- move action() from common to sysvinit wrapper since its only really
applicable for sysvinit and not the other init systems
- fix bug in action() fallback, need to shift away msg before executing action
- make lxc-net 98 so it starts before lxc-container (99), otherwise the lxcbr0
won't be available when containers are autostarted
- make the default RUNTIME_PATH be /var/run instead of /run. On older
distros (like ol6.5) /run doesn't exist. lxc-net will create this directory
and attempt to create the dnsmasq.pid file in it, but this will fail when
SELinux is enabled because the directory will have the default_t type.
Newer systems have /var/run symlinked to /run so you get to the same place
in that case.
- add %postun to remove lxc-dnsmasq user when pkgs are removed
- fix bug in lxc-oracle template that was creating /var/lock/subsys/lxc as
a dir and interfering with the init scripts
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
- Mounting cgroup:mixed prevents systemd inside the container from
moving its children out of the cgroups lxc setup. This ensure the
limits setup in the configuration or with lxc-cgroup are effective.
- Update for the OL7 channel name that will be used on
public-yum.oracle.com.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This is a fix to commit 5f2ea8cfcb.
Sorry, not sure how I missed this in testing the original patch.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Don't spawn a getty on /dev/console when running under libvirt-lxc
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
- Some scriptlets expect fstab to exist so create it before doing the
yum install
- Set the rootfs selinux label same as the hosts or else the PREIN script
from initscripts will fail when running groupadd utmp, which prevents
creation of OL4.x containers on hosts > OL6.x.
- Move creation of devices into a separate function
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
This makes it so that the host doesn't need to have an old, compat
version of db43_load installed by using the db_load from the just
installed container. Some newer distributions do not even have an old
enough compat-db4 package available.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
With this change, you can install a container from a mounted .iso, or any
yum repo with the necessary packages. Unlike the --url option, the repo
does not need to be a mirror of public-yum, but the arch and release must
be specified. For example to install OL6.5 from an .iso image:
mount -o loop OracleLinux-R6-U5-Server-x86_64-dvd.iso /mnt
lxc-create -n OL6.5 -t oracle -- --baseurl=file:///mnt -a x86_64 -R 6.5
The template will create two yum .repo files within the container such that
additional packages can be installed from local media, or the container can
be updated from public-yum, whichever is available. Local media must be bind
mounted from the host onto the containers' /mnt for the former .repo to work:
mount --bind /mnt $LXCPATH/OL6.5/rootfs/mnt
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
oracle-template: Split patching rootfs vs one time setup into separate
shell functions so the template can be run with --patch.
oracle-template: Update to install the yum plugin and itself (as lxc-patch)
into a container. The plugin just runs lxc-patch --patch <path> so it is
fairly generic, but in this case it is running a copy of the template inside
the container.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
For all templates except lxc-ubuntu-cloud and lxc-download, detect not
only --mapped-uid but also --mapped-gid and error out. Detecting will
not be done after -- parameter because of non-option parameters.
Also, change the mode of lxc-archlinux.in 100755 to 100644.
Signed-off-by: TAMUKI Shoichi <tamuki@linet.gr.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Only the download and ubuntu-cloud templates work with unprivileged
containers, for all others, detect --mapped-uid and error out as early
as possible, recommending the use of the download template.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Without enabling INCLUDE_SUSv2 in busybox, we need to use head's -n argument,
rather than -#.
Signed-off-by: Christopher Larson <kergoth@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
- [[ ]] -> [ ]
- == -> =
- source -> .
- redirect of fd 200 is error in mksh, use fd 9
- &> /dev/null -> > /dev/null 2>&1
- useless function keyword
- echo -e -> printf
still left bash shebang which did not validate with checkbashism, mostly
due 'type' being reported as bashism
Signed-Off-By: Elan Ruusamäe <glen@delfi.ee>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This allows the boot messages to be seen which are useful for monitoring
container startup.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
This is needed when using the user namespace since the kernel check does
not allow user_ns root to successfully call vhangup(2), and mingetty will
quit in this case.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Note that since we don't drop CAP_SYS_ADMIN, root in the container can
remount proc or sys however they want to, however this at least improves
the default situation.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Currently, a maximum of one LSM within LXC will be initialized and
used. If in the future stacked LSMs become a reality, we can support it
without changing the configuration syntax and add support for more than
a single LSM at a time to the lsm code.
Generic LXC code should note that lsm_process_label_set() will take
effect "now" for AppArmor, and upon exec() for SELinux.
- fix Oracle template mounting of proc and sysfs, needed when using SELinux
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
1. implement bdev->create:
python and lua: send NULL for bdevtype and bdevspecs.
They'll want to be updated to pass those in in a way that makes
sense, but I can't think about that right now.
2. templates: pass --rootfs
If the container is backed by a device which must be mounted (i.e.
lvm) then pass the actual rootfs mount destination to the
templates.
Note that the lxc.rootfs can be a mounted block device. The template
should actually be installing the rootfs under the path where the
lxc.rootfs is *mounted*.
Still, some people like to run templates by hand and assume purely
directory backed containers, so continue to support that use case
(i.e. if no --rootfs is listed).
Make sure the templates don't re-write lxc.rootfs if it is
already in the config. (Most were already checking for that)
3. Replace lxc-create script with lxc_create.c program.
Changelog:
May 24: when creating a container, create $lxcpath/$name/partial,
and flock it. When done, close that file and unlink it. In
lxc_container_new() and lxcapi_start(), check for this file. If
it is locked, create is ongoing. If it exists but is not locked,
create() was killed - remove the container.
May 24: dont disk-lock during lxcapi_create. The partial lock
is sufficient.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
sem_open(3) checks that /dev/shm is SHMFS_SUPER_MAGIC. Normally /dev/shm
is mounted in the initramfs created by dracut, but that won't be run for
a container so make sure that rc.sysinit mounts /dev/shm.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
According to "arch"'s manpage, it's identical to "uname -m".
Some distros ship uname but don't ship arch, however all distros ship uname,
therefore it makes sense to use "uname -m" whenever possible.
Signed-off-by: Christian Bühler <christian@cbuehler.de>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Fix lxc-create to not word split template arguments. This makes
lxc-create -n ol -t oracle -- -r "at cronie wget" work since the argument
to -r will be passed as one arg instead of three.
Fix oracle template -u option to shift the correct amount.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This fixes some issues found by Oracle QA, including several cosmetic
errors seen during container bootup.
The rpm database needs moving on Debian hosts similar to on Ubuntu.
I took Serge's suggestions: Do the yum install in an unshared
mount namespace so the /proc mount done during OL4 install doesn't
pollute the host. No need to blacklist ipv6 modules.
Make the default release 6.3, unless the host is OL, then default
to the same version as the host (same as Ubuntu template does).
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
rpm on ubuntu puts the rpm db under $HOME, which wont be /root if
sudo is used
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
A quick scan through the code showed that lxc-oracle.in is the only
file in the branch containing trailing whitespaces, this clears them.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
OL6 uses upstart init and needs a handler for the SIGPWR that
lxc-shutdown sends it so that a container can shut down cleanly.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Also: disable the interactive part of ovmd so ol5,6 containers won't
hang if started for the first time with -d. Don't let containers do rawio,
or have access to /dev/rtc0, they can mess up the hosts system clock among
other things.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Move to per-template lock (except for oracle that's per-container).
Also ensure that the path used for the lock is relative to LOCALSTATEDIR.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This commit updates all scripts using mixed indent to a consistent
4 spaces indent.
In the past quite a few of those scripts used tabs to instead of 8 spaces or
instead of 4 spaces, sometimes mixing those in the same line and sometimes
changing the tab width within the same file.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This updates all the templates and the configuration files to consistently
use "key = value" everywhere.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Let oracle template work when host is fedora or oracle and the lsb_release
command is not present. Verify the arch given is valid. Don't add lxc.network
section again if already present.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
