local proc mount is needed.
If a container does not have a lxc.mount.auto = proc set, then
tasks in the container do not have a correct /proc mount until
init feels like doing the mount. At startup we handlie this
by mounting a temporary /proc if needed. We weren't doing this
at attach, though, so that
lxc-start -n $container
lxc-wait -t 5 -s RUNNING -n $container
lxc-attach -n $container -- uname -a
could in a racy way fail with something like
lxc-attach: lsm/apparmor.c: apparmor_process_label_set: 183 No such file or directory - failed to change apparmor profile to lxc-container-default
Thanks to Chris Townsend for finding this bug at
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1452451
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
On certain systems, some binaries needed by the container features (dropbear,
openssh), may be placed in non-standard (aka non-distribution-managed
locations), such as /usr/local/*, /opt/local/*, etc. Don't copy the respective
binaries in the container and return a clear error why.
The user should only use these binaries if they are installed at system-wide
locations on the host, such as /{s,}bin or /usr/{s,}bin.
v2:
- check that binary paths adhere to /{,usr/}{,s}bin only
Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Currently, when installing OpenSSH in a Busybox container, the template searches
for all the OpenSSH client binaries available in the Debian distro package. The
included tools might differ from distro to distro, so make part of the tools
optional. The mandatory tools, without which installing OpenSSH fails, are
"sshd" for the server and "ssh" and "scp" for the client.
Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Add the description about displaying the value of wait delays for -L
option
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
to populate the list of subsystems to use.
Cgmanager can be started with some subsystems disabled (i.e.
cgmanager -M cpuset). If lxc using cgmanager then uses the
/proc/self/cgroup output to determine which controllers to use,
it will fail when trying to do things to cpuset. Instead, ask
cgmanager which controllers to use.
This still defers (per patch 1/1) to the lxc.cgroup.use values.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Doing this requires some btrfs functions from bdev to be used in
utils.c Because utils.h is imported by lxc_init.c, I had to create
a new initutils.[ch] which are used by both lxc_init.c and utils.c
We could instead put the btrfs functions into utils.c, which would
be a shorter patch, but it really doesn't belong there. So I went
the other way figuring there may be more such cases coming up of
fns in utils.c needing code from bdev.c which can't go into lxc_init.
Currently, if we detect a btrfs subvolume we just remove it. The
st_dev on that dir is different, so we cannot detect if this is
bound in from another fs easily. If we care, we should check
whether this is a mountpoint, this patch doesn't do that.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
In setup where we want to sniff with an IDS from inside a container
we can use the 'passthru' mode of macvlan. This was not accessible
from the config and this patch fixes the issue.
Signed-off-by: Eric Leblond <eric@regit.org>
When running in posix mode (for example, because it was invoked as `sh`,
or with the --posix option), bash rejects the function names previously
used because they contain hyphens, which are not legal POSIX names, and
exits immediately.
This is a particularly serious problem on a system in which the
following three conditions hold:
1. The `sh` executable is provided by bash, e. g. via a symlink
2. Gnome Display Manager is used to launch X sessions
3. Bash completion is loaded in the (system or user) profile file
instead of in the bashrc file
In that case, GDM's Xsession script (run with `sh`, i. e., bash in posix
mode) sources the profile files, thus causing the shell to load the bash
completion files. Upon encountering the non-POSIX-compliant function
names, bash would then exit, immediately ending the X session.
Fixes#521.
Signed-off-by: Lucas Werkmeister <mail@lucaswerkmeister.de>
The lxc-debian template debootstraps a minimum debian system which does not contain dbus.
If systemd is used this will result in getty-static.service to be used instead of getty@ .
The systemd default files uses 6 tty's instead of the 4 the script creates.
This will lead to repeated error messages in the systemd journal.
Signed-off-by: Cyril Bitterich <Cyril.Bitterich@1und1.de>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
AppArmor ships /lib/apparmor/profile-load. /lib/init/apparmor-profile-load is
merely a wrapper which calls the former, so just call it directly to avoid the
dependency on the wrapper.
LP: #1432683
We need to use lxc_list_for_each_safe, otherwise de-allocation
will fail with a list size bigger than 2. The pointer to the head
of the list also need freeing after we've freed all other elements
of the list.
Signed-off-by: Kien Truong <duckientruong@gmail.com>
Add a function to sort the cgroup settings before applying.
Currently, the function will put memory.memsw.limit_in_bytes after
memory.limit_in_bytes setting so the container will start
regardless of the order specified in the input. Fix#453
Signed-off-by: Kien Truong <duckientruong@gmail.com>
