Travis has now corrected the bug in their build environment so we no
longer need to force the autogen script through bash.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
This allows running lxc-start-ephemeral using overlayfs. aufs remains
blocked as it hasn't been looked at and patched to work in the kernel at
this point (not sure if it ever wil).
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
The previous check for access to rootfs->path failed in the case of
overlayfs or loop backign stores. Instead just check early on for
access to lxcpath.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
If on Ubuntu, then match the host's own architecture, this should allow
for our tests to pass on the armhf CI environment.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Also make sure to chown the new rootfs path to the container owner.
This is how we make sure that the container root is allowed to write
under delta0.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This allows older distros to override /run with whatever their own path
is, mostly useful for old RedHat and possibly Android.
Reported-by: Robert Vogelgesang <vogel@users.sourceforge.net>
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Instead force a copy clone. Else if the user makes a change
to the original container, the snapshot will be affected.
The user should first create a snapshot clone, then use
and snapshot that clone while leaving the original container
untouched.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
With this patch, if an unprivileged user has $HOME 700 or
750 and does
lxc-start -n c1
he'll see an error like:
lxc_container: Permission denied - could not access /home/serge. Please grant it 'x' access, or add an ACL for t he container root.
(This addresses bug pad.lv/1277466)
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
- Change redirection of fd 200 to 9 (greater than 9 may conflict with
fd the shell uses internally)
- Replace numeric line addressing of ed to regular expression to avoid
correcting the line addressing at each modification of init scripts
- Correct the option order (trivial)
Signed-off-by: TAMUKI Shoichi <tamuki@linet.gr.jp>
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
The goal is to avoid an absolute symlink in the guest redirecting
us to the host's /dev. Thanks to the libvirt team for considering
that possibility!
We want to work on kernels which do not support setns, so we simply
chroot into the container before doing any rm/mknod. If /dev/vda5
is a symlink to /XXX, or /dev is a symlink to /etc, this is now
correctly resolved locally in the chroot.
We would have preferred to use realpath() to check that the resolved
path is not changed, but realpath across /proc/pid/root does not
work as expected.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This fixes a crash in lxc-autostart following the addition of
lxc_log_init as lxc-autostart doesn't use the name property.
Signed-off-by: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
The previous change to support http proxies only worked when http_proxy
was set... Instead add some detection code and only use :80 when using
http_proxy.
That's a bit of a workaround, but it's the only way I could find to get
GPG to work with http_proxy.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
This op will be used on older kernels where container shutdown via reboot(2)
is not implemented and we use the utmp watching code.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
- refactor cgroup into two backends, the classic cgfs driver and the new
cgmanager. Instead of lxc_handler knowing about the internals of each,
have it just store an opaque pointer to a struct that is private to
each backend.
- rename a couple of cgroup functions for consistency: those that are
considered an API (ie. exported by lxc.h) begin with lxc_ and those that
are not are just cgroup_*
- made as many backend routines static as possible, only cg*_ops_init is
exported
- made a nrtasks op which is needed by the utmp code for monitoring
container shutdown, currently only implemented for the cgfs backend
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
This is just a move without any changes so history will be preserved.
Makefile.am was modified so that lxc will still build and run.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
For all templates except lxc-ubuntu-cloud and lxc-download, detect not
only --mapped-uid but also --mapped-gid and error out. Detecting will
not be done after -- parameter because of non-option parameters.
Also, change the mode of lxc-archlinux.in 100755 to 100644.
Signed-off-by: TAMUKI Shoichi <tamuki@linet.gr.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Change the license from GPL to LGPL to avoid a tricky license situation
for liblxc.so.
Signed-off-by: Jonas Eriksson <jonas.eriksson@enea.com>
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
lxc.id_map bug when writing directly to /proc/pid/[ug]id_map
There's some code in src/lxc/conf.c that sets up the UID/GID mapping. It
can use the external newuidmap/newgidmap tools, or it can write to
/proc/pid/[ug]id_map directly. The latter case is broken: lines are written
without a newline (\n) at the end. This patch fixes that. Note that
I did not check if the newuidmap/newgidmap case still works. It should,
but I wasn't able to test it.
Signed-off-by: Miquel van Smoorenburg <mikevs@xs4all.net>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
This sets lxc_log_define to what should be appropriate values for all
existing binaries that call lxc_log_init.
The name is lxc_<bin name>_ui for anything that's user visible and
lxc_<bin name> for anything that's not.
The parent is set to "lxc" for anything using the API and to the
matching C file name for anything that isn't.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
- configure fails to compile the cgmanager test without -lnih -lnih-dbus
- fix include path from cgmanger commit f1d9bd1a
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
In current LXC, loglevel and logfile are write-once functions.
That behaviour was appropriate when those two were first introduced
(pre-API) but with current API, one would expect to be able to
set_config_item those multiple times.
So instead, introduce lxc_log_options_no_override which when called
turns those two config keys read-only and have all existing binaries
which use log_init call that function once they're done setting the
value requested by the user.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
That way templates can fix group ownership alongside uid ownership.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Only the download and ubuntu-cloud templates work with unprivileged
containers, for all others, detect --mapped-uid and error out as early
as possible, recommending the use of the download template.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>
This change introduces a flag --repo to the lxc-centos template
to allow using a local repository (e.g. a loop mounted installer
iso on your web server).
Signed-off-by: Harald Dunkel <harri@afaics.de>
Acked-by: Michael H. Warfield <mhw@WittsEnd.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
If a user in cgroup /a/b/c does 'lxc-start -n u1', then u1
should be started under /a/b/c/u1. However if he does
'sudo lxc-start -n u1', then that cgroup shoudl start under
/lxc/u1.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
With this change, shutdown() will no longer call stop() after the
timeout, instead it'll just return false and it's up to the caller to
then call stop() if appropriate.
This also updates the bindings, tests and other scripts.
lxc-stop is then updated to do proper option checking and use shutdown,
stop or reboot as appropriate.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
In order for attach to work, the container owner must be able to
write to the tasks file. Therefore we make the container's cgroup
owned by the container root group, but the container owner uid.
So for the container root to be allowed to create new cgroups, it
needs group write perms.
With this patch, an unprivileged container with an
lxc.mount.auto = cgroup entry entry can run the cgproxy and pass
all cgmanager tests.
Acls would have been another way to do this, but are not yet being
used/exported by cgmanager.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
