/dev/shm must be turned from a directory into a symlink to /run/shm.
The templates do this only if they find -d $rootfs/run/shm. Since /run
will be a tmpfs, checking for it in the rootfs is silly. It also is
currently broken as ubuntu cloud images have an empty /run.
(this should fix https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1353734)
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Fix btrfs support when lxc-create does not bind-mount the rootfs.
Signed-off-by: José Martínez <xosemp@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Try to create the cache rootfs as a btrfs subvolume, and use btrfs
snapshots to copy the rootfs if btrfs is selected as backing store.
Signed-off-by: José Martínez <xosemp@gmail.com>
For all templates except lxc-ubuntu-cloud and lxc-download, detect not
only --mapped-uid but also --mapped-gid and error out. Detecting will
not be done after -- parameter because of non-option parameters.
Also, change the mode of lxc-archlinux.in 100755 to 100644.
Signed-off-by: TAMUKI Shoichi <tamuki@linet.gr.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Only the download and ubuntu-cloud templates work with unprivileged
containers, for all others, detect --mapped-uid and error out as early
as possible, recommending the use of the download template.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>
This makes the ubuntu and ubuntu-cloud templates automatically aware of apt
proxy settings when the LXC host has "squid-deb-proxy-client" installed. This
makes installations *much* faster when a suitable squid-deb-proxy is
found on the network (or installed on the host).
Signed-off-by: Chris Glass <tribaal@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
- [[ ]] -> [ ]
- == -> =
- source -> .
- redirect of fd 200 is error in mksh, use fd 9
- &> /dev/null -> > /dev/null 2>&1
- useless function keyword
- echo -e -> printf
still left bash shebang which did not validate with checkbashism, mostly
due 'type' being reported as bashism
Signed-Off-By: Elan Ruusamäe <glen@delfi.ee>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This moves vim back to the default list of packages, drops the duplicate
ssh entry which means that unless extra packages are passed through
--packages, container creation won't invoke apt-get anymore.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Otherwise one cannot create two containers with different releases
(let's say saucy [cached] and raring [not caced]) if both are not
cached on the local filesystem already. The lock blocks cached
one to move forward until not cached one finishes it's downloads.
Fix that by seperating locks using release names
Signed-off-by: S.Çağlar Onur <caglar@10ur.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This introduces a new /usr/share/lxc/config directory containing common
configuration snippets.
The two Ubuntu templates are then simplified to just include the
relevant entries avoiding a whole lot of hardcoded cgroup, capabilities
and mount points configuration.
An extra comment is also added at the top of all generated configuration
files telling the user to look at lxc.conf(5) for more information.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This adds the same code to the Debian-based templates (Ubuntu and Ubuntu
Cloud) and also avoids a needless fork.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
THe recent reorg of lxc-ubuntu introduced some package installation in
post-process but without first disabling service startup.
As a result, if the cache is a bit out of date and a ssh update is
available, post-process will apply that update (as it does apt-get
install ssh vim) which in turn will attemp to start sshd. This will
either lead to ssh on the host being restarted or if there's no sshd on
the host, will fail the container creation as the postinst will get an
error from upstart.
The fix is very simply to add the same policy-rc.d trick when running
post-process.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
This adds support for "packages", "user" and "password"
Signed-off-by: Guilhem Lettron <guilhem.lettron@optiflows.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Container trimming is a bad idea in general, Ubuntu since 12.04 allows
standard systems to run in containers and we've got separate code to
deal with 10.04, so let's just drop trim.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Otherwise user-namespace containers will hang on mountall.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
The debugfs, fusectl, and securityfs may not be mounted inside a
non-init userns. But mountall hangs waiting for them to be
mounted. So just pre-mount them using $lxcpath/$name/fstab as
bind mounts, which will prevent mountall from trying to mount
them.
If the kernel doesn't provide them, then the bind mount failure
will be ignored, and mountall in the container will proceed
without the mount since it is 'optional'. But without these
bind mounts, starting a container inside a user namespace
hangs.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
The new openssh uses a different mechanism to start/stop the daemon
which in turn requires a few tweaks in our template to deal with both
the new and old ways of doing that.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
1. implement bdev->create:
python and lua: send NULL for bdevtype and bdevspecs.
They'll want to be updated to pass those in in a way that makes
sense, but I can't think about that right now.
2. templates: pass --rootfs
If the container is backed by a device which must be mounted (i.e.
lvm) then pass the actual rootfs mount destination to the
templates.
Note that the lxc.rootfs can be a mounted block device. The template
should actually be installing the rootfs under the path where the
lxc.rootfs is *mounted*.
Still, some people like to run templates by hand and assume purely
directory backed containers, so continue to support that use case
(i.e. if no --rootfs is listed).
Make sure the templates don't re-write lxc.rootfs if it is
already in the config. (Most were already checking for that)
3. Replace lxc-create script with lxc_create.c program.
Changelog:
May 24: when creating a container, create $lxcpath/$name/partial,
and flock it. When done, close that file and unlink it. In
lxc_container_new() and lxcapi_start(), check for this file. If
it is locked, create is ongoing. If it exists but is not locked,
create() was killed - remove the container.
May 24: dont disk-lock during lxcapi_create. The partial lock
is sufficient.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Don't allow write to /dev/rtc0, and remove sys_time.
Thanks, Christoph.
v2: drop sys_time, sys_module, mac_admin and mac_override in
all templates.
Reported-by: Christoph Mitasch <cmitasch@thomas-krenn.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Update the code to also match C.* so that C.UTF-8 doesn't make the
container creation fail.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Introduce a new HTTP_PROXY variable in /etc/default/lxc. If unset or
set to none, then behavior continues as before. If set to 'apt', then
any http::proxy set in apt.conf will be used as http_proxy for
debootstrap, and specified in the container's
/etc/apt/apt.conf.d/70proxy. If set to something else, then the
value of HTTP_PROXY will be used as http_proxy for debootstrap and
specified in the container's 70proxy.
Changelog: (apr 23) merge the two apt proxy detection functions.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
- Drop disabled entries from allowed devices list
- Improve generated config layout a bit
- Drop redundant uname call
- Re-generate the SSH host keys on container creation
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
According to "arch"'s manpage, it's identical to "uname -m".
Some distros ship uname but don't ship arch, however all distros ship uname,
therefore it makes sense to use "uname -m" whenever possible.
Signed-off-by: Christian Bühler <christian@cbuehler.de>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
The ubuntu template will silently fail (because it is set -e) on
the locale-gen command when LANG=C
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This updates the various checks to match the grid below:
== lxc-ubuntu support per architecture ==
amd64: amd64, i386, armel, armhf, powerpc
i386: i386, armel, armhf, powerpc
armel: armel, armhf
armhf: armhf, armel
powerpc: powerpc
== lxc-ubuntu-cloud support per architecture ==
amd64: amd64, i386
i386: i386
armel: armel, armhf
armhf: armhf, armel
Note that most of the foreign architectures on x86 are supported
through the use of qemu-user-static. This one however isn't yet
support for cloud images (I'll send a patch for 1.0).
Also, qemu-user-static is technically able to emulate amd64 on i386
but qemu-debootstrap doesn't appear to know that and fails quite miserably.
We may also want to add a test for amd64 kernel but i386 userspace, which
is a valid combination that allows running an amd64 container on an i386
host without requiring emulation, but that's for another patch.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This commit tweaks the layout of the config file for the Ubuntu templates.
With this, we now get a clear network config group, then a path related group,
then a bunch of random config options and the end of the config is apparmor,
capabilities and cgroups.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>
This is for consistency with the rest of lxc, and also because type checks for
shell builtins, a behavior that we do not want in these cases. Ensure stderr
for which is redirected to /dev/null also.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
