We can let attach detect that it is running on a cgroup layout without
writable cgroup hierarchies. In that case attach can finish early and
doesn't need to run the heavy-handed cgroup parsing code.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
In order to facilitate this, the default mount list's
'destination' may now be NULL to mean that the source should
be unmounted instead.
Here's what we need to do:
1) Ensure the first sysfs mount point is writable.
2) Mount a read-only sysfs on /sys
3) Bind devices/virtual/net *writably* into /sys
We use /proc/sys as a staging directory for the first sysfs
mount in read-write mode, then mount /sys r/o. Afterwards we
bind the r/w devices/virtual/net and unmount the staging
/proc/sys mount point.
The staging directory would not be required with the new
mount API, but this way we can support the old API and keep
the general workflow in the `default_mounts`.
Once we drop support for the old mount API, the
default_mounts table could just get a subdirectory field to
mount subdirectories directly.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
This reverts commit 2fde07c399.
We need to investigate this in more detail but this commit is breaking
LXD, causing startup to fail with:
lxc foo 20211130202833.906 INFO conf - conf.c:run_script_argv:336 - Executing script "/bin/mount -t shiftfs -o passthrough=3 "/lxc-ci/build/tmp.WemmpzWGYz/go/src/github.com/lxc/lxd/test/tmp.Cli/0To/containers/foo/rootfs" "/lxc-ci/build/tmp.WemmpzWGYz/go/src/github.com/lxc/lxd/test/tmp.Cli/0To/containers/foo/rootfs"" for container "foo"
lxc foo 20211130202833.912 ERROR conf - conf.c:run_buffer:321 - Script exited with status 32
lxc foo 20211130202833.912 ERROR conf - conf.c:lxc_setup_rootfs_prepare_root:3947 - Failed to run pre-mount hooks
lxc foo 20211130202833.912 ERROR conf - conf.c:lxc_setup:4317 - Failed to setup rootfs
lxc foo 20211130202833.912 ERROR start - start.c:do_start:1275 - Failed to setup container "foo"
Not entirely sure why we're seeing things blow up as the directory
definitely exists (and contains a valid rootfs) but this was caused by
today's liblxc update.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
If we're saving the config file to somewhere that's *not* the container
dir, we don't need to create the container dir. Let's not do this and
thus not require its parent to exist, which can be confusing, especially in
light of the sparse logging through these functions.
Signed-off-by: Tycho Andersen <tycho@tycho.pizza>
I get:
In file included from cgroups/cgfsng.c:42:
In function 'cpuset1_cpus_initialize',
inlined from 'cpuset1_initialize' at cgroups/cgfsng.c:658:7,
inlined from '__cgroup_tree_create.constprop' at cgroups/cgfsng.c:723:26:
./log.h:376:9: error: '%s' directive argument is null [-Werror=format-overflow=]
376 | LXC_ERROR(&locinfo, format, ##__VA_ARGS__); \
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./log.h:457:17: note: in expansion of macro 'ERROR'
457 | ERROR("%s - " format, ptr, ##__VA_ARGS__); \
| ^~~~~
./log.h:491:17: note: in expansion of macro 'SYSERROR'
491 | SYSERROR(format, ##__VA_ARGS__); \
| ^~~~~~~~
cgroups/cgfsng.c:585:24: note: in expansion of macro 'log_error_errno'
585 | return log_error_errno(false, errno, "Failed to read file \"%s\"", fpath);
| ^~~~~~~~~~~~~~~
it turns out here that fpath is not used, so let's get rid of it and just
render the dfd+pathname directly.
Signed-off-by: Tycho Andersen <tycho@tycho.pizza>
This reverts commit d65e5e492f.
With vfork the child process modifies the parent's memory,
so the calls to `signal`, `fprintf` and regular `exit` may
be dangerous and might cause conflicting states in the
parent.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
When installing LXC with the default options, a single non-symlink liblxc.so*
(e.g. liblxc.so.1.7.0) file is created:
```
$ ./autogen.sh && ./configure && make && \
rm -rf "$HOME/lxci" && make DESTDIR="$HOME/lxci" install && \
stat -c%N "$HOME/lxci/usr/local/lib/liblxc.so"*
[...]
'/home/someone/lxci/usr/local/lib/liblxc.so' -> 'liblxc.so.1'
'/home/someone/lxci/usr/local/lib/liblxc.so.1' -> 'liblxc.so.1.7.0'
'/home/someone/lxci/usr/local/lib/liblxc.so.1.7.0'
```
However, when automake>=1.16.5, and the `--enable-pam` option is used, two
non-symlink liblxc.so* (e.g. liblxc.so.1.0.0 and liblxc.so.1.7.0) are
erroneously created:
```
$ ./autogen.sh && ./configure --enable-pam && make && \
rm -rf "$HOME/lxci" && make DESTDIR="$HOME/lxci" install && \
stat -c%N "$HOME/lxci/usr/local/lib/liblxc.so"*
[...]
'/home/someone/lxci/usr/local/lib/liblxc.so' -> 'liblxc.so.1.0.0'
'/home/someone/lxci/usr/local/lib/liblxc.so.1' -> 'liblxc.so.1.0.0'
'/home/someone/lxci/usr/local/lib/liblxc.so.1.0.0'
'/home/someone/lxci/usr/local/lib/liblxc.so.1.7.0'
```
This is due to infighting between libtool's and LXC's versioning:
libtool creates liblxc.so.1.0.0, then LXC's `install-exec-local` hook in
`Makefile.am` moves it to liblxc.so.1.7.0. However, with `--enable-pam`, the
`install-libLTLIBRARIES` target is re-triggered after `install-pamLTLIBRARIES`,
which will create liblxc.so.1.0.0 again.
The bigger problem here is that the install for the pam_cgfs library is done on
the `data` phase of the automake install process instead of the `exec` phase
(https://www.gnu.org/software/automake/manual/html_node/The-Two-Parts-of-Install.html),
which gives `install-libLTLIBRARIES` a chance to run again after the
`install-exec-local` / `install-exec-hook` targets have already run.
To fix this, we add an "exec_" prefix to the pam_cgfs library to make it run
during the `exec` phase (see link above). We also consolidate the various hooks
in the `install-exec-hook` target, which runs after the whole install, avoiding
needing to manually specify the dependencies like in `install-exec-local`.
Signed-off-by: Joan Bruguera <joanbrugueram@gmail.com>
When porting to the new list type we added an accidental ! when checking
whether the list is empty.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
See https://github.com/koalaman/shellcheck/wiki/SC2006 for details.
Not only uses this the recommended construct, it also makes the code
more uniform as in many other places the $() construct was already used.
Signed-off-by: Diederik de Haas <didi.debian@cknow.org>
