2 * lxc: linux Container library
4 * (C) Copyright IBM Corp. 2007, 2008
7 * Daniel Lezcano <daniel.lezcano at free.fr>
9 * This library is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public
11 * License as published by the Free Software Foundation; either
12 * version 2.1 of the License, or (at your option) any later version.
14 * This library is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
19 * You should have received a copy of the GNU Lesser General Public
20 * License along with this library; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
29 #include <netinet/in.h>
31 #include <sys/param.h>
32 #include <sys/types.h>
36 #include "start.h" /* for lxc_handler */
38 #if HAVE_SCMP_FILTER_CTX
39 typedef void * scmp_filter_ctx
;
42 /* worth moving to configure.ac? */
43 #define subuidfile "/etc/subuid"
44 #define subgidfile "/etc/subgid"
57 * Defines the structure to configure an ipv4 address
58 * @address : ipv4 address
59 * @broadcast : ipv4 broadcast address
60 * @mask : network mask
73 * Defines the structure to configure an ipv6 address
74 * @flags : set the address up
75 * @address : ipv6 address
76 * @broadcast : ipv6 broadcast address
77 * @mask : network mask
81 struct in6_addr mcast
;
82 struct in6_addr acast
;
91 char *pair
; /* pair name */
92 char veth1
[IFNAMSIZ
]; /* needed for deconf */
102 struct ifla_macvlan
{
103 int mode
; /* private, vepa, bridge, passthru */
107 struct ifla_veth veth_attr
;
108 struct ifla_vlan vlan_attr
;
109 struct ifla_macvlan macvlan_attr
;
113 * Defines a structure to configure a network device
114 * @link : lxc.network.link, name of bridge or host iface to attach if any
115 * @name : lxc.network.name, name of iface on the container side
116 * @flags : flag of the network device (IFF_UP, ... )
117 * @ipv4 : a list of ipv4 addresses to be set on the network device
118 * @ipv6 : a list of ipv6 addresses to be set on the network device
119 * @upscript : a script filename to be executed during interface configuration
120 * @downscript : a script filename to be executed during interface destruction
131 struct lxc_list ipv4
;
132 struct lxc_list ipv6
;
133 struct in_addr
*ipv4_gateway
;
134 bool ipv4_gateway_auto
;
135 struct in6_addr
*ipv6_gateway
;
136 bool ipv6_gateway_auto
;
142 * Defines a generic struct to configure the control group.
143 * It is up to the programmer to specify the right subsystem.
144 * @subsystem : the targeted subsystem
145 * @value : the value to set
158 * id_map is an id map entry. Form in confile is:
159 * lxc.id_map = u 0 9800 100
160 * lxc.id_map = u 1000 9900 100
161 * lxc.id_map = g 0 9800 100
162 * lxc.id_map = g 1000 9900 100
163 * meaning the container can use uids and gids 0-99 and 1000-1099,
164 * with [ug]id 0 mapping to [ug]id 9800 on the host, and [ug]id 1000 to
165 * [ug]id 9900 on the host.
169 unsigned long hostid
, nsid
, range
;
173 * Defines a structure containing pty information for
175 * @name : the path name of the slave pty side
176 * @master : the file descriptor of the master
177 * @slave : the file descriptor of the slave
179 struct lxc_pty_info
{
180 char name
[MAXPATHLEN
];
187 * Defines the number of ttys configured and contains the
189 * @nbtty = number of configured ttys
191 struct lxc_tty_info
{
193 struct lxc_pty_info
*pty_info
;
196 struct lxc_tty_state
;
199 * Defines the structure to store the console information
200 * @peer : the file descriptor put/get console traffic
201 * @name : the file name of the slave pty
207 struct lxc_pty_info peerpty
;
208 struct lxc_epoll_descr
*descr
;
212 char name
[MAXPATHLEN
];
213 struct termios
*tios
;
214 struct lxc_tty_state
*tty_state
;
218 * Defines a structure to store the rootfs location, the
219 * optional pivot_root and rootfs mount paths
220 * @rootfs : a path to the rootfs
221 * @pivot_root : a path to a pivot_root location to be used
231 * Automatic mounts for LXC to perform inside the container
234 LXC_AUTO_PROC_RW
= 0x001, /* /proc read-write */
235 LXC_AUTO_PROC_MIXED
= 0x002, /* /proc/sys and /proc/sysrq-trigger read-only */
236 LXC_AUTO_PROC_MASK
= 0x003,
238 LXC_AUTO_SYS_RW
= 0x004, /* /sys */
239 LXC_AUTO_SYS_RO
= 0x008, /* /sys read-only */
240 LXC_AUTO_SYS_MIXED
= 0x00C, /* /sys read-only and /sys/class/net read-write */
241 LXC_AUTO_SYS_MASK
= 0x00C,
243 LXC_AUTO_CGROUP_RO
= 0x010, /* /sys/fs/cgroup (partial mount, read-only) */
244 LXC_AUTO_CGROUP_RW
= 0x020, /* /sys/fs/cgroup (partial mount, read-write) */
245 LXC_AUTO_CGROUP_MIXED
= 0x030, /* /sys/fs/cgroup (partial mount, paths r/o, cgroup r/w) */
246 LXC_AUTO_CGROUP_FULL_RO
= 0x040, /* /sys/fs/cgroup (full mount, read-only) */
247 LXC_AUTO_CGROUP_FULL_RW
= 0x050, /* /sys/fs/cgroup (full mount, read-write) */
248 LXC_AUTO_CGROUP_FULL_MIXED
= 0x060, /* /sys/fs/cgroup (full mount, parent r/o, own r/w) */
249 /* These are defined in such a way as to retain
250 * binary compatibility with earlier versions of
251 * this code. If the previous mask is applied,
252 * both of these will default back to the _MIXED
253 * variants, which is safe. */
254 LXC_AUTO_CGROUP_NOSPEC
= 0x0B0, /* /sys/fs/cgroup (partial mount, r/w or mixed, depending on caps) */
255 LXC_AUTO_CGROUP_FULL_NOSPEC
= 0x0E0, /* /sys/fs/cgroup (full mount, r/w or mixed, depending on caps) */
256 LXC_AUTO_CGROUP_MASK
= 0x0F0,
258 LXC_AUTO_ALL_MASK
= 0x0FF, /* all known settings */
262 * Defines the global container configuration
263 * @rootfs : root directory to run the container
264 * @pivotdir : pivotdir path, if not set default will be used
265 * @mount : list of mount points
266 * @tty : number of ttys
267 * @pts : new pts instance
268 * @mount_list : list of mount point (alternative to fstab file)
269 * @network : network configuration
270 * @utsname : container utsname
271 * @fstab : path to a fstab file format
272 * @caps : list of the capabilities to drop
273 * @keepcaps : list of the capabilities to keep
274 * @tty_info : tty data
275 * @console : console data
276 * @ttydir : directory (under /dev) in which to create console and ttys
277 * @lsm_aa_profile : apparmor profile to switch to or NULL
278 * @lsm_se_context : selinux type to switch to or NULL
281 LXCHOOK_PRESTART
, LXCHOOK_PREMOUNT
, LXCHOOK_MOUNT
, LXCHOOK_AUTODEV
,
282 LXCHOOK_START
, LXCHOOK_POSTSTOP
, LXCHOOK_CLONE
, LXCHOOK_DESTROY
,
284 extern char *lxchook_names
[NUM_LXC_HOOKS
];
298 signed long personality
;
299 struct utsname
*utsname
;
300 struct lxc_list cgroup
;
301 struct lxc_list id_map
;
302 struct lxc_list network
;
303 struct saved_nic
*saved_nics
;
306 struct lxc_list mount_list
;
307 struct lxc_list caps
;
308 struct lxc_list keepcaps
;
309 struct lxc_tty_info tty_info
;
310 char *pty_names
; // comma-separated list of lxc.tty pty names
311 struct lxc_console console
;
312 struct lxc_rootfs rootfs
;
315 struct lxc_list hooks
[NUM_LXC_HOOKS
];
317 char *lsm_aa_profile
;
318 int lsm_aa_allow_incomplete
;
319 char *lsm_se_context
;
321 char *seccomp
; // filename with the seccomp rules
322 #if HAVE_SCMP_FILTER_CTX
323 scmp_filter_ctx seccomp_ctx
;
326 int autodev
; // if 1, mount and fill a /dev at start
327 int haltsignal
; // signal used to halt container
328 int rebootsignal
; // signal used to reboot container
329 int stopsignal
; // signal used to hard stop container
330 int kmsg
; // if 1, create /dev/kmsg symlink
331 char *rcfile
; // Copy of the top level rcfile we read
333 // Logfile and loglevel can be set in a container config file.
334 // These function as defaults. The defaults can be overridden
335 // by command line. However we don't want the command line
336 // specified values to be saved on c->save_config(). So we
337 // store the config file specified values here.
338 char *logfile
; // the logfile as specified in config
339 int loglevel
; // loglevel as specified in config (if any)
342 int inherit_ns_fd
[LXC_NS_MAX
];
347 struct lxc_list groups
;
350 /* set to true when rootfs has been setup */
353 /* list of included files */
354 struct lxc_list includes
;
355 /* config entries which are not "lxc.*" are aliens */
356 struct lxc_list aliens
;
358 /* list of environment variables we'll add to the container when
360 struct lxc_list environment
;
362 /* text representation of the config file */
363 char *unexpanded_config
;
364 size_t unexpanded_len
, unexpanded_alloced
;
369 /* if running in a new user namespace, the UID/GID that COMMAND for
370 * lxc-execute should run under */
376 extern __thread
struct lxc_conf
*current_config
;
378 extern struct lxc_conf
*current_config
;
381 int run_lxc_hooks(const char *name
, char *hook
, struct lxc_conf
*conf
,
382 const char *lxcpath
, char *argv
[]);
384 extern int detect_shared_rootfs(void);
387 * Initialize the lxc configuration structure
389 extern struct lxc_conf
*lxc_conf_init(void);
390 extern void lxc_conf_free(struct lxc_conf
*conf
);
392 extern int pin_rootfs(const char *rootfs
);
394 extern int lxc_requests_empty_network(struct lxc_handler
*handler
);
395 extern int lxc_create_network(struct lxc_handler
*handler
);
396 extern void lxc_delete_network(struct lxc_handler
*handler
);
397 extern int lxc_assign_network(struct lxc_list
*networks
, pid_t pid
);
398 extern int lxc_map_ids(struct lxc_list
*idmap
, pid_t pid
);
399 extern int lxc_find_gateway_addresses(struct lxc_handler
*handler
);
401 extern int lxc_create_tty(const char *name
, struct lxc_conf
*conf
);
402 extern void lxc_delete_tty(struct lxc_tty_info
*tty_info
);
404 extern int lxc_clear_config_network(struct lxc_conf
*c
);
405 extern int lxc_clear_nic(struct lxc_conf
*c
, const char *key
);
406 extern int lxc_clear_config_caps(struct lxc_conf
*c
);
407 extern int lxc_clear_config_keepcaps(struct lxc_conf
*c
);
408 extern int lxc_clear_cgroups(struct lxc_conf
*c
, const char *key
);
409 extern int lxc_clear_mount_entries(struct lxc_conf
*c
);
410 extern int lxc_clear_automounts(struct lxc_conf
*c
);
411 extern int lxc_clear_hooks(struct lxc_conf
*c
, const char *key
);
412 extern int lxc_clear_idmaps(struct lxc_conf
*c
);
413 extern int lxc_clear_groups(struct lxc_conf
*c
);
414 extern int lxc_clear_environment(struct lxc_conf
*c
);
415 extern int lxc_delete_autodev(struct lxc_handler
*handler
);
417 extern int do_rootfs_setup(struct lxc_conf
*conf
, const char *name
,
418 const char *lxcpath
);
421 * Configure the container from inside
424 struct cgroup_process_info
;
425 extern int lxc_setup(struct lxc_handler
*handler
);
427 extern void lxc_rename_phys_nics_on_shutdown(int netnsfd
, struct lxc_conf
*conf
);
429 extern int find_unmapped_nsuid(struct lxc_conf
*conf
, enum idtype idtype
);
430 extern int mapped_hostid(unsigned id
, struct lxc_conf
*conf
, enum idtype idtype
);
431 extern int chown_mapped_root(char *path
, struct lxc_conf
*conf
);
432 extern int ttys_shift_ids(struct lxc_conf
*c
);
433 extern int userns_exec_1(struct lxc_conf
*conf
, int (*fn
)(void *), void *data
);
434 extern int parse_mntopts(const char *mntopts
, unsigned long *mntflags
,
436 extern void tmp_proc_unmount(struct lxc_conf
*lxc_conf
);
437 void remount_all_slave(void);
438 extern void suggest_default_idmap(void);
439 FILE *write_mount_file(struct lxc_list
*mount
);
440 struct lxc_list
*sort_cgroup_settings(struct lxc_list
* cgroup_settings
);