Bind-mounts aren't harmful in containers, so long as they're not used to
bypass MAC policies.
This change allows bind-mounting of any path which isn't a dangerous
filesystem that's otherwise blocked by apparmor.
This also allows switching paths {r}shared or {r}private.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
If you specify an interpreter path with "-I" or "--interpreter-path",
the architecture of the debian container can differ from the one of
the host.
Before creating the container, binfmt must be configured on the host:
the script checks the name of the interpreter in /proc/sys/fs/binfmt_misc/
to know where to install it in the container.
To create a MIPS container on an x86_64 host:
    $ cat /proc/sys/fs/binfmt_misc/qemu-mips
    enabled
    interpreter //qemu-mips
    flags: OC
    offset 0
    magic 7f454c4601020100000000000000000000020008
    mask ffffffffffffff00fffffffffffffffffffeffff
    $ sudo lxc-create -n virtmips-stretch -t debian -- \
        --arch=mips \
        --interpreter-path=./mips-linux-user/qemu-mips \
        --mirror=http://ftp.debian.org/debian \
        --release=stretch
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
There is a container-getty.service with OL7.2 systemd; it
is also used for managing the getty service. Use that
instead of manually creating it.
Signed-off-by: Thomas Tanaka <thomas.tanaka@oracle.com>
When LXC is configured with --enable-rpath, I expect Python bindings
to be able to find the library in a non-standard location, just like
LXC command-line tools.
Signed-off-by: Aleksandr Mezin <mezin.alexander@gmail.com>
In many environments the preference is to configure containers with
apt mirrors that are SSL-secured.
When building containers using the download template this can't be
done unless an insecure mirror is first used to install the
apt-transport-https package, then the sources reconfigured to
use the https URL.
When building containers without using the download template this
can't be done unless the container creator specifically includes
this package in the package list at build time. It seems more
intuitive to me to have the package installed by default.
Commit 396f75abb3 added the package
to the minbase variant, but this variant is not used by the download
template build process. The build process instead specifies no
variant, so this patch moves the package from the packages_template
package list in the minbase variant to the global packages_template
package list, ensuring that this package is included in all Ubuntu
build images that use the lxc-ubuntu template.
Signed-off-by: Jesse Pretorius <jesse.pretorius@rackspace.co.uk>
lxc-start started to default to daemonizing the container when starting.
This conflicts with type=simple of the systemd unit.
Call lxc-start with -F and thus force execution in the foreground;
that way we can feed the log to journald properly and keep type=simple.
Debian-Bug: https://bugs.debian.org/826100
Signed-off-by: Evgeni Golov <evgeni@golov.de>
This implies '--single-version-externally-managed', which we
actually want for autotools builds.
Fixes current problems with jenkins test suite.
Signed-off-by: Aleksandr Mezin <mezin.alexander@gmail.com>
setuptools is recommended by the Python Packaging Guide:
https://python-packaging-user-guide.readthedocs.io/en/latest/current/
It contains some useful extensions like the 'develop' command. Also, it
is required for building wheels AFAIK.
The only downside is an extra build-time dependency. setuptools is
packaged in both Debian and Ubuntu (python3-setuptools), as well as
other major distros, so it shouldn't be an issue, I think.
Signed-off-by: Aleksandr Mezin <mezin.alexander@gmail.com>
A distribution name starting with an underscore is considered invalid by
many tools. For example, you can't list such a name in
install_requires in your setup.py.
Signed-off-by: Aleksandr Mezin <mezin.alexander@gmail.com>
It looks like VPATH (split source and build directories) builds
are frequently broken. So let's test them on travis-ci.
Personally I use VPATH build in my deployment scripts.
Signed-off-by: Aleksandr Mezin <mezin.alexander@gmail.com>
struct in6_addr is defined in both the C library header <netinet/in.h>
and the Linux kernel header <linux/in6.h>.
lxc_user_nic.c includes both <netinet/in.h> and <linux/if_bridge.h>. The
latter one includes <linux/in6.h>.
This breaks the build with the musl libc:
error: redefinition of ‘struct in6_addr’
As lxc_user_nic.c does not use any references from <linux/if_bridge.h> it
is safe to remove this header.
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
In many environments the preference is to configure containers with
apt mirrors that are SSL-secured.
When building containers using the download template this can't be
done unless an insecure mirror is first used to install the
apt-transport-https package, then the sources reconfigured to
use the https URL.
When building containers without using the download template this
can't be done unless the container creator specifically includes
this package in the package list at build time.
It seems more intuitive to me to have the package installed by
default. This patch includes the required package for the minbase
variant only as this is the default.
Signed-off-by: Jesse Pretorius <jesse.pretorius@rackspace.co.uk>
The idea here is that criu can use open_by_handle on a configuration which
will preserve inodes on moves across hosts, but shouldn't do that on
configurations which won't preserve inodes. Before, we forced it to always
be slow, but we don't have to do this.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
If we don't do this, we'll end up changing the function signatures for the
internal __criu_* functions each time we add a new parameter, which will
get very annoying very quickly. Since we already have the user's arguments
struct, let's just pass that all the way down.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
When writing out the CRIU exec command, we're bumping up against the buffer
size limit. Let's increase it so we can avoid:
lxc 20160509213229.921 WARN lxc_log - log.c:log_append_logfile:111 - truncated next event from 523 to 512 bytes
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
If the value starts and ends with matching quote characters, those
characters are stripped automatically. Quote characters are the
single quote (') or double quote ("). The quote removal is done after
the whitespace trimming.
This is needed particularly in order that lxc.environment values may
have trailing spaces. However, the quote removal is done for all values
in the parse_line function, as it has non-const access to the value.
Signed-off-by: Stewart Brodie <stewart@metahusky.net>
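
The trim-then-unquote order described in the commit message above, as an added C example that is not LXC's parse_line code. The helper name trim_and_unquote and the sample values are assumptions constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not LXC's parse_line: trims surrounding whitespace
 * from value in place, then strips one pair of matching quotes.
 * Returns a pointer into the caller's buffer. */
static char *trim_and_unquote(char *value)
{
	size_t len;

	/* Step 1: skip leading whitespace. */
	while (isspace((unsigned char)*value))
		value++;

	/* Step 2: cut trailing whitespace. */
	len = strlen(value);
	while (len > 0 && isspace((unsigned char)value[len - 1]))
		value[--len] = '\0';

	/* Step 3: strip quotes only when both ends carry the same quote
	 * character. len >= 2 keeps a lone quote from matching itself.
	 * Whitespace inside the quotes survives because trimming ran first. */
	if (len >= 2 && (value[0] == '\'' || value[0] == '"') &&
	    value[len - 1] == value[0]) {
		value[len - 1] = '\0';
		value++;
	}
	return value;
}

int main(void)
{
	/* Constructed sample values, as they might follow "key =" in a config. */
	char samples[][32] = {
		"  \"PS1=$ \"  ",  /* quoted, trailing space kept   */
		"'a b'",           /* single quotes                 */
		"\"mismatch'",     /* different quotes: left as-is  */
		"\"",              /* lone quote: left as-is        */
		"plain  ",         /* unquoted: only trimmed        */
	};

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("[%s]\n", trim_and_unquote(samples[i]));
	return 0;
}
```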