Commit Graph

3574 Commits

Author SHA1 Message Date
Johannes Kastl
3e892287ba lxc-opensuse: Check if given argument is a valid release
Signed-off-by: Johannes Kastl <git@ojkastl.de>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2014-11-25 14:32:14 -05:00
Johannes Kastl
0ce7569856 lxc-opensuse: Added explanation on how to use the template
Signed-off-by: Johannes Kastl <git@ojkastl.de>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-11-25 14:31:59 -05:00
Johannes Kastl
2e7a16a5a5 lxc-opensuse: template now understands release arguments
Signed-off-by: Johannes Kastl <git@ojkastl.de>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-11-25 14:31:48 -05:00
KATOH Yasufumi
3726cda21a doc: Update kernel and cgroup info in Japanese lxc(7)
Update for commit 0dcbd62

Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-11-25 14:05:14 -05:00
Silvio Fricke
b8683fefa9 lxc-create -t option is not optional
Closes: #355

Signed-off-by: Silvio Fricke <silvio.fricke@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-11-24 22:46:50 -05:00
謝致邦
6bfb727c4b Fix lxc-centos.in typo.
Signed-off-by: 謝致邦 <Yeking@Red54.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-11-24 16:41:38 -05:00
謝致邦
cd2738c457 Fix lxc-openmandriva.in typo.
Signed-off-by: 謝致邦 <Yeking@Red54.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-11-24 16:40:23 -05:00
Petar Koretic
c33bdec826 openwrt: add common configuration file
This adds OpenWrt common config file.

Signed-off-by: Petar Koretic <petar.koretic@sartura.hr>
CC: Luka Perkov <luka.perkov@sartura.hr>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-11-24 16:36:17 -05:00
Serge Hallyn
6b41056280 lxc-cirros: support creating+running unprivileged
Support creation and use of lxc-cirros by unprivileged users.

If we detect we are an unprivileged user, then insist that we
be in a userns with a id mapping.

If we are in a userns, then don't extract /dev when extracting
the rootfs.

If we are not root, then save the tarball to ~/.cache/lxc/cirros
instead of /var/cache/lxc/cirros.

If we are not root, then include entries to auto-mount proc and sys,
as well as bind-mount devices.

Cc: Scott Moser <smoser@ubuntu.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-11-24 16:32:00 -05:00
Joel Nider
a589434ecf conf.c: change 'instanciate' to 'instantiate'
This is a multipart message in MIME format.

Fixes a small (but consistent) spelling mistake in conf.c

Signed-off-by: Joel Nider <joeln@il.ibm.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-11-24 16:20:56 -05:00
Serge Hallyn
d52f2fd374 lxc_info: flush stdout before calling routines which may fork
Otherwise both resulting tasks will print what they had flushed when they
exit.

This fixes https://bugs.launchpad.net/bugs/1389244

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Tested-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-11-24 16:14:55 -05:00
Dwight Engen
4086cea56d lua: fix return value of attach() method
Add simple test case for attach() method. Add assert for return value
from create() method which also returns a boolean.

Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-11-24 16:13:58 -05:00
Stéphane Graber
0dcbd62472 Fix the lxc manpage a bit
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2014-11-24 16:10:01 -05:00
TAMUKI Shoichi
6df4f94574 lxc-plamo: mount tmpfs on /dev/shm
Do mkdir $rootfs/dev/shm and then mount tmpfs on /dev/shm.

Signed-off-by: TAMUKI Shoichi <tamuki@linet.gr.jp>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2014-11-24 16:07:08 -05:00
Antonio Terceiro
a9bf60bab5 lxc-debian: support systemd as PID 1
Containers with systemd need a somewhat special setup, which I borrowed
and adapted from lxc-fedora. These changes are required so that Debian 8
(jessie) containers work properly, and are a no-op for previous Debian
versions.

Signed-off-by: Antonio Terceiro <terceiro@debian.org>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2014-11-24 16:06:52 -05:00
hallyn
80cf8077b3 Merge pull request #358 from silvio/sfr/bugfix-freed-return-value
lxc/utils: bugfix freed pointer return value
2014-11-20 17:37:51 -06:00
Silvio Fricke
a1c9a9c978 lxc/utils: bugfix freed pointer return value
We allocate a pointer and save this address in a static variable. After
this we freed this pointer and return.

Here is a cutout of a valgrind report:

	[...]
	==11568== Invalid read of size 1
	==11568==    at 0x4C2D524: strlen (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
	==11568==    by 0x5961C9B: puts (in /usr/lib/libc-2.20.so)
	==11568==    by 0x400890: main (lxc_config.c:73)
	==11568==  Address 0x6933e21 is 1 bytes inside a block of size 32 free'd
	==11568==    at 0x4C2B200: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
	==11568==    by 0x4E654F2: lxc_global_config_value (utils.c:415)
	==11568==    by 0x4E92177: lxc_get_global_config_item (lxccontainer.c:2287)
	==11568==    by 0x400883: main (lxc_config.c:71)
	[...]

Signed-off-by: Silvio Fricke <silvio.fricke@gmail.com>
2014-11-19 18:14:27 +01:00
hallyn
40580b4624 Merge pull request #356 from silvio/sfr/utils-choose-init
lxc/utils: improve choose_init code readability
2014-11-18 09:07:45 -06:00
Dwight Engen
845cbe1e78 Merge pull request #353 from ashtoreth/master
added container:attach() into the Lua API
2014-11-17 11:48:36 -05:00
Silvio Fricke
370ec268c2 lxc/utils: improve choose_init code readability
Signed-off-by: Silvio Fricke <silvio.fricke@gmail.com>
2014-11-12 09:17:25 +01:00
ashtoreth
2f64d63144 Update core.c
fixed indent and vars
2014-11-08 16:04:32 +02:00
PiXy
ed70d07839 added container:attach() into the Lua API
2014-11-07 11:04:42 +02:00
Gu1
5d20559cff lxc-debian: Fix default mirrors
Fix a typo in the lines inserted in the default sources.list.
Change the default mirror to http.debian.net which is (supposedly) more
accurate and better than cdn.debian.net for a generic configuration.
Use security.debian.org directly for the {release}/updates repository.

Signed-off-by: Gu1 <gu1@aeroxteam.fr>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-11-06 13:41:02 -05:00
KATOH Yasufumi
ac00e8f254 Fix clone issues
This commit fixes two issues at the time of clone:
* unnecessary directory is created when clone between overlayfs/aufs
* clone failed when the end of rootfs path is not "/rootfs"

Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2014-11-05 15:37:17 +01:00
Serge Hallyn
5d9dd3d8f7 cgmanager: fix 'attach' with "all" controller support
"all" is not a supported keyword for cgmanager's get_pid_cgroup.
Pass the first mounted cgroup subsystem instead of passing "all" when
getting the container's cgroup to attach to.

Also, make sure that the target cgroup is in fact in all identical
cgroups before attaching with "all".  If not, then we must attach to
each cgroup separately, or else we will not be in all the same cgroups
as the target container.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-11-02 16:59:26 -05:00
KATOH Yasufumi
7fb1bef22a overlayfs: overlayfs.v22 or higher needs workdir option
This patch creates workdir as "olwork", and retry mount with workdir
option when mount is failed.
It is used to prepare files before atomically switching with
destination, and needs to be on the same filesystem as upperdir. It's
OK for it to be empty.

Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2014-10-30 20:33:17 -05:00
Serge Hallyn
62183f1af7 attach: don't ignore sigint/sigkill if stdin is redirected
If attach is being done over passed-in fds, then we shouldn't
mess with the caller's signal table to ignore ctrl-c over the
fd.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-10-29 11:23:02 -04:00
Sergio Jimenez
9eaf8a596e Fixed mismatch on ipvX gateway
Signed-off-by: Sergio Jimenez <tripledes@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-10-27 17:42:11 -04:00
Simon Deziel
df7216f664 Create the apt proxy in the cache instead of the 1st container
This addresses https://github.com/lxc/lxc/issues/280.

Signed-off-by: Simon Deziel <simon@sdeziel.info>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-10-27 17:39:24 -04:00
Serge Hallyn
edf77341a5 overlay and aufs clone_paths: be more robust
Currently when we clone a container, bdev_copy passes NULL as dst argument
of bdev_init, then sees bdev->dest (as a result) is NULL, and sets
bdev->dest to $lxcpath/$name/rootfs.  so $ops->clone_paths() can
assume that "/rootfs" is at the end of the path.  The overlayfs and
aufs clonepaths do assume that and index to endofstring-6 and append
delta0.  Let's be more robust by actually finding the last / in
the path.

Then, instead of always setting oldbdev->dest to $lxcpath/$name/rootfs,
set it to oldbdev->src.  Else dir_clonepaths fails when mounting src
onto dest bc dest does not exist.  We could also fix that by creating
bdev->dest if needed, but that adds an empty directory to the old
container.

This fixes 'lxc-clone -o x1 -n x2' if x1 has lxc.rootfs = /var/lib/lxc/x1/x
and makes the overlayfs and aufs paths less fragile should something else
change.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-10-27 17:38:13 -04:00
Serge Hallyn
cfa70b8824 attach: don't use confstr(_CS_PATH)
It is not system-definable, rather glibc sets that to bin:/usr/bin, which is
simply too restrictive.  So just always set our preferred path.

This was reported at:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1384327

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-10-27 17:02:07 -04:00
Serge Hallyn
48921d92b5 lxc_global_config_value: simplify the theme
Rather than try to free all the not-being-returned items at
each if clause where we assign one to return value, just NULL
the one we are returning so we can safely free all the
values.  This should fix the newly reported coverity memory
leak

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-10-27 16:55:24 -04:00
Serge Hallyn
6a0c909a37 lxc-start: don't re-try to mount rootfs if we already did so
If we are root using a user namespace and are mounting a blockdev as rootfs,
then we do this before unsharing the userns, because we are not allowed to
do it in a userns.  But after unsharing the userns, we unconditionally
retried mounting the rootfs, resulting in failure.  stop that.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-10-27 16:54:41 -04:00
Tycho Andersen
0080bebf31 c/r: put lxc-restore-net in /usr/share
On restore, we pass criu a script to manage the network interfaces (i.e. the
full path to lxc-restore-net), which we previously installed into
/var/lib/<tuple>/lxc. However, this is also the directory that is the default
for use in mounting the rootfs locally before pivot_root()ing. So, we mounted
the rootfs and then happily called criu, pointing it to this directory which
didn't have lxc-restore-net any more, it just had the container's rootfs.
Instead, we should put lxc-restore-net somewhere else, so that criu can still
see it after the rootfs is mounted.

Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2014-10-27 11:31:38 -04:00
Dark Templar
bf1e863682 Make legacy lxc-ls more robust
Behave well when /etc/lxc/${name} is a symlink to directory

Signed-off-by: Dark Templar <dark_templar@hotbox.ru>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2014-10-27 08:33:04 -05:00
Serge Hallyn
145832ba8b do_rootfs_setup: fix return bugs
Fix return value on bind mount failure.

If we've already mounted the rootfs, exit after the bind mount
rather than re-trying the rootfs mount.  The only case where
this happens is when root is starting a container in a user
namespace and with a block device backing store.

In that case, pre-mount hooks will be executed in the initial
user namespace.  That may be worth fixing.  Or it may be what
we want.  We should think about it and fix it.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2014-10-26 22:01:30 -05:00
Serge Hallyn
9fd376e8bc lxc-start: return 0 rather than error if container is already running
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2014-10-22 10:54:36 -05:00
Dark Templar
3d8b68b1d5 Fix another gentoo template typo
I've found one more typo in the gentoo template, configuration in the
generated file /etc/conf.d/hostname was not valid, but it didn't impact
me due to "lxc.utsname" being set in the configuration file of container
and hostname service being not used. Anyway, I've made a patch and
sending it with this mail.

Signed-off-by: Dark Templar <dark_templar@hotbox.ru>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2014-10-22 09:35:08 -05:00
Bogdan Purcareata
12c3b43fbe busybox template: mount fstab when available
When running unprivileged, lxc-create will touch a fstab file, with bind-mounts
for the ttys and other devices. Add this entry in the container config.

Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2014-10-22 09:18:14 -05:00
Bogdan Purcareata
a542dd3c1a busybox template: support for unprivileged containers
Apply the changes found in templates/lxc-download to the busybox template as
well. Change ownership of the config and fstab files to the unprivileged user,
and the ownership of the rootfs to root in the new user namespace.

Eliminate the "unsupported for userns" flag.

Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2014-10-22 09:18:05 -05:00
KATOH Yasufumi
5e1c5795a3 lxc_global_config_value can return the default lxc.cgroup.pattern whether root or non-root
>>> On Tue, 30 Sep 2014 19:48:09 +0000
    in message   "Re: [lxc-devel] [PATCH] lxc-config can show lxc.cgroup.(use|pattern)"
                  Serge Hallyn-san wrote:

> I think it would be worth also augmenting
> lxc_global_config_value() to return a default lxc.cgroup.use
> for 'all', and a default lxc.cgroup.pattern ("/lxc/%n" for root
> or "%n" for non-root).

lxc.cgroup.pattern is like this? (^_^;)

Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2014-10-20 16:45:20 -05:00
KATOH Yasufumi
0c3720a336 lxc-config can show lxc.cgroup.(use|pattern)
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2014-10-20 16:45:20 -05:00
Dark Templar
4167102e93 Fix typo in lxc-gentoo template
Signed-off-by: Dark Templar <dark_templar@hotbox.ru>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2014-10-20 16:38:32 -05:00
Serge Hallyn
7196c7b37c apparmor: check for mount feature at a better time
Check for it when we check for apparmor being enabled, rather
than doing it during the middle of a container setup.

This avoids the need to try mounting /sys and /sys/kernel/security
in the middle of startup, which we may not be allowed to anyway.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Dwight Engen <dwight.engen@oracle.com>
2014-10-20 16:34:45 -05:00
Serge Hallyn
cc4ae28dd6 fix typo (spurious ';')
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2014-10-17 16:43:48 +02:00
Tycho Andersen
e311a56235 c/r: use sizeof instead of magic numbers
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2014-10-17 15:22:02 +02:00
Tycho Andersen
fed29fad60 c/r: refactor the way we pass data to criu/scripts
We previously wrote a bunch of files (eth*, veth*, and bridge*) as hard coded
files which we used as the names of interfaces to restore via criu's
--veth-pair. This meant that if people, e.g. gave a different bridge on their
new host, we would use our saved bridge in bridge* and try to restore to the
wrong bridge. Instead, we can just generate a new veth id (if the user hasn't
provided one), and use whatever the user configured values for the interface
name and bridge are.

This allows people to switch the bridge that they restore onto simply by
migrating the rootfs and config, and then changing the bridge name in the
container's configuration before running lxc-checkpoint.

Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2014-10-17 15:22:02 +02:00
Tycho Andersen
bbd4e13ea5 c/r: factor out network dump/restore code
Break the monolithic ->checkpoint and ->restore functions into smaller ones.
This is in preparation for the checkpoint/restore tty work, which has a similar
need to dump information outside of criu.

Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2014-10-17 15:22:02 +02:00
Serge Hallyn
e5848d395c netdev_move_by_index: support wlan
The python lxc-device supported adding wlan devices, so add that
support as well.  Since the python one did not support 'del',
I didn't try adding that support, though it should be trivial to
add.

We should be able to do the wlan adding using netlink, but I
went ahead and used 'iw' as the netlink path looked more
complicated than it does for other nics.  Patches to switch that
over would be very welcome.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2014-10-15 23:22:41 +02:00
Serge Hallyn
e0f5918984 lxccontainer.c: rename enter_to_ns to enter_net_ns
because that's what it does

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2014-10-15 12:47:29 +02:00