1 /* SPDX-License-Identifier: LGPL-2.1+ */
20 #include <sys/mount.h>
22 #include <sys/syscall.h>
23 #include <sys/sysmacros.h>
24 #include <sys/types.h>
28 #include "../include/netns_ifaddrs.h"
30 #include "api_extensions.h"
35 #include "commands_utils.h"
39 #include "confile_utils.h"
42 #include "initutils.h"
45 #include "lxccontainer.h"
47 #include "memory_utils.h"
49 #include "namespace.h"
52 #include "process_utils.h"
56 #include "storage/btrfs.h"
57 #include "storage/overlay.h"
58 #include "storage_utils.h"
60 #include "syscall_wrappers.h"
66 #include <openssl/evp.h>
71 #include <sys/mkdev.h>
75 #include <../include/lxcmntent.h>
81 #include "include/strlcpy.h"
84 lxc_log_define(lxccontainer
, lxc
);
86 static bool do_lxcapi_destroy(struct lxc_container
*c
);
87 static const char *lxcapi_get_config_path(struct lxc_container
*c
);
88 #define do_lxcapi_get_config_path(c) lxcapi_get_config_path(c)
89 static bool do_lxcapi_set_config_item(struct lxc_container
*c
, const char *key
, const char *v
);
90 static bool container_destroy(struct lxc_container
*c
,
91 struct lxc_storage
*storage
);
92 static bool get_snappath_dir(struct lxc_container
*c
, char *snappath
);
93 static bool lxcapi_snapshot_destroy_all(struct lxc_container
*c
);
94 static bool do_lxcapi_save_config(struct lxc_container
*c
, const char *alt_file
);
96 static bool config_file_exists(const char *lxcpath
, const char *cname
)
98 __do_free
char *fname
= NULL
;
102 /* $lxcpath + '/' + $cname + '/config' + \0 */
103 len
= strlen(lxcpath
) + 1 + strlen(cname
) + 1 + strlen(LXC_CONFIG_FNAME
) + 1;
104 fname
= must_realloc(NULL
, len
);
105 ret
= snprintf(fname
, len
, "%s/%s/%s", lxcpath
, cname
, LXC_CONFIG_FNAME
);
106 if (ret
< 0 || (size_t)ret
>= len
)
109 return file_exists(fname
);
113 * A few functions to help detect when a container creation failed. If a
114 * container creation was killed partway through, then trying to actually start
115 * that container could harm the host. We detect this by creating a 'partial'
116 * file under the container directory, and keeping an advisory lock. When
117 * container creation completes, we remove that file. When we load or try to
118 * start a container, if we find that file, without a flock, we remove the
122 LXC_CREATE_FAILED
= -1,
123 LXC_CREATE_SUCCESS
= 0,
124 LXC_CREATE_ONGOING
= 1,
125 LXC_CREATE_INCOMPLETE
= 2,
128 static int ongoing_create(struct lxc_container
*c
)
130 __do_close
int fd
= -EBADF
;
131 __do_free
char *path
= NULL
;
132 struct flock lk
= {0};
136 len
= strlen(c
->config_path
) + 1 + strlen(c
->name
) + 1 + strlen(LXC_PARTIAL_FNAME
) + 1;
137 path
= must_realloc(NULL
, len
);
138 ret
= snprintf(path
, len
, "%s/%s/%s", c
->config_path
, c
->name
, LXC_PARTIAL_FNAME
);
139 if (ret
< 0 || (size_t)ret
>= len
)
140 return LXC_CREATE_FAILED
;
142 fd
= open(path
, O_RDWR
| O_CLOEXEC
);
145 return LXC_CREATE_FAILED
;
147 return LXC_CREATE_SUCCESS
;
151 lk
.l_whence
= SEEK_SET
;
153 * F_OFD_GETLK requires that l_pid be set to 0 otherwise the kernel
158 ret
= fcntl(fd
, F_OFD_GETLK
, &lk
);
159 if (ret
< 0 && errno
== EINVAL
) {
160 ret
= flock(fd
, LOCK_EX
| LOCK_NB
);
161 if (ret
< 0 && errno
== EWOULDBLOCK
)
165 /* F_OFD_GETLK will not send us back a pid so don't check it. */
167 /* Create is still ongoing. */
168 return LXC_CREATE_ONGOING
;
170 /* Create completed but partial is still there. */
171 return LXC_CREATE_INCOMPLETE
;
174 static int create_partial(struct lxc_container
*c
)
176 __do_free
char *path
= NULL
;
179 struct flock lk
= {0};
181 /* $lxcpath + '/' + $name + '/partial' + \0 */
182 len
= strlen(c
->config_path
) + 1 + strlen(c
->name
) + 1 + strlen(LXC_PARTIAL_FNAME
) + 1;
183 path
= must_realloc(NULL
, len
);
184 ret
= snprintf(path
, len
, "%s/%s/%s", c
->config_path
, c
->name
, LXC_PARTIAL_FNAME
);
185 if (ret
< 0 || (size_t)ret
>= len
)
188 fd
= open(path
, O_RDWR
| O_CREAT
| O_EXCL
| O_CLOEXEC
, 0000);
193 lk
.l_whence
= SEEK_SET
;
195 ret
= fcntl(fd
, F_OFD_SETLKW
, &lk
);
197 if (errno
== EINVAL
) {
198 ret
= flock(fd
, LOCK_EX
);
203 SYSERROR("Failed to lock partial file %s", path
);
211 static void remove_partial(struct lxc_container
*c
, int fd
)
213 __do_free
char *path
= NULL
;
219 /* $lxcpath + '/' + $name + '/partial' + \0 */
220 len
= strlen(c
->config_path
) + 1 + strlen(c
->name
) + 1 + strlen(LXC_PARTIAL_FNAME
) + 1;
221 path
= must_realloc(NULL
, len
);
222 ret
= snprintf(path
, len
, "%s/%s/%s", c
->config_path
, c
->name
, LXC_PARTIAL_FNAME
);
223 if (ret
< 0 || (size_t)ret
>= len
)
228 SYSERROR("Failed to remove partial file %s", path
);
232 * 1. container_mem_lock(c) protects the struct lxc_container from multiple threads.
233 * 2. container_disk_lock(c) protects the on-disk container data - in particular the
234 * container configuration file.
235 * The container_disk_lock also takes the container_mem_lock.
236 * 3. thread_mutex protects process data (ex: fd table) from multiple threads.
237 * NOTHING mutexes two independent programs with their own struct
238 * lxc_container for the same c->name, between API calls. For instance,
239 * c->config_read(); c->start(); Between those calls, data on disk
240 * could change (which shouldn't bother the caller unless for instance
241 * the rootfs get moved). c->config_read(); update; c->config_write();
242 * Two such updaters could race. The callers should therefore check their
243 * results. Trying to prevent that would necessarily expose us to deadlocks
244 * due to hung callers. So I prefer to keep the locks only within our own
245 * functions, not across functions.
247 * If you're going to clone while holding a lxccontainer, increment
248 * c->numthreads (under privlock) before forking. When deleting,
249 * decrement numthreads under privlock, then if it hits 0 you can delete.
250 * Do not ever use a lxccontainer whose numthreads you did not bump.
252 static void lxc_container_free(struct lxc_container
*c
)
258 c
->configfile
= NULL
;
260 free(c
->error_string
);
261 c
->error_string
= NULL
;
264 lxc_putlock(c
->slock
);
269 lxc_putlock(c
->privlock
);
277 lxc_conf_free(c
->lxc_conf
);
281 free(c
->config_path
);
282 c
->config_path
= NULL
;
287 /* Consider the following case:
289 * |====================================================================|
290 * | freer | racing get()er |
291 * |====================================================================|
292 * | lxc_container_put() | lxc_container_get() |
293 * | \ lxclock(c->privlock) | c->numthreads < 1? (no) |
294 * | \ c->numthreads = 0 | \ lxclock(c->privlock) -> waits |
295 * | \ lxcunlock() | \ |
296 * | \ lxc_container_free() | \ lxclock() returns |
297 * | | \ c->numthreads < 1 -> return 0 |
298 * | \ \ (free stuff) | |
299 * | \ \ sem_destroy(privlock) | |
300 * |_______________________________|____________________________________|
302 * When the get()er checks numthreads the first time, one of the following
304 * 1. freer has set numthreads = 0. get() returns 0
305 * 2. freer is between lxclock and setting numthreads to 0. get()er will
306 * sem_wait on privlock, get lxclock after freer() drops it, then see
307 * numthreads is 0 and exit without touching lxclock again..
308 * 3. freer has not yet locked privlock. If get()er runs first, then put()er
309 * will see --numthreads = 1 and not call lxc_container_free().
312 int lxc_container_get(struct lxc_container
*c
)
317 /* If someone else has already started freeing the container, don't try
318 * to take the lock, which may be invalid.
320 if (c
->numthreads
< 1)
323 if (container_mem_lock(c
))
326 /* Bail without trying to unlock, bc the privlock is now probably in
329 if (c
->numthreads
< 1)
333 container_mem_unlock(c
);
338 int lxc_container_put(struct lxc_container
*c
)
343 if (container_mem_lock(c
))
348 if (c
->numthreads
< 1) {
349 container_mem_unlock(c
);
350 lxc_container_free(c
);
354 container_mem_unlock(c
);
358 static bool do_lxcapi_is_defined(struct lxc_container
*c
)
367 if (container_mem_lock(c
))
373 statret
= stat(c
->configfile
, &statbuf
);
380 container_mem_unlock(c
);
384 #define WRAP_API(rettype, fnname) \
385 static rettype fnname(struct lxc_container *c) \
388 bool reset_config = false; \
390 if (!current_config && c && c->lxc_conf) { \
391 current_config = c->lxc_conf; \
392 reset_config = true; \
395 ret = do_##fnname(c); \
397 current_config = NULL; \
402 #define WRAP_API_1(rettype, fnname, t1) \
403 static rettype fnname(struct lxc_container *c, t1 a1) \
406 bool reset_config = false; \
408 if (!current_config && c && c->lxc_conf) { \
409 current_config = c->lxc_conf; \
410 reset_config = true; \
413 ret = do_##fnname(c, a1); \
415 current_config = NULL; \
420 #define WRAP_API_2(rettype, fnname, t1, t2) \
421 static rettype fnname(struct lxc_container *c, t1 a1, t2 a2) \
424 bool reset_config = false; \
426 if (!current_config && c && c->lxc_conf) { \
427 current_config = c->lxc_conf; \
428 reset_config = true; \
431 ret = do_##fnname(c, a1, a2); \
433 current_config = NULL; \
438 #define WRAP_API_3(rettype, fnname, t1, t2, t3) \
439 static rettype fnname(struct lxc_container *c, t1 a1, t2 a2, t3 a3) \
442 bool reset_config = false; \
444 if (!current_config && c && c->lxc_conf) { \
445 current_config = c->lxc_conf; \
446 reset_config = true; \
449 ret = do_##fnname(c, a1, a2, a3); \
451 current_config = NULL; \
456 #define WRAP_API_6(rettype, fnname, t1, t2, t3, t4, t5, t6) \
457 static rettype fnname(struct lxc_container *c, t1 a1, t2 a2, t3 a3, \
458 t4 a4, t5 a5, t6 a6) \
461 bool reset_config = false; \
463 if (!current_config && c && c->lxc_conf) { \
464 current_config = c->lxc_conf; \
465 reset_config = true; \
468 ret = do_##fnname(c, a1, a2, a3, a4, a5, a6); \
470 current_config = NULL; \
475 WRAP_API(bool, lxcapi_is_defined
)
477 static const char *do_lxcapi_state(struct lxc_container
*c
)
484 s
= lxc_getstate(c
->name
, c
->config_path
);
485 return lxc_state2str(s
);
488 WRAP_API(const char *, lxcapi_state
)
490 static bool is_stopped(struct lxc_container
*c
)
494 s
= lxc_getstate(c
->name
, c
->config_path
);
495 return (s
== STOPPED
);
498 static bool do_lxcapi_is_running(struct lxc_container
*c
)
503 return !is_stopped(c
);
506 WRAP_API(bool, lxcapi_is_running
)
508 static bool do_lxcapi_freeze(struct lxc_container
*c
)
512 if (!c
|| !c
->lxc_conf
)
515 s
= lxc_getstate(c
->name
, c
->config_path
);
517 return lxc_freeze(c
->lxc_conf
, c
->name
, c
->config_path
) == 0;
522 WRAP_API(bool, lxcapi_freeze
)
524 static bool do_lxcapi_unfreeze(struct lxc_container
*c
)
528 if (!c
|| !c
->lxc_conf
)
531 s
= lxc_getstate(c
->name
, c
->config_path
);
533 return lxc_unfreeze(c
->lxc_conf
, c
->name
, c
->config_path
) == 0;
538 WRAP_API(bool, lxcapi_unfreeze
)
540 static int do_lxcapi_console_getfd(struct lxc_container
*c
, int *ttynum
, int *ptxfd
)
545 return lxc_terminal_getfd(c
, ttynum
, ptxfd
);
548 WRAP_API_2(int, lxcapi_console_getfd
, int *, int *)
550 static int lxcapi_console(struct lxc_container
*c
, int ttynum
, int stdinfd
,
551 int stdoutfd
, int stderrfd
, int escape
)
558 current_config
= c
->lxc_conf
;
559 ret
= lxc_console(c
, ttynum
, stdinfd
, stdoutfd
, stderrfd
, escape
);
560 current_config
= NULL
;
565 static int do_lxcapi_console_log(struct lxc_container
*c
, struct lxc_console_log
*log
)
572 ret
= lxc_cmd_console_log(c
->name
, do_lxcapi_get_config_path(c
), log
);
575 NOTICE("The console log is empty");
576 else if (ret
== -EFAULT
)
577 NOTICE("The container does not keep a console log");
578 else if (ret
== -ENOENT
)
579 NOTICE("The container does not keep a console log file");
580 else if (ret
== -EIO
)
581 NOTICE("Failed to write console log to log file");
583 ERROR("Failed to retrieve console log");
589 WRAP_API_1(int, lxcapi_console_log
, struct lxc_console_log
*)
591 static pid_t
do_lxcapi_init_pid(struct lxc_container
*c
)
596 return lxc_cmd_get_init_pid(c
->name
, c
->config_path
);
599 WRAP_API(pid_t
, lxcapi_init_pid
)
601 static int do_lxcapi_init_pidfd(struct lxc_container
*c
)
604 return ret_errno(EBADF
);
606 return lxc_cmd_get_init_pidfd(c
->name
, c
->config_path
);
609 WRAP_API(int, lxcapi_init_pidfd
)
611 static bool load_config_locked(struct lxc_container
*c
, const char *fname
)
614 c
->lxc_conf
= lxc_conf_init();
619 if (lxc_config_read(fname
, c
->lxc_conf
, false) != 0)
622 c
->lxc_conf
->name
= c
->name
;
626 static bool do_lxcapi_load_config(struct lxc_container
*c
, const char *alt_file
)
630 bool need_disklock
= false, ret
= false;
635 fname
= c
->configfile
;
643 /* If we're reading something other than the container's config, we only
644 * need to lock the in-memory container. If loading the container's
645 * config file, take the disk lock.
647 if (strcmp(fname
, c
->configfile
) == 0)
648 need_disklock
= true;
651 lret
= container_disk_lock(c
);
653 lret
= container_mem_lock(c
);
657 ret
= load_config_locked(c
, fname
);
660 container_disk_unlock(c
);
662 container_mem_unlock(c
);
667 WRAP_API_1(bool, lxcapi_load_config
, const char *)
669 static bool do_lxcapi_want_daemonize(struct lxc_container
*c
, bool state
)
671 if (!c
|| !c
->lxc_conf
)
674 if (container_mem_lock(c
))
677 c
->daemonize
= state
;
679 container_mem_unlock(c
);
684 WRAP_API_1(bool, lxcapi_want_daemonize
, bool)
686 static bool do_lxcapi_want_close_all_fds(struct lxc_container
*c
, bool state
)
688 if (!c
|| !c
->lxc_conf
)
691 if (container_mem_lock(c
))
694 c
->lxc_conf
->close_all_fds
= state
;
696 container_mem_unlock(c
);
701 WRAP_API_1(bool, lxcapi_want_close_all_fds
, bool)
703 static bool do_lxcapi_wait(struct lxc_container
*c
, const char *state
,
711 ret
= lxc_wait(c
->name
, state
, timeout
, c
->config_path
);
715 WRAP_API_2(bool, lxcapi_wait
, const char *, int)
717 static bool am_single_threaded(void)
719 __do_closedir
DIR *dir
= NULL
;
720 struct dirent
*direntp
;
723 dir
= opendir("/proc/self/task");
727 while ((direntp
= readdir(dir
))) {
728 if (strcmp(direntp
->d_name
, ".") == 0)
731 if (strcmp(direntp
->d_name
, "..") == 0)
742 static void push_arg(char ***argp
, char *arg
, int *nargs
)
747 copy
= must_copy_string(arg
);
750 argv
= realloc(*argp
, (*nargs
+ 2) * sizeof(char *));
759 static char **split_init_cmd(const char *incmd
)
761 __do_free
char *copy
= NULL
;
769 copy
= must_copy_string(incmd
);
772 argv
= malloc(sizeof(char *));
776 lxc_iterate_parts (p
, copy
, " ")
777 push_arg(&argv
, p
, &nargs
);
787 static void free_init_cmd(char **argv
)
800 static int lxc_rcv_status(int state_socket
)
806 /* Receive container state. */
807 ret
= lxc_abstract_unix_rcv_credential(state_socket
, &state
, sizeof(int));
812 TRACE("Caught EINTR; retrying");
819 static bool wait_on_daemonized_start(struct lxc_handler
*handler
, int pid
)
823 /* The first child is going to fork() again and then exits. So we reap
824 * the first child here.
826 ret
= wait_for_pid(pid
);
828 DEBUG("Failed waiting on first child %d", pid
);
830 DEBUG("First child %d exited", pid
);
832 /* Close write end of the socket pair. */
833 close_prot_errno_disarm(handler
->state_socket_pair
[1]);
835 state
= lxc_rcv_status(handler
->state_socket_pair
[0]);
837 /* Close read end of the socket pair. */
838 close_prot_errno_disarm(handler
->state_socket_pair
[0]);
841 SYSERROR("Failed to receive the container state");
845 /* If we receive anything else then running we know that the container
848 if (state
!= RUNNING
) {
849 ERROR("Received container state \"%s\" instead of \"RUNNING\"",
850 lxc_state2str(state
));
854 TRACE("Container is in \"RUNNING\" state");
858 static bool do_lxcapi_start(struct lxc_container
*c
, int useinit
, char * const argv
[])
861 struct lxc_handler
*handler
;
862 struct lxc_conf
*conf
;
863 char *default_args
[] = {
867 char **init_cmd
= NULL
;
869 /* container does exist */
873 /* If anything fails before we set error_num, we want an error in there.
877 /* Container has not been setup. */
881 ret
= ongoing_create(c
);
883 case LXC_CREATE_FAILED
:
884 ERROR("Failed checking for incomplete container creation");
886 case LXC_CREATE_ONGOING
:
887 ERROR("Ongoing container creation detected");
889 case LXC_CREATE_INCOMPLETE
:
890 ERROR("Failed to create container");
891 do_lxcapi_destroy(c
);
895 if (container_mem_lock(c
))
900 /* initialize handler */
901 handler
= lxc_init_handler(NULL
, c
->name
, conf
, c
->config_path
, c
->daemonize
);
903 container_mem_unlock(c
);
908 if (useinit
&& conf
->execute_cmd
)
909 argv
= init_cmd
= split_init_cmd(conf
->execute_cmd
);
911 argv
= init_cmd
= split_init_cmd(conf
->init_cmd
);
914 /* ... otherwise use default_args. */
917 ERROR("No valid init detected");
918 lxc_put_handler(handler
);
924 /* I'm not sure what locks we want here.Any? Is liblxc's locking enough
925 * here to protect the on disk container? We don't want to exclude
926 * things like lxc_info while the container is running.
931 pid_t pid_first
, pid_second
;
935 free_init_cmd(init_cmd
);
936 lxc_put_handler(handler
);
941 if (pid_first
!= 0) {
942 /* Set to NULL because we don't want father unlink
943 * the PID file, child will do the free and unlink.
947 /* Wait for container to tell us whether it started
950 started
= wait_on_daemonized_start(handler
, pid_first
);
952 free_init_cmd(init_cmd
);
953 lxc_put_handler(handler
);
959 /* We don't really care if this doesn't print all the
960 * characters. All that it means is that the proctitle will be
961 * ugly. Similarly, we also don't care if setproctitle() fails.
963 ret
= snprintf(title
, sizeof(title
), "[lxc monitor] %s %s", c
->config_path
, c
->name
);
965 ret
= setproctitle(title
);
967 INFO("Failed to set process title to %s", title
);
969 INFO("Set process title to %s", title
);
972 /* We fork() a second time to be reparented to init. Like
973 * POSIX's daemon() function we change to "/" and redirect
974 * std{in,out,err} to /dev/null.
977 if (pid_second
< 0) {
978 SYSERROR("Failed to fork first child process");
983 if (pid_second
!= 0) {
984 free_init_cmd(init_cmd
);
985 lxc_put_handler(handler
);
991 /* change to / directory */
994 SYSERROR("Failed to change to \"/\" directory");
998 ret
= inherit_fds(handler
, true);
1000 _exit(EXIT_FAILURE
);
1002 /* redirect std{in,out,err} to /dev/null */
1003 ret
= null_stdfds();
1005 ERROR("Failed to redirect std{in,out,err} to /dev/null");
1006 _exit(EXIT_FAILURE
);
1009 /* become session leader */
1012 TRACE("Process %d is already process group leader", lxc_raw_getpid());
1013 } else if (!am_single_threaded()) {
1014 ERROR("Cannot start non-daemonized container when threaded");
1015 free_init_cmd(init_cmd
);
1016 lxc_put_handler(handler
);
1020 /* We need to write PID file after daemonize, so we always write the
1025 char pidstr
[INTTYPE_TO_STRLEN(pid_t
)];
1027 w
= snprintf(pidstr
, sizeof(pidstr
), "%d", lxc_raw_getpid());
1028 if (w
< 0 || (size_t)w
>= sizeof(pidstr
)) {
1029 free_init_cmd(init_cmd
);
1030 lxc_put_handler(handler
);
1032 SYSERROR("Failed to write monitor pid to \"%s\"", c
->pidfile
);
1035 _exit(EXIT_FAILURE
);
1040 ret
= lxc_write_to_file(c
->pidfile
, pidstr
, w
, false, 0600);
1042 free_init_cmd(init_cmd
);
1043 lxc_put_handler(handler
);
1045 SYSERROR("Failed to write monitor pid to \"%s\"", c
->pidfile
);
1048 _exit(EXIT_FAILURE
);
1054 conf
->reboot
= REBOOT_NONE
;
1056 /* Unshare the mount namespace if requested */
1057 if (conf
->monitor_unshare
) {
1058 ret
= unshare(CLONE_NEWNS
);
1060 SYSERROR("Failed to unshare mount namespace");
1061 lxc_put_handler(handler
);
1066 ret
= mount(NULL
, "/", NULL
, MS_SLAVE
|MS_REC
, NULL
);
1068 SYSERROR("Failed to recursively turn root mount tree into dependent mount. Continuing...");
1069 lxc_put_handler(handler
);
1076 if (conf
->reboot
== REBOOT_INIT
) {
1077 /* initialize handler */
1078 handler
= lxc_init_handler(handler
, c
->name
, conf
, c
->config_path
, c
->daemonize
);
1085 ret
= inherit_fds(handler
, c
->daemonize
);
1087 lxc_put_handler(handler
);
1093 ret
= lxc_execute(c
->name
, argv
, 1, handler
, c
->config_path
,
1094 c
->daemonize
, &c
->error_num
);
1096 ret
= lxc_start(argv
, handler
, c
->config_path
, c
->daemonize
,
1099 if (conf
->reboot
== REBOOT_REQ
) {
1100 INFO("Container requested reboot");
1101 conf
->reboot
= REBOOT_INIT
;
1111 free_init_cmd(init_cmd
);
1113 if (c
->daemonize
&& ret
!= 0)
1114 _exit(EXIT_FAILURE
);
1115 else if (c
->daemonize
)
1116 _exit(EXIT_SUCCESS
);
1124 static bool lxcapi_start(struct lxc_container
*c
, int useinit
,
1129 current_config
= c
? c
->lxc_conf
: NULL
;
1130 ret
= do_lxcapi_start(c
, useinit
, argv
);
1131 current_config
= NULL
;
1136 /* Note, there MUST be an ending NULL. */
1137 static bool lxcapi_startl(struct lxc_container
*c
, int useinit
, ...)
1140 char **inargs
= NULL
;
1143 /* container exists */
1147 current_config
= c
->lxc_conf
;
1149 va_start(ap
, useinit
);
1150 inargs
= lxc_va_arg_list_to_argv(ap
, 0, 1);
1155 /* pass NULL if no arguments were supplied */
1156 bret
= do_lxcapi_start(c
, useinit
, *inargs
? inargs
: NULL
);
1162 for (arg
= inargs
; *arg
; arg
++)
1167 current_config
= NULL
;
1172 static bool do_lxcapi_stop(struct lxc_container
*c
)
1179 ret
= lxc_cmd_stop(c
->name
, c
->config_path
);
1184 WRAP_API(bool, lxcapi_stop
)
1186 static int do_create_container_dir(const char *path
, struct lxc_conf
*conf
)
1191 mode_t mask
= umask(0002);
1192 ret
= mkdir(path
, 0770);
1197 if (errno
!= EEXIST
)
1203 if (!lxc_list_empty(&conf
->id_map
)) {
1204 ret
= chown_mapped_root(path
, conf
);
1212 /* Create the standard expected container dir. */
1213 static bool create_container_dir(struct lxc_container
*c
)
1219 len
= strlen(c
->config_path
) + strlen(c
->name
) + 2;
1224 ret
= snprintf(s
, len
, "%s/%s", c
->config_path
, c
->name
);
1225 if (ret
< 0 || (size_t)ret
>= len
) {
1230 ret
= do_create_container_dir(s
, c
->lxc_conf
);
1236 /* do_storage_create: thin wrapper around storage_create(). Like
1237 * storage_create(), it returns a mounted bdev on success, NULL on error.
1239 static struct lxc_storage
*do_storage_create(struct lxc_container
*c
,
1241 struct bdev_specs
*specs
)
1243 __do_free
char *dest
= NULL
;
1246 struct lxc_storage
*bdev
;
1248 /* rootfs.path or lxcpath/lxcname/rootfs */
1249 if (c
->lxc_conf
->rootfs
.path
&&
1250 (access(c
->lxc_conf
->rootfs
.path
, F_OK
) == 0)) {
1251 const char *rpath
= c
->lxc_conf
->rootfs
.path
;
1252 len
= strlen(rpath
) + 1;
1253 dest
= must_realloc(NULL
, len
);
1254 ret
= snprintf(dest
, len
, "%s", rpath
);
1256 const char *lxcpath
= do_lxcapi_get_config_path(c
);
1257 len
= strlen(c
->name
) + 1 + strlen(lxcpath
) + 1 + strlen(LXC_ROOTFS_DNAME
) + 1;
1258 dest
= must_realloc(NULL
, len
);
1259 ret
= snprintf(dest
, len
, "%s/%s/%s", lxcpath
, c
->name
, LXC_ROOTFS_DNAME
);
1261 if (ret
< 0 || (size_t)ret
>= len
)
1264 bdev
= storage_create(dest
, type
, c
->name
, specs
, c
->lxc_conf
);
1266 ERROR("Failed to create \"%s\" storage", type
);
1270 if (!c
->set_config_item(c
, "lxc.rootfs.path", bdev
->src
)) {
1271 ERROR("Failed to set \"lxc.rootfs.path = %s\"", bdev
->src
);
1276 /* If we are not root, chown the rootfs dir to root in the target user
1279 if (am_guest_unpriv() || !lxc_list_empty(&c
->lxc_conf
->id_map
)) {
1280 ret
= chown_mapped_root(bdev
->dest
, c
->lxc_conf
);
1282 ERROR("Error chowning \"%s\" to container root", bdev
->dest
);
1283 suggest_default_idmap();
1292 /* Strip path and return name of file for argv[0] passed to execvp */
1293 static char *lxctemplatefilename(char *tpath
)
1297 p
= tpath
+ strlen(tpath
) - 1;
1298 while ( (p
-1) >= tpath
&& *(p
-1) != '/')
1304 static bool create_run_template(struct lxc_container
*c
, char *tpath
,
1305 bool need_null_stdfds
, char *const argv
[])
1315 SYSERROR("Failed to fork task for container creation template");
1319 if (pid
== 0) { /* child */
1321 char *namearg
, *patharg
, *rootfsarg
;
1324 struct lxc_storage
*bdev
= NULL
;
1325 struct lxc_conf
*conf
= c
->lxc_conf
;
1328 if (need_null_stdfds
) {
1329 ret
= null_stdfds();
1331 _exit(EXIT_FAILURE
);
1334 bdev
= storage_init(c
->lxc_conf
);
1336 ERROR("Failed to initialize storage");
1337 _exit(EXIT_FAILURE
);
1342 ret
= unshare(CLONE_NEWNS
);
1344 ERROR("Failed to unshare CLONE_NEWNS");
1345 _exit(EXIT_FAILURE
);
1348 if (detect_shared_rootfs() && mount(NULL
, "/", NULL
, MS_SLAVE
| MS_REC
, NULL
))
1349 SYSERROR("Failed to recursively turn root mount tree into dependent mount. Continuing...");
1352 if (strcmp(bdev
->type
, "dir") != 0 && strcmp(bdev
->type
, "btrfs") != 0) {
1354 ERROR("Unprivileged users can only create "
1355 "btrfs and directory-backed containers");
1356 _exit(EXIT_FAILURE
);
1359 if (strcmp(bdev
->type
, "overlay") == 0 ||
1360 strcmp(bdev
->type
, "overlayfs") == 0) {
1361 /* If we create an overlay container we need to
1362 * rsync the contents into
1363 * <container-path>/<container-name>/rootfs.
1364 * However, the overlay mount function will
1366 * <container-path>/<container-name>/delta0
1368 * <container-path>/<container-name>/rootfs
1369 * which means we would rsync the rootfs into
1370 * the delta directory. That doesn't make sense
1371 * since the delta directory only exists to
1372 * record the differences to
1373 * <container-path>/<container-name>/rootfs. So
1374 * let's simply bind-mount here and then rsync
1376 * <container-path>/<container-name>/rootfs.
1380 src
= ovl_get_rootfs(bdev
->src
, &(size_t){0});
1382 ERROR("Failed to get rootfs");
1383 _exit(EXIT_FAILURE
);
1386 ret
= mount(src
, bdev
->dest
, "bind", MS_BIND
| MS_REC
, NULL
);
1388 ERROR("Failed to mount rootfs");
1389 _exit(EXIT_FAILURE
);
1392 ret
= bdev
->ops
->mount(bdev
);
1394 ERROR("Failed to mount rootfs");
1395 _exit(EXIT_FAILURE
);
1398 } else { /* TODO come up with a better way here! */
1401 src
= lxc_storage_get_path(bdev
->src
, bdev
->type
);
1402 bdev
->dest
= strdup(src
);
1405 /* Create our new array, pre-pend the template name and base
1409 for (nargs
= 0; argv
[nargs
]; nargs
++)
1412 /* template, path, rootfs and name args */
1415 newargv
= malloc(nargs
* sizeof(*newargv
));
1417 _exit(EXIT_FAILURE
);
1418 newargv
[0] = lxctemplatefilename(tpath
);
1421 len
= strlen(c
->config_path
) + strlen(c
->name
) + strlen("--path=") + 2;
1422 patharg
= malloc(len
);
1424 _exit(EXIT_FAILURE
);
1426 ret
= snprintf(patharg
, len
, "--path=%s/%s", c
->config_path
, c
->name
);
1427 if (ret
< 0 || ret
>= len
)
1428 _exit(EXIT_FAILURE
);
1429 newargv
[1] = patharg
;
1432 len
= strlen("--name=") + strlen(c
->name
) + 1;
1433 namearg
= malloc(len
);
1435 _exit(EXIT_FAILURE
);
1437 ret
= snprintf(namearg
, len
, "--name=%s", c
->name
);
1438 if (ret
< 0 || ret
>= len
)
1439 _exit(EXIT_FAILURE
);
1440 newargv
[2] = namearg
;
1443 len
= strlen("--rootfs=") + 1 + strlen(bdev
->dest
);
1444 rootfsarg
= malloc(len
);
1446 _exit(EXIT_FAILURE
);
1448 ret
= snprintf(rootfsarg
, len
, "--rootfs=%s", bdev
->dest
);
1449 if (ret
< 0 || ret
>= len
)
1450 _exit(EXIT_FAILURE
);
1451 newargv
[3] = rootfsarg
;
1453 /* add passed-in args */
1455 for (i
= 4; i
< nargs
; i
++)
1456 newargv
[i
] = argv
[i
- 4];
1458 /* add trailing NULL */
1460 newargv
= realloc(newargv
, nargs
* sizeof(*newargv
));
1462 _exit(EXIT_FAILURE
);
1463 newargv
[nargs
- 1] = NULL
;
1465 /* If we're running the template in a mapped userns, then we
1466 * prepend the template command with: lxc-usernsexec <-m map1>
1467 * ... <-m mapn> -- and we append "--mapped-uid x", where x is
1468 * the mapped uid for our geteuid()
1470 if (!lxc_list_empty(&conf
->id_map
)) {
1471 int extraargs
, hostuid_mapped
, hostgid_mapped
;
1473 char txtuid
[20], txtgid
[20];
1474 struct lxc_list
*it
;
1478 n2
= malloc(n2args
* sizeof(*n2
));
1480 _exit(EXIT_FAILURE
);
1483 tpath
= "lxc-usernsexec";
1484 n2
[0] = "lxc-usernsexec";
1486 lxc_list_for_each(it
, &conf
->id_map
) {
1489 n2
= realloc(n2
, n2args
* sizeof(char *));
1491 _exit(EXIT_FAILURE
);
1493 n2
[n2args
- 2] = "-m";
1494 n2
[n2args
- 1] = malloc(200);
1495 if (!n2
[n2args
- 1])
1496 _exit(EXIT_FAILURE
);
1498 ret
= snprintf(n2
[n2args
- 1], 200, "%c:%lu:%lu:%lu",
1499 map
->idtype
== ID_TYPE_UID
? 'u' : 'g',
1500 map
->nsid
, map
->hostid
, map
->range
);
1501 if (ret
< 0 || ret
>= 200)
1502 _exit(EXIT_FAILURE
);
1505 hostuid_mapped
= mapped_hostid(geteuid(), conf
, ID_TYPE_UID
);
1506 extraargs
= hostuid_mapped
>= 0 ? 1 : 3;
1508 n2
= realloc(n2
, (nargs
+ n2args
+ extraargs
) * sizeof(char *));
1510 _exit(EXIT_FAILURE
);
1512 if (hostuid_mapped
< 0) {
1513 hostuid_mapped
= find_unmapped_nsid(conf
, ID_TYPE_UID
);
1514 n2
[n2args
++] = "-m";
1515 if (hostuid_mapped
< 0) {
1516 ERROR("Failed to find free uid to map");
1517 _exit(EXIT_FAILURE
);
1520 n2
[n2args
++] = malloc(200);
1521 if (!n2
[n2args
- 1]) {
1522 SYSERROR("out of memory");
1523 _exit(EXIT_FAILURE
);
1526 ret
= snprintf(n2
[n2args
- 1], 200, "u:%d:%d:1",
1527 hostuid_mapped
, geteuid());
1528 if (ret
< 0 || ret
>= 200)
1529 _exit(EXIT_FAILURE
);
1532 hostgid_mapped
= mapped_hostid(getegid(), conf
, ID_TYPE_GID
);
1533 extraargs
= hostgid_mapped
>= 0 ? 1 : 3;
1535 n2
= realloc(n2
, (nargs
+ n2args
+ extraargs
) * sizeof(char *));
1537 _exit(EXIT_FAILURE
);
1539 if (hostgid_mapped
< 0) {
1540 hostgid_mapped
= find_unmapped_nsid(conf
, ID_TYPE_GID
);
1541 n2
[n2args
++] = "-m";
1542 if (hostgid_mapped
< 0) {
1543 ERROR("Failed to find free gid to map");
1544 _exit(EXIT_FAILURE
);
1547 n2
[n2args
++] = malloc(200);
1548 if (!n2
[n2args
- 1]) {
1549 SYSERROR("out of memory");
1550 _exit(EXIT_FAILURE
);
1553 ret
= snprintf(n2
[n2args
- 1], 200, "g:%d:%d:1",
1554 hostgid_mapped
, getegid());
1555 if (ret
< 0 || ret
>= 200)
1556 _exit(EXIT_FAILURE
);
1559 n2
[n2args
++] = "--";
1561 for (i
= 0; i
< nargs
; i
++)
1562 n2
[i
+ n2args
] = newargv
[i
];
1565 /* Finally add "--mapped-uid $uid" to tell template what
1566 * to chown cached images to.
1569 n2
= realloc(n2
, n2args
* sizeof(char *));
1571 _exit(EXIT_FAILURE
);
1573 /* note n2[n2args-1] is NULL */
1574 n2
[n2args
- 5] = "--mapped-uid";
1576 ret
= snprintf(txtuid
, 20, "%d", hostuid_mapped
);
1577 if (ret
< 0 || ret
>= 20) {
1580 _exit(EXIT_FAILURE
);
1583 n2
[n2args
- 4] = txtuid
;
1584 n2
[n2args
- 3] = "--mapped-gid";
1586 ret
= snprintf(txtgid
, 20, "%d", hostgid_mapped
);
1587 if (ret
< 0 || ret
>= 20) {
1590 _exit(EXIT_FAILURE
);
1593 n2
[n2args
- 2] = txtgid
;
1594 n2
[n2args
- 1] = NULL
;
1599 execvp(tpath
, newargv
);
1600 SYSERROR("Failed to execute template %s", tpath
);
1601 _exit(EXIT_FAILURE
);
1604 ret
= wait_for_pid(pid
);
1606 ERROR("Failed to create container from template");
1613 static bool prepend_lxc_header(char *path
, const char *t
, char *const argv
[])
1622 unsigned int md_len
= 0;
1623 unsigned char md_value
[EVP_MAX_MD_SIZE
];
1627 f
= fopen(path
, "re");
1631 ret
= fseek(f
, 0, SEEK_END
);
1640 ret
= fseek(f
, 0, SEEK_SET
);
1644 ret
= fseek(f
, 0, SEEK_SET
);
1649 contents
= malloc(flen
+ 1);
1653 len
= fread(contents
, 1, flen
, f
);
1655 goto out_free_contents
;
1657 contents
[flen
] = '\0';
1662 goto out_free_contents
;
1665 tpath
= get_template_path(t
);
1667 ERROR("Invalid template \"%s\" specified", t
);
1668 goto out_free_contents
;
1671 ret
= sha1sum_file(tpath
, md_value
, &md_len
);
1673 ERROR("Failed to get sha1sum of %s", tpath
);
1675 goto out_free_contents
;
1680 f
= fopen(path
, "we");
1682 SYSERROR("Reopening config for writing");
1687 fprintf(f
, "# Template used to create this container: %s\n", t
);
1689 fprintf(f
, "# Parameters passed to the template:");
1691 fprintf(f
, " %s", *argv
);
1698 fprintf(f
, "# Template script checksum (SHA-1): ");
1699 for (i
=0; i
<md_len
; i
++)
1700 fprintf(f
, "%02x", md_value
[i
]);
1703 fprintf(f
, "# For additional config options, please look at lxc.container.conf(5)\n");
1704 fprintf(f
, "\n# Uncomment the following line to support nesting containers:\n");
1705 fprintf(f
, "#lxc.include = " LXCTEMPLATECONFIG
"/nesting.conf\n");
1706 fprintf(f
, "# (Be aware this has security implications)\n\n");
1707 if (fwrite(contents
, 1, flen
, f
) != flen
) {
1708 SYSERROR("Writing original contents");
1728 SYSERROR("Error prepending header");
1735 static void lxcapi_clear_config(struct lxc_container
*c
)
1737 if (!c
|| !c
->lxc_conf
)
1740 lxc_conf_free(c
->lxc_conf
);
1744 #define do_lxcapi_clear_config(c) lxcapi_clear_config(c)
1748 * create a container with the given parameters.
1749 * @c: container to be created. It has the lxcpath, name, and a starting
1750 * configuration already set
1751 * @t: the template to execute to instantiate the root filesystem and
1752 * adjust the configuration.
1753 * @bdevtype: backing store type to use. If NULL, dir will be used.
1754 * @specs: additional parameters for the backing store, i.e. LVM vg to
1757 * @argv: the arguments to pass to the template, terminated by NULL. If no
1758 * arguments, you can just pass NULL.
1760 static bool do_lxcapi_create(struct lxc_container
*c
, const char *t
,
1761 const char *bdevtype
, struct bdev_specs
*specs
,
1762 int flags
, char *const argv
[])
1767 bool ret
= false, rootfs_managed
= true;
1774 tpath
= get_template_path(t
);
1776 ERROR("Unknown template \"%s\"", t
);
1781 /* If a template is passed in, and the rootfs already is defined in the
1782 * container config and exists, then the caller is trying to create an
1783 * existing container. Return an error, but do NOT delete the container.
1785 if (do_lxcapi_is_defined(c
) && c
->lxc_conf
&& c
->lxc_conf
->rootfs
.path
&&
1786 access(c
->lxc_conf
->rootfs
.path
, F_OK
) == 0 && tpath
) {
1787 ERROR("Container \"%s\" already exists in \"%s\"", c
->name
,
1793 if (!do_lxcapi_load_config(c
, lxc_global_config_value("lxc.default_config"))) {
1794 ERROR("Error loading default configuration file %s",
1795 lxc_global_config_value("lxc.default_config"));
1800 if (!create_container_dir(c
))
1803 if (c
->lxc_conf
->rootfs
.path
)
1804 rootfs_managed
= false;
1806 /* If both template and rootfs.path are set, template is setup as
1807 * rootfs.path. The container is already created if we have a config and
1808 * rootfs.path is accessible
1810 if (!c
->lxc_conf
->rootfs
.path
&& !tpath
) {
1811 /* No template passed in and rootfs does not exist. */
1812 if (!c
->save_config(c
, NULL
)) {
1813 ERROR("Failed to save initial config for \"%s\"", c
->name
);
1820 /* Rootfs passed into configuration, but does not exist. */
1821 if (c
->lxc_conf
->rootfs
.path
&& access(c
->lxc_conf
->rootfs
.path
, F_OK
) != 0)
1824 if (do_lxcapi_is_defined(c
) && c
->lxc_conf
->rootfs
.path
&& !tpath
) {
1825 /* Rootfs already existed, user just wanted to save the loaded
1828 if (!c
->save_config(c
, NULL
))
1829 ERROR("Failed to save initial config for \"%s\"", c
->name
);
1835 /* Mark that this container is being created */
1836 partial_fd
= create_partial(c
);
1840 /* No need to get disk lock bc we have the partial lock. */
1844 /* Create the storage.
1845 * Note we can't do this in the same task as we use to execute the
1846 * template because of the way zfs works.
1847 * After you 'zfs create', zfs mounts the fs only in the initial
1852 SYSERROR("Failed to fork task for container creation template");
1856 if (pid
== 0) { /* child */
1857 struct lxc_storage
*bdev
= NULL
;
1859 bdev
= do_storage_create(c
, bdevtype
, specs
);
1861 ERROR("Failed to create %s storage for %s",
1862 bdevtype
? bdevtype
: "(none)", c
->name
);
1863 _exit(EXIT_FAILURE
);
1866 /* Save config file again to store the new rootfs location. */
1867 if (!do_lxcapi_save_config(c
, NULL
)) {
1868 ERROR("Failed to save initial config for %s", c
->name
);
1869 /* Parent task won't see the storage driver in the
1870 * config so we delete it.
1872 bdev
->ops
->umount(bdev
);
1873 bdev
->ops
->destroy(bdev
);
1874 _exit(EXIT_FAILURE
);
1877 _exit(EXIT_SUCCESS
);
1880 if (wait_for_pid(pid
) != 0)
1883 /* Reload config to get the rootfs. */
1884 lxc_conf_free(c
->lxc_conf
);
1887 if (!load_config_locked(c
, c
->configfile
))
1890 if (!create_run_template(c
, tpath
, !!(flags
& LXC_CREATE_QUIET
), argv
))
1893 /* Now clear out the lxc_conf we have, reload from the created
1896 do_lxcapi_clear_config(c
);
1899 if (!prepend_lxc_header(c
->configfile
, tpath
, argv
)) {
1900 ERROR("Failed to prepend header to config file");
1905 ret
= load_config_locked(c
, c
->configfile
);
1909 remove_partial(c
, partial_fd
);
1913 bool reset_managed
= c
->lxc_conf
->rootfs
.managed
;
1916 * Ensure that we don't destroy storage we didn't create
1919 if (!rootfs_managed
)
1920 c
->lxc_conf
->rootfs
.managed
= false;
1921 container_destroy(c
, NULL
);
1922 c
->lxc_conf
->rootfs
.managed
= reset_managed
;
1930 static bool lxcapi_create(struct lxc_container
*c
, const char *t
,
1931 const char *bdevtype
, struct bdev_specs
*specs
,
1932 int flags
, char *const argv
[])
1936 current_config
= c
? c
->lxc_conf
: NULL
;
1938 ret
= do_lxcapi_create(c
, t
, bdevtype
, specs
, flags
, argv
);
1939 current_config
= NULL
;
1943 static bool do_lxcapi_reboot(struct lxc_container
*c
)
1945 __do_close
int pidfd
= -EBADF
;
1948 int rebootsignal
= SIGINT
;
1953 if (!do_lxcapi_is_running(c
))
1956 pidfd
= do_lxcapi_init_pidfd(c
);
1958 pid
= do_lxcapi_init_pid(c
);
1963 if (c
->lxc_conf
&& c
->lxc_conf
->rebootsignal
)
1964 rebootsignal
= c
->lxc_conf
->rebootsignal
;
1967 ret
= lxc_raw_pidfd_send_signal(pidfd
, rebootsignal
, NULL
, 0);
1969 ret
= kill(pid
, rebootsignal
);
1971 return log_warn(false, "Failed to send signal %d to pid %d",
1977 WRAP_API(bool, lxcapi_reboot
)
1979 static bool do_lxcapi_reboot2(struct lxc_container
*c
, int timeout
)
1981 __do_close
int pidfd
= -EBADF
, state_client_fd
= -EBADF
;
1982 int rebootsignal
= SIGINT
;
1984 lxc_state_t states
[MAX_STATE
] = {0};
1990 if (!do_lxcapi_is_running(c
))
1993 pidfd
= do_lxcapi_init_pidfd(c
);
1995 pid
= do_lxcapi_init_pid(c
);
2000 if (c
->lxc_conf
&& c
->lxc_conf
->rebootsignal
)
2001 rebootsignal
= c
->lxc_conf
->rebootsignal
;
2003 /* Add a new state client before sending the shutdown signal so that we
2004 * don't miss a state.
2007 states
[RUNNING
] = 2;
2008 ret
= lxc_cmd_add_state_client(c
->name
, c
->config_path
, states
,
2013 if (state_client_fd
< 0)
2019 if (ret
< MAX_STATE
)
2023 /* Send reboot signal to container. */
2025 killret
= lxc_raw_pidfd_send_signal(pidfd
, rebootsignal
, NULL
, 0);
2027 killret
= kill(pid
, rebootsignal
);
2029 return log_warn(false, "Failed to send signal %d to pid %d", rebootsignal
, pid
);
2030 TRACE("Sent signal %d to pid %d", rebootsignal
, pid
);
2035 ret
= lxc_cmd_sock_rcv_state(state_client_fd
, timeout
);
2039 TRACE("Received state \"%s\"", lxc_state2str(ret
));
2046 WRAP_API_1(bool, lxcapi_reboot2
, int)
2048 static bool do_lxcapi_shutdown(struct lxc_container
*c
, int timeout
)
2050 __do_close
int pidfd
= -EBADF
, state_client_fd
= -EBADF
;
2051 int haltsignal
= SIGPWR
;
2053 lxc_state_t states
[MAX_STATE
] = {0};
2059 if (!do_lxcapi_is_running(c
))
2062 pidfd
= do_lxcapi_init_pidfd(c
);
2063 pid
= do_lxcapi_init_pid(c
);
2067 /* Detect whether we should send SIGRTMIN + 3 (e.g. systemd). */
2068 if (c
->lxc_conf
&& c
->lxc_conf
->haltsignal
)
2069 haltsignal
= c
->lxc_conf
->haltsignal
;
2070 else if (task_blocks_signal(pid
, (SIGRTMIN
+ 3)))
2071 haltsignal
= (SIGRTMIN
+ 3);
2075 * Add a new state client before sending the shutdown signal so
2076 * that we don't miss a state.
2079 states
[STOPPED
] = 1;
2080 ret
= lxc_cmd_add_state_client(c
->name
, c
->config_path
, states
,
2085 if (state_client_fd
< 0)
2091 if (ret
< MAX_STATE
)
2096 struct pollfd pidfd_poll
= {
2101 killret
= lxc_raw_pidfd_send_signal(pidfd
, haltsignal
,
2104 return log_warn(false, "Failed to send signal %d to pidfd %d",
2107 TRACE("Sent signal %d to pidfd %d", haltsignal
, pidfd
);
2110 * No need for going through all of the state server
2111 * complications anymore. We can just poll on pidfds. :)
2115 ret
= poll(&pidfd_poll
, 1, timeout
* 1000);
2116 if (ret
< 0 || !(pidfd_poll
.revents
& POLLIN
))
2119 TRACE("Pidfd polling detected container exit");
2122 killret
= kill(pid
, haltsignal
);
2124 return log_warn(false, "Failed to send signal %d to pid %d",
2127 TRACE("Sent signal %d to pid %d", haltsignal
, pid
);
2133 ret
= lxc_cmd_sock_rcv_state(state_client_fd
, timeout
);
2137 TRACE("Received state \"%s\"", lxc_state2str(ret
));
2144 WRAP_API_1(bool, lxcapi_shutdown
, int)
2146 static bool lxcapi_createl(struct lxc_container
*c
, const char *t
,
2147 const char *bdevtype
, struct bdev_specs
*specs
, int flags
, ...)
2156 current_config
= c
->lxc_conf
;
2159 * since we're going to wait for create to finish, I don't think we
2160 * need to get a copy of the arguments.
2162 va_start(ap
, flags
);
2163 args
= lxc_va_arg_list_to_argv(ap
, 0, 0);
2166 ERROR("Failed to allocate memory");
2170 bret
= do_lxcapi_create(c
, t
, bdevtype
, specs
, flags
, args
);
2174 current_config
= NULL
;
2178 static void do_clear_unexp_config_line(struct lxc_conf
*conf
, const char *key
)
2180 if (!strcmp(key
, "lxc.cgroup"))
2181 return clear_unexp_config_line(conf
, key
, true);
2183 if (!strcmp(key
, "lxc.network"))
2184 return clear_unexp_config_line(conf
, key
, true);
2186 if (!strcmp(key
, "lxc.net"))
2187 return clear_unexp_config_line(conf
, key
, true);
2189 /* Clear a network with a specific index. */
2190 if (!strncmp(key
, "lxc.net.", 8)) {
2195 ret
= lxc_safe_uint(idx
, &(unsigned int){0});
2197 return clear_unexp_config_line(conf
, key
, true);
2200 if (!strcmp(key
, "lxc.hook"))
2201 return clear_unexp_config_line(conf
, key
, true);
2203 return clear_unexp_config_line(conf
, key
, false);
2206 static bool do_lxcapi_clear_config_item(struct lxc_container
*c
,
2210 struct lxc_config_t
*config
;
2212 if (!c
|| !c
->lxc_conf
)
2215 if (container_mem_lock(c
))
2218 config
= lxc_get_config(key
);
2219 /* Verify that the config key exists and that it has a callback
2222 if (config
&& config
->clr
)
2223 ret
= config
->clr(key
, c
->lxc_conf
, NULL
);
2226 do_clear_unexp_config_line(c
->lxc_conf
, key
);
2228 container_mem_unlock(c
);
2232 WRAP_API_1(bool, lxcapi_clear_config_item
, const char *)
2234 static inline bool enter_net_ns(struct lxc_container
*c
)
2236 pid_t pid
= do_lxcapi_init_pid(c
);
2241 if ((geteuid() != 0 || (c
->lxc_conf
&& !lxc_list_empty(&c
->lxc_conf
->id_map
))) &&
2242 (access("/proc/self/ns/user", F_OK
) == 0))
2243 if (!switch_to_ns(pid
, "user"))
2246 return switch_to_ns(pid
, "net");
2249 /* Used by qsort and bsearch functions for comparing names. */
2250 static inline int string_cmp(char **first
, char **second
)
2252 return strcmp(*first
, *second
);
2255 /* Used by qsort and bsearch functions for comparing container names. */
2256 static inline int container_cmp(struct lxc_container
**first
,
2257 struct lxc_container
**second
)
2259 return strcmp((*first
)->name
, (*second
)->name
);
2262 static bool add_to_array(char ***names
, char *cname
, int pos
)
2264 char **newnames
= realloc(*names
, (pos
+1) * sizeof(char *));
2266 ERROR("Out of memory");
2271 newnames
[pos
] = strdup(cname
);
2275 /* Sort the array as we will use binary search on it. */
2276 qsort(newnames
, pos
+ 1, sizeof(char *),
2277 (int (*)(const void *, const void *))string_cmp
);
2282 static bool add_to_clist(struct lxc_container
***list
, struct lxc_container
*c
,
2285 struct lxc_container
**newlist
= realloc(*list
, (pos
+ 1) * sizeof(struct lxc_container
*));
2287 ERROR("Out of memory");
2294 /* Sort the array as we will use binary search on it. */
2296 qsort(newlist
, pos
+ 1, sizeof(struct lxc_container
*),
2297 (int (*)(const void *, const void *))container_cmp
);
2302 static char** get_from_array(char ***names
, char *cname
, int size
)
2304 return (char **)bsearch(&cname
, *names
, size
, sizeof(char *), (int (*)(const void *, const void *))string_cmp
);
2307 static bool array_contains(char ***names
, char *cname
, int size
)
2309 if(get_from_array(names
, cname
, size
) != NULL
)
2315 static bool remove_from_array(char ***names
, char *cname
, int size
)
2317 char **result
= get_from_array(names
, cname
, size
);
2318 if (result
!= NULL
) {
2326 static char **do_lxcapi_get_interfaces(struct lxc_container
*c
)
2329 int i
, count
= 0, pipefd
[2];
2330 char **interfaces
= NULL
;
2331 char interface
[IFNAMSIZ
];
2333 if (pipe2(pipefd
, O_CLOEXEC
) < 0)
2338 SYSERROR("Failed to fork task to get interfaces information");
2344 if (pid
== 0) { /* child */
2345 int ret
= 1, nbytes
;
2346 struct netns_ifaddrs
*interfaceArray
= NULL
, *tempIfAddr
= NULL
;
2348 /* close the read-end of the pipe */
2351 if (!enter_net_ns(c
)) {
2352 SYSERROR("Failed to enter network namespace");
2356 /* Grab the list of interfaces */
2357 if (netns_getifaddrs(&interfaceArray
, -1, &(bool){false})) {
2358 SYSERROR("Failed to get interfaces list");
2362 /* Iterate through the interfaces */
2363 for (tempIfAddr
= interfaceArray
; tempIfAddr
!= NULL
;
2364 tempIfAddr
= tempIfAddr
->ifa_next
) {
2365 nbytes
= lxc_write_nointr(pipefd
[1], tempIfAddr
->ifa_name
, IFNAMSIZ
);
2376 netns_freeifaddrs(interfaceArray
);
2378 /* close the write-end of the pipe, thus sending EOF to the reader */
2383 /* close the write-end of the pipe */
2386 while (lxc_read_nointr(pipefd
[0], &interface
, IFNAMSIZ
) == IFNAMSIZ
) {
2387 interface
[IFNAMSIZ
- 1] = '\0';
2389 if (array_contains(&interfaces
, interface
, count
))
2392 if (!add_to_array(&interfaces
, interface
, count
))
2393 ERROR("Failed to add \"%s\" to array", interface
);
2398 if (wait_for_pid(pid
) != 0) {
2399 for (i
= 0; i
< count
; i
++)
2400 free(interfaces
[i
]);
2406 /* close the read-end of the pipe */
2409 /* Append NULL to the array */
2411 interfaces
= (char **)lxc_append_null_to_array((void **)interfaces
, count
);
2416 WRAP_API(char **, lxcapi_get_interfaces
)
2418 static char **do_lxcapi_get_ips(struct lxc_container
*c
, const char *interface
,
2419 const char *family
, int scope
)
2424 char address
[INET6_ADDRSTRLEN
];
2426 char **addresses
= NULL
;
2428 ret
= pipe2(pipefd
, O_CLOEXEC
);
2430 SYSERROR("Failed to create pipe");
2436 SYSERROR("Failed to create new process");
2444 char addressOutputBuffer
[INET6_ADDRSTRLEN
];
2445 char *address_ptr
= NULL
;
2446 void *tempAddrPtr
= NULL
;
2447 struct netns_ifaddrs
*interfaceArray
= NULL
, *tempIfAddr
= NULL
;
2449 /* close the read-end of the pipe */
2452 if (!enter_net_ns(c
)) {
2453 SYSERROR("Failed to attach to network namespace");
2457 /* Grab the list of interfaces */
2458 if (netns_getifaddrs(&interfaceArray
, -1, &(bool){false})) {
2459 SYSERROR("Failed to get interfaces list");
2463 /* Iterate through the interfaces */
2464 for (tempIfAddr
= interfaceArray
; tempIfAddr
;
2465 tempIfAddr
= tempIfAddr
->ifa_next
) {
2466 if (tempIfAddr
->ifa_addr
== NULL
)
2469 #pragma GCC diagnostic push
2470 #pragma GCC diagnostic ignored "-Wcast-align"
2472 if (tempIfAddr
->ifa_addr
->sa_family
== AF_INET
) {
2473 if (family
&& strcmp(family
, "inet"))
2476 tempAddrPtr
= &((struct sockaddr_in
*)tempIfAddr
->ifa_addr
)->sin_addr
;
2478 if (family
&& strcmp(family
, "inet6"))
2481 if (((struct sockaddr_in6
*)tempIfAddr
->ifa_addr
)->sin6_scope_id
!= scope
)
2484 tempAddrPtr
= &((struct sockaddr_in6
*)tempIfAddr
->ifa_addr
)->sin6_addr
;
2487 #pragma GCC diagnostic pop
2489 if (interface
&& strcmp(interface
, tempIfAddr
->ifa_name
))
2491 else if (!interface
&& strcmp("lo", tempIfAddr
->ifa_name
) == 0)
2494 address_ptr
= (char *)inet_ntop(tempIfAddr
->ifa_addr
->sa_family
,
2495 tempAddrPtr
, addressOutputBuffer
,
2496 sizeof(addressOutputBuffer
));
2500 nbytes
= lxc_write_nointr(pipefd
[1], address_ptr
, INET6_ADDRSTRLEN
);
2501 if (nbytes
!= INET6_ADDRSTRLEN
) {
2502 SYSERROR("Failed to send ipv6 address \"%s\"",
2514 netns_freeifaddrs(interfaceArray
);
2516 /* close the write-end of the pipe, thus sending EOF to the reader */
2521 /* close the write-end of the pipe */
2524 while (lxc_read_nointr(pipefd
[0], &address
, INET6_ADDRSTRLEN
) == INET6_ADDRSTRLEN
) {
2525 address
[INET6_ADDRSTRLEN
- 1] = '\0';
2527 if (!add_to_array(&addresses
, address
, count
))
2528 ERROR("PARENT: add_to_array failed");
2533 if (wait_for_pid(pid
) != 0) {
2534 for (i
= 0; i
< count
; i
++)
2541 /* close the read-end of the pipe */
2544 /* Append NULL to the array */
2546 addresses
= (char **)lxc_append_null_to_array((void **)addresses
, count
);
2551 WRAP_API_3(char **, lxcapi_get_ips
, const char *, const char *, int)
2553 static int do_lxcapi_get_config_item(struct lxc_container
*c
, const char *key
, char *retv
, int inlen
)
2556 struct lxc_config_t
*config
;
2558 if (!c
|| !c
->lxc_conf
)
2561 if (container_mem_lock(c
))
2564 config
= lxc_get_config(key
);
2565 /* Verify that the config key exists and that it has a callback
2568 if (config
&& config
->get
)
2569 ret
= config
->get(key
, retv
, inlen
, c
->lxc_conf
, NULL
);
2571 container_mem_unlock(c
);
2575 WRAP_API_3(int, lxcapi_get_config_item
, const char *, char *, int)
2577 static char* do_lxcapi_get_running_config_item(struct lxc_container
*c
, const char *key
)
2581 if (!c
|| !c
->lxc_conf
)
2584 if (container_mem_lock(c
))
2587 ret
= lxc_cmd_get_config_item(c
->name
, key
, do_lxcapi_get_config_path(c
));
2588 container_mem_unlock(c
);
2592 WRAP_API_1(char *, lxcapi_get_running_config_item
, const char *)
2594 static int do_lxcapi_get_keys(struct lxc_container
*c
, const char *key
, char *retv
, int inlen
)
2598 /* List all config items. */
2600 return lxc_list_config_items(retv
, inlen
);
2602 if (!c
|| !c
->lxc_conf
)
2605 if (container_mem_lock(c
))
2608 /* Support 'lxc.net.<idx>', i.e. 'lxc.net.0'
2609 * This is an intelligent result to show which keys are valid given the
2610 * type of nic it is.
2612 if (strncmp(key
, "lxc.net.", 8) == 0)
2613 ret
= lxc_list_net(c
->lxc_conf
, key
, retv
, inlen
);
2615 ret
= lxc_list_subkeys(c
->lxc_conf
, key
, retv
, inlen
);
2617 container_mem_unlock(c
);
2621 WRAP_API_3(int, lxcapi_get_keys
, const char *, char *, int)
2623 static bool do_lxcapi_save_config(struct lxc_container
*c
, const char *alt_file
)
2626 bool ret
= false, need_disklock
= false;
2629 alt_file
= c
->configfile
;
2634 /* If we haven't yet loaded a config, load the stock config. */
2636 if (!do_lxcapi_load_config(c
, lxc_global_config_value("lxc.default_config"))) {
2637 ERROR("Error loading default configuration file %s "
2639 lxc_global_config_value("lxc.default_config"),
2645 if (!create_container_dir(c
))
2648 /* If we're writing to the container's config file, take the disk lock.
2649 * Otherwise just take the memlock to protect the struct lxc_container
2650 * while we're traversing it.
2652 if (strcmp(c
->configfile
, alt_file
) == 0)
2653 need_disklock
= true;
2656 lret
= container_disk_lock(c
);
2658 lret
= container_mem_lock(c
);
2662 fd
= open(alt_file
, O_WRONLY
| O_CREAT
| O_TRUNC
| O_CLOEXEC
,
2663 S_IRUSR
| S_IWUSR
| S_IRGRP
| S_IWGRP
);
2667 lret
= write_config(fd
, c
->lxc_conf
);
2676 container_disk_unlock(c
);
2678 container_mem_unlock(c
);
2683 WRAP_API_1(bool, lxcapi_save_config
, const char *)
2686 static bool mod_rdep(struct lxc_container
*c0
, struct lxc_container
*c
, bool inc
)
2692 char path
[PATH_MAX
];
2693 char newpath
[PATH_MAX
];
2694 int fd
, ret
, n
= 0, v
= 0;
2696 size_t len
= 0, bytes
= 0;
2698 if (container_disk_lock(c0
))
2701 ret
= snprintf(path
, PATH_MAX
, "%s/%s/lxc_snapshots", c0
->config_path
, c0
->name
);
2702 if (ret
< 0 || ret
> PATH_MAX
)
2705 ret
= snprintf(newpath
, PATH_MAX
, "%s\n%s\n", c
->config_path
, c
->name
);
2706 if (ret
< 0 || ret
> PATH_MAX
)
2709 /* If we find an lxc-snapshot file using the old format only listing the
2710 * number of snapshots we will keep using it. */
2711 f1
= fopen(path
, "re");
2713 n
= fscanf(f1
, "%d", &v
);
2715 if (n
== 1 && v
== 0) {
2718 SYSERROR("Failed to remove \"%s\"", path
);
2726 f1
= fopen(path
, "we");
2730 if (fprintf(f1
, "%d\n", v
) < 0) {
2731 ERROR("Error writing new snapshots value");
2738 SYSERROR("Error writing to or closing snapshots file");
2742 /* Here we know that we have or can use an lxc-snapshot file
2743 * using the new format. */
2745 f1
= fopen(path
, "ae");
2749 if (fprintf(f1
, "%s", newpath
) < 0) {
2750 ERROR("Error writing new snapshots entry");
2753 SYSERROR("Error writing to or closing snapshots file");
2759 SYSERROR("Error writing to or closing snapshots file");
2763 if ((fd
= open(path
, O_RDWR
| O_CLOEXEC
)) < 0)
2766 if (fstat(fd
, &fbuf
) < 0) {
2771 if (fbuf
.st_size
!= 0) {
2772 buf
= lxc_strmmap(NULL
, fbuf
.st_size
, PROT_READ
| PROT_WRITE
, MAP_SHARED
, fd
, 0);
2773 if (buf
== MAP_FAILED
) {
2774 SYSERROR("Failed to create mapping %s", path
);
2779 len
= strlen(newpath
);
2780 while ((del
= strstr((char *)buf
, newpath
))) {
2781 memmove(del
, del
+ len
, strlen(del
) - len
+ 1);
2785 lxc_strmunmap(buf
, fbuf
.st_size
);
2786 if (ftruncate(fd
, fbuf
.st_size
- bytes
) < 0) {
2787 SYSERROR("Failed to truncate file %s", path
);
2796 /* If the lxc-snapshot file is empty, remove it. */
2797 if (stat(path
, &fbuf
) < 0)
2800 if (!fbuf
.st_size
) {
2803 SYSERROR("Failed to remove \"%s\"", path
);
2810 container_disk_unlock(c0
);
2814 void mod_all_rdeps(struct lxc_container
*c
, bool inc
)
2816 __do_free
char *lxcpath
= NULL
, *lxcname
= NULL
;
2817 __do_fclose
FILE *f
= NULL
;
2818 size_t pathlen
= 0, namelen
= 0;
2819 struct lxc_container
*p
;
2820 char path
[PATH_MAX
];
2823 ret
= snprintf(path
, PATH_MAX
, "%s/%s/lxc_rdepends",
2824 c
->config_path
, c
->name
);
2825 if (ret
< 0 || ret
>= PATH_MAX
) {
2826 ERROR("Path name too long");
2830 f
= fopen(path
, "re");
2834 while (getline(&lxcpath
, &pathlen
, f
) != -1) {
2835 if (getline(&lxcname
, &namelen
, f
) == -1) {
2836 ERROR("badly formatted file %s", path
);
2840 remove_trailing_newlines(lxcpath
);
2841 remove_trailing_newlines(lxcname
);
2843 if ((p
= lxc_container_new(lxcname
, lxcpath
)) == NULL
) {
2844 ERROR("Unable to find dependent container %s:%s",
2849 if (!mod_rdep(p
, c
, inc
))
2850 ERROR("Failed to update snapshots file for %s:%s",
2853 lxc_container_put(p
);
2857 static bool has_fs_snapshots(struct lxc_container
*c
)
2859 __do_fclose
FILE *f
= NULL
;
2860 char path
[PATH_MAX
];
2864 ret
= snprintf(path
, PATH_MAX
, "%s/%s/lxc_snapshots", c
->config_path
,
2866 if (ret
< 0 || ret
> PATH_MAX
)
2869 /* If the file doesn't exist there are no snapshots. */
2870 if (stat(path
, &fbuf
) < 0)
2875 f
= fopen(path
, "re");
2879 ret
= fscanf(f
, "%d", &v
);
2881 INFO("Container uses new lxc-snapshots format %s", path
);
2887 static bool has_snapshots(struct lxc_container
*c
)
2889 __do_closedir
DIR *dir
= NULL
;
2890 char path
[PATH_MAX
];
2891 struct dirent
*direntp
;
2894 if (!get_snappath_dir(c
, path
))
2897 dir
= opendir(path
);
2901 while ((direntp
= readdir(dir
))) {
2902 if (!strcmp(direntp
->d_name
, "."))
2905 if (!strcmp(direntp
->d_name
, ".."))
2914 static bool do_destroy_container(struct lxc_conf
*conf
) {
2917 if (am_guest_unpriv()) {
2918 ret
= userns_exec_full(conf
, storage_destroy_wrapper
, conf
,
2919 "storage_destroy_wrapper");
2926 return storage_destroy(conf
);
2929 static int lxc_rmdir_onedev_wrapper(void *data
)
2931 char *arg
= (char *) data
;
2932 return lxc_rmdir_onedev(arg
, "snaps");
2935 static int lxc_unlink_exec_wrapper(void *data
)
2941 static bool container_destroy(struct lxc_container
*c
,
2942 struct lxc_storage
*storage
)
2946 struct lxc_conf
*conf
;
2951 if (!c
|| !do_lxcapi_is_defined(c
))
2955 if (container_disk_lock(c
))
2958 if (!is_stopped(c
)) {
2959 /* We should queue some sort of error - in c->error_string? */
2960 ERROR("container %s is not stopped", c
->name
);
2964 if (conf
&& !lxc_list_empty(&conf
->hooks
[LXCHOOK_DESTROY
])) {
2965 /* Start of environment variable setup for hooks */
2966 if (setenv("LXC_NAME", c
->name
, 1))
2967 SYSERROR("Failed to set environment variable for container name");
2969 if (conf
->rcfile
&& setenv("LXC_CONFIG_FILE", conf
->rcfile
, 1))
2970 SYSERROR("Failed to set environment variable for config path");
2972 if (conf
->rootfs
.mount
&& setenv("LXC_ROOTFS_MOUNT", conf
->rootfs
.mount
, 1))
2973 SYSERROR("Failed to set environment variable for rootfs mount");
2975 if (conf
->rootfs
.path
&& setenv("LXC_ROOTFS_PATH", conf
->rootfs
.path
, 1))
2976 SYSERROR("Failed to set environment variable for rootfs mount");
2978 if (conf
->console
.path
&& setenv("LXC_CONSOLE", conf
->console
.path
, 1))
2979 SYSERROR("Failed to set environment variable for console path");
2981 if (conf
->console
.log_path
&& setenv("LXC_CONSOLE_LOGPATH", conf
->console
.log_path
, 1))
2982 SYSERROR("Failed to set environment variable for console log");
2983 /* End of environment variable setup for hooks */
2985 if (run_lxc_hooks(c
->name
, "destroy", conf
, NULL
)) {
2986 ERROR("Failed to execute clone hook for \"%s\"", c
->name
);
2991 if (current_config
&& conf
== current_config
) {
2992 current_config
= NULL
;
2994 if (conf
->logfd
!= -1) {
3000 /* LXC is not managing the storage of the container. */
3001 if (conf
&& !conf
->rootfs
.managed
)
3004 if (conf
&& conf
->rootfs
.path
&& conf
->rootfs
.mount
) {
3005 if (!do_destroy_container(conf
)) {
3006 ERROR("Error destroying rootfs for %s", c
->name
);
3009 INFO("Destroyed rootfs for %s", c
->name
);
3012 mod_all_rdeps(c
, false);
3014 p1
= do_lxcapi_get_config_path(c
);
3023 * strlen("config") = 6
3027 len
= strlen(p1
) + 1 + strlen(c
->name
) + 1 + strlen(LXC_CONFIG_FNAME
) + 1;
3030 ERROR("Failed to allocate memory");
3034 /* For an overlay container the rootfs is considered immutable and
3035 * cannot be removed when restoring from a snapshot.
3037 if (storage
&& (!strcmp(storage
->type
, "overlay") ||
3038 !strcmp(storage
->type
, "overlayfs")) &&
3039 (storage
->flags
& LXC_STORAGE_INTERNAL_OVERLAY_RESTORE
)) {
3040 ret
= snprintf(path
, len
, "%s/%s/%s", p1
, c
->name
, LXC_CONFIG_FNAME
);
3041 if (ret
< 0 || (size_t)ret
>= len
)
3044 if (am_guest_unpriv())
3045 ret
= userns_exec_1(conf
, lxc_unlink_exec_wrapper
, path
,
3046 "lxc_unlink_exec_wrapper");
3050 SYSERROR("Failed to destroy config file \"%s\" for \"%s\"",
3054 INFO("Destroyed config file \"%s\" for \"%s\"", path
, c
->name
);
3060 ret
= snprintf(path
, len
, "%s/%s", p1
, c
->name
);
3061 if (ret
< 0 || (size_t)ret
>= len
)
3064 if (am_guest_unpriv())
3065 ret
= userns_exec_full(conf
, lxc_rmdir_onedev_wrapper
, path
,
3066 "lxc_rmdir_onedev_wrapper");
3068 ret
= lxc_rmdir_onedev(path
, "snaps");
3070 ERROR("Failed to destroy directory \"%s\" for \"%s\"", path
,
3074 INFO("Destroyed directory \"%s\" for \"%s\"", path
, c
->name
);
3083 container_disk_unlock(c
);
3087 static bool do_lxcapi_destroy(struct lxc_container
*c
)
3089 if (!c
|| !lxcapi_is_defined(c
))
3092 if (c
->lxc_conf
&& c
->lxc_conf
->rootfs
.managed
) {
3093 if (has_snapshots(c
)) {
3094 ERROR("Container %s has snapshots; not removing", c
->name
);
3098 if (has_fs_snapshots(c
)) {
3099 ERROR("container %s has snapshots on its rootfs", c
->name
);
3104 return container_destroy(c
, NULL
);
3107 WRAP_API(bool, lxcapi_destroy
)
3109 static bool do_lxcapi_destroy_with_snapshots(struct lxc_container
*c
)
3111 if (!c
|| !lxcapi_is_defined(c
))
3114 if (!lxcapi_snapshot_destroy_all(c
)) {
3115 ERROR("Error deleting all snapshots");
3119 return lxcapi_destroy(c
);
3122 WRAP_API(bool, lxcapi_destroy_with_snapshots
)
3124 int lxc_set_config_item_locked(struct lxc_conf
*conf
, const char *key
,
3128 struct lxc_config_t
*config
;
3131 config
= lxc_get_config(key
);
3135 ret
= config
->set(key
, v
, conf
, NULL
);
3139 if (lxc_config_value_empty(v
))
3140 do_clear_unexp_config_line(conf
, key
);
3142 bret
= do_append_unexp_config_line(conf
, key
, v
);
3149 static bool do_set_config_item_locked(struct lxc_container
*c
, const char *key
,
3155 c
->lxc_conf
= lxc_conf_init();
3160 ret
= lxc_set_config_item_locked(c
->lxc_conf
, key
, v
);
3167 static bool do_lxcapi_set_config_item(struct lxc_container
*c
, const char *key
, const char *v
)
3174 if (container_mem_lock(c
))
3177 b
= do_set_config_item_locked(c
, key
, v
);
3179 container_mem_unlock(c
);
3183 WRAP_API_2(bool, lxcapi_set_config_item
, const char *, const char *)
3185 static char *lxcapi_config_file_name(struct lxc_container
*c
)
3187 if (!c
|| !c
->configfile
)
3190 return strdup(c
->configfile
);
3193 static const char *lxcapi_get_config_path(struct lxc_container
*c
)
3195 if (!c
|| !c
->config_path
)
3198 return (const char *)(c
->config_path
);
3203 * Just recalculate the c->configfile based on the
3204 * c->config_path, which must be set.
3205 * The lxc_container must be locked or not yet public.
3207 static bool set_config_filename(struct lxc_container
*c
)
3212 if (!c
->config_path
)
3215 /* $lxc_path + "/" + c->name + "/" + "config" + '\0' */
3216 len
= strlen(c
->config_path
) + 1 + strlen(c
->name
) + 1 + strlen(LXC_CONFIG_FNAME
) + 1;
3217 newpath
= malloc(len
);
3221 ret
= snprintf(newpath
, len
, "%s/%s/%s", c
->config_path
, c
->name
, LXC_CONFIG_FNAME
);
3222 if (ret
< 0 || ret
>= len
) {
3223 fprintf(stderr
, "Error printing out config file name\n");
3228 free(c
->configfile
);
3229 c
->configfile
= newpath
;
3234 static bool do_lxcapi_set_config_path(struct lxc_container
*c
, const char *path
)
3238 char *oldpath
= NULL
;
3243 if (container_mem_lock(c
))
3248 ERROR("Out of memory setting new lxc path");
3254 oldpath
= c
->config_path
;
3257 /* Since we've changed the config path, we have to change the
3258 * config file name too */
3259 if (!set_config_filename(c
)) {
3260 ERROR("Out of memory setting new config filename");
3262 free(c
->config_path
);
3263 c
->config_path
= oldpath
;
3269 container_mem_unlock(c
);
3273 WRAP_API_1(bool, lxcapi_set_config_path
, const char *)
3275 static bool do_lxcapi_set_cgroup_item(struct lxc_container
*c
, const char *subsys
, const char *value
)
3277 call_cleaner(cgroup_exit
) struct cgroup_ops
*cgroup_ops
= NULL
;
3285 cgroup_ops
= cgroup_init(c
->lxc_conf
);
3289 return cgroup_ops
->set(cgroup_ops
, subsys
, value
, c
->name
,
3290 c
->config_path
) == 0;
3293 WRAP_API_2(bool, lxcapi_set_cgroup_item
, const char *, const char *)
3295 static int do_lxcapi_get_cgroup_item(struct lxc_container
*c
, const char *subsys
, char *retv
, int inlen
)
3297 call_cleaner(cgroup_exit
) struct cgroup_ops
*cgroup_ops
= NULL
;
3305 cgroup_ops
= cgroup_init(c
->lxc_conf
);
3309 return cgroup_ops
->get(cgroup_ops
, subsys
, retv
, inlen
, c
->name
,
3313 WRAP_API_3(int, lxcapi_get_cgroup_item
, const char *, char *, int)
3315 const char *lxc_get_global_config_item(const char *key
)
3317 return lxc_global_config_value(key
);
3320 const char *lxc_get_version(void)
3325 static int copy_file(const char *old
, const char *new)
3332 if (file_exists(new)) {
3333 ERROR("copy destination %s exists", new);
3337 ret
= stat(old
, &sbuf
);
3339 INFO("Error stat'ing %s", old
);
3343 in
= open(old
, O_RDONLY
);
3345 SYSERROR("Error opening original file %s", old
);
3349 out
= open(new, O_CREAT
| O_EXCL
| O_WRONLY
, 0644);
3351 SYSERROR("Error opening new file %s", new);
3357 len
= lxc_read_nointr(in
, buf
, 8096);
3359 SYSERROR("Error reading old file %s", old
);
3366 ret
= lxc_write_nointr(out
, buf
, len
);
3367 if (ret
< len
) { /* should we retry? */
3368 SYSERROR("Error: write to new file %s was interrupted", new);
3376 /* We set mode, but not owner/group. */
3377 ret
= chmod(new, sbuf
.st_mode
);
3379 SYSERROR("Error setting mode on %s", new);
3391 static int copyhooks(struct lxc_container
*oldc
, struct lxc_container
*c
)
3393 __do_free
char *cpath
= NULL
;
3395 struct lxc_list
*it
;
3397 len
= strlen(oldc
->config_path
) + strlen(oldc
->name
) + 3;
3398 cpath
= must_realloc(NULL
, len
);
3399 ret
= snprintf(cpath
, len
, "%s/%s/", oldc
->config_path
, oldc
->name
);
3400 if (ret
< 0 || ret
>= len
)
3403 for (i
=0; i
<NUM_LXC_HOOKS
; i
++) {
3404 lxc_list_for_each(it
, &c
->lxc_conf
->hooks
[i
]) {
3405 char *hookname
= it
->elem
;
3406 char *fname
= strrchr(hookname
, '/');
3407 char tmppath
[PATH_MAX
];
3408 if (!fname
) /* relative path - we don't support, but maybe we should */
3411 if (strncmp(hookname
, cpath
, len
- 1) != 0) {
3412 /* this hook is public - ignore */
3416 /* copy the script, and change the entry in confile */
3417 ret
= snprintf(tmppath
, PATH_MAX
, "%s/%s/%s",
3418 c
->config_path
, c
->name
, fname
+1);
3419 if (ret
< 0 || ret
>= PATH_MAX
)
3422 ret
= copy_file(it
->elem
, tmppath
);
3428 it
->elem
= strdup(tmppath
);
3430 ERROR("out of memory copying hook path");
3436 if (!clone_update_unexp_hooks(c
->lxc_conf
, oldc
->config_path
,
3437 c
->config_path
, oldc
->name
, c
->name
)) {
3438 ERROR("Error saving new hooks in clone");
3442 do_lxcapi_save_config(c
, NULL
);
3447 static int copy_fstab(struct lxc_container
*oldc
, struct lxc_container
*c
)
3449 char newpath
[PATH_MAX
];
3450 char *oldpath
= oldc
->lxc_conf
->fstab
;
3456 clear_unexp_config_line(c
->lxc_conf
, "lxc.mount.fstab", false);
3458 char *p
= strrchr(oldpath
, '/');
3462 ret
= snprintf(newpath
, PATH_MAX
, "%s/%s%s",
3463 c
->config_path
, c
->name
, p
);
3464 if (ret
< 0 || ret
>= PATH_MAX
) {
3465 ERROR("error printing new path for %s", oldpath
);
3469 if (file_exists(newpath
)) {
3470 ERROR("error: fstab file %s exists", newpath
);
3474 if (copy_file(oldpath
, newpath
) < 0) {
3475 ERROR("error: copying %s to %s", oldpath
, newpath
);
3479 free(c
->lxc_conf
->fstab
);
3481 c
->lxc_conf
->fstab
= strdup(newpath
);
3482 if (!c
->lxc_conf
->fstab
) {
3483 ERROR("error: allocating pathname");
3487 if (!do_append_unexp_config_line(c
->lxc_conf
, "lxc.mount.fstab", newpath
)) {
3488 ERROR("error saving new lxctab");
3495 static void copy_rdepends(struct lxc_container
*c
, struct lxc_container
*c0
)
3497 char path0
[PATH_MAX
], path1
[PATH_MAX
];
3500 ret
= snprintf(path0
, PATH_MAX
, "%s/%s/lxc_rdepends", c0
->config_path
,
3502 if (ret
< 0 || ret
>= PATH_MAX
) {
3503 WARN("Error copying reverse dependencies");
3507 ret
= snprintf(path1
, PATH_MAX
, "%s/%s/lxc_rdepends", c
->config_path
,
3509 if (ret
< 0 || ret
>= PATH_MAX
) {
3510 WARN("Error copying reverse dependencies");
3514 if (copy_file(path0
, path1
) < 0) {
3515 INFO("Error copying reverse dependencies");
3520 static bool add_rdepends(struct lxc_container
*c
, struct lxc_container
*c0
)
3522 __do_fclose
FILE *f
= NULL
;
3524 char path
[PATH_MAX
];
3526 ret
= snprintf(path
, sizeof(path
), "%s/%s/lxc_rdepends", c
->config_path
, c
->name
);
3527 if (ret
< 0 || ret
>= sizeof(path
))
3530 f
= fopen(path
, "ae");
3534 /* If anything goes wrong, just return an error. */
3535 return fprintf(f
, "%s\n%s\n", c0
->config_path
, c0
->name
) > 0;
3539 * If the fs natively supports snapshot clones with no penalty,
3540 * then default to those even if not requested.
3541 * Currently we only do this for btrfs.
3543 static bool should_default_to_snapshot(struct lxc_container
*c0
,
3544 struct lxc_container
*c1
)
3546 __do_free
char *p0
= NULL
, *p1
= NULL
;
3548 size_t l0
= strlen(c0
->config_path
) + strlen(c0
->name
) + 2;
3549 size_t l1
= strlen(c1
->config_path
) + strlen(c1
->name
) + 2;
3550 char *rootfs
= c0
->lxc_conf
->rootfs
.path
;
3552 p0
= must_realloc(NULL
, l0
+ 1);
3553 p1
= must_realloc(NULL
, l1
+ 1);
3554 ret
= snprintf(p0
, l0
, "%s/%s", c0
->config_path
, c0
->name
);
3555 if (ret
< 0 || ret
>= l0
)
3558 ret
= snprintf(p1
, l1
, "%s/%s", c1
->config_path
, c1
->name
);
3559 if (ret
< 0 || ret
>= l1
)
3562 if (!is_btrfs_fs(p0
) || !is_btrfs_fs(p1
))
3565 if (is_btrfs_subvol(rootfs
) <= 0)
3568 return btrfs_same_fs(p0
, p1
) == 0;
3571 static int copy_storage(struct lxc_container
*c0
, struct lxc_container
*c
,
3572 const char *newtype
, int flags
, const char *bdevdata
,
3575 struct lxc_storage
*bdev
;
3578 if (should_default_to_snapshot(c0
, c
))
3579 flags
|= LXC_CLONE_SNAPSHOT
;
3581 bdev
= storage_copy(c0
, c
->name
, c
->config_path
, newtype
, flags
,
3582 bdevdata
, newsize
, &need_rdep
);
3584 ERROR("Error copying storage.");
3588 /* Set new rootfs. */
3589 free(c
->lxc_conf
->rootfs
.path
);
3590 c
->lxc_conf
->rootfs
.path
= strdup(bdev
->src
);
3593 if (!c
->lxc_conf
->rootfs
.path
) {
3594 ERROR("Out of memory while setting storage path.");
3598 /* Append a new lxc.rootfs.path entry to the unexpanded config. */
3599 clear_unexp_config_line(c
->lxc_conf
, "lxc.rootfs.path", false);
3600 if (!do_append_unexp_config_line(c
->lxc_conf
, "lxc.rootfs.path",
3601 c
->lxc_conf
->rootfs
.path
)) {
3602 ERROR("Error saving new rootfs to cloned config.");
3606 if (flags
& LXC_CLONE_SNAPSHOT
)
3607 copy_rdepends(c
, c0
);
3610 if (!add_rdepends(c
, c0
))
3611 WARN("Error adding reverse dependency from %s to %s",
3615 mod_all_rdeps(c
, true);
3620 struct clone_update_data
{
3621 struct lxc_container
*c0
;
3622 struct lxc_container
*c1
;
3627 static int clone_update_rootfs(struct clone_update_data
*data
)
3629 struct lxc_container
*c0
= data
->c0
;
3630 struct lxc_container
*c
= data
->c1
;
3631 int flags
= data
->flags
;
3632 char **hookargs
= data
->hookargs
;
3634 char path
[PATH_MAX
];
3635 struct lxc_storage
*bdev
;
3637 struct lxc_conf
*conf
= c
->lxc_conf
;
3639 /* update hostname in rootfs */
3640 /* we're going to mount, so run in a clean namespace to simplify cleanup */
3642 (void)lxc_setgroups(0, NULL
);
3644 if (setgid(0) < 0) {
3645 ERROR("Failed to setgid to 0");
3649 if (setuid(0) < 0) {
3650 ERROR("Failed to setuid to 0");
3654 if (unshare(CLONE_NEWNS
) < 0)
3657 bdev
= storage_init(c
->lxc_conf
);
3661 if (strcmp(bdev
->type
, "dir") != 0) {
3662 if (unshare(CLONE_NEWNS
) < 0) {
3663 ERROR("error unsharing mounts");
3668 if (detect_shared_rootfs() && mount(NULL
, "/", NULL
, MS_SLAVE
| MS_REC
, NULL
))
3669 SYSERROR("Failed to recursively turn root mount tree into dependent mount. Continuing...");
3671 if (bdev
->ops
->mount(bdev
) < 0) {
3675 } else { /* TODO come up with a better way */
3677 bdev
->dest
= strdup(lxc_storage_get_path(bdev
->src
, bdev
->type
));
3680 if (!lxc_list_empty(&conf
->hooks
[LXCHOOK_CLONE
])) {
3681 /* Start of environment variable setup for hooks */
3682 if (c0
->name
&& setenv("LXC_SRC_NAME", c0
->name
, 1))
3683 SYSERROR("failed to set environment variable for source container name");
3685 if (setenv("LXC_NAME", c
->name
, 1))
3686 SYSERROR("failed to set environment variable for container name");
3688 if (conf
->rcfile
&& setenv("LXC_CONFIG_FILE", conf
->rcfile
, 1))
3689 SYSERROR("failed to set environment variable for config path");
3691 if (bdev
->dest
&& setenv("LXC_ROOTFS_MOUNT", bdev
->dest
, 1))
3692 SYSERROR("failed to set environment variable for rootfs mount");
3694 if (conf
->rootfs
.path
&& setenv("LXC_ROOTFS_PATH", conf
->rootfs
.path
, 1))
3695 SYSERROR("failed to set environment variable for rootfs mount");
3697 if (run_lxc_hooks(c
->name
, "clone", conf
, hookargs
)) {
3698 ERROR("Error executing clone hook for %s", c
->name
);
3704 if (!(flags
& LXC_CLONE_KEEPNAME
)) {
3705 ret
= snprintf(path
, PATH_MAX
, "%s/etc/hostname", bdev
->dest
);
3708 if (ret
< 0 || ret
>= PATH_MAX
)
3711 if (!file_exists(path
))
3714 if (!(fout
= fopen(path
, "we"))) {
3715 SYSERROR("unable to open %s: ignoring", path
);
3719 if (fprintf(fout
, "%s", c
->name
) < 0) {
3724 if (fclose(fout
) < 0)
3733 static int clone_update_rootfs_wrapper(void *data
)
3735 struct clone_update_data
*arg
= (struct clone_update_data
*) data
;
3736 return clone_update_rootfs(arg
);
3740 * We want to support:
3741 sudo lxc-clone -o o1 -n n1 -s -L|-fssize fssize -v|--vgname vgname \
3742 -p|--lvprefix lvprefix -t|--fstype fstype -B backingstore
3744 -s [ implies overlay]
3747 only rootfs gets converted (copied/snapshotted) on clone.
3750 static int create_file_dirname(char *path
, struct lxc_conf
*conf
)
3752 char *p
= strrchr(path
, '/');
3759 ret
= do_create_container_dir(path
, conf
);
3765 static struct lxc_container
*do_lxcapi_clone(struct lxc_container
*c
, const char *newname
,
3766 const char *lxcpath
, int flags
,
3767 const char *bdevtype
, const char *bdevdata
, uint64_t newsize
,
3770 char newpath
[PATH_MAX
];
3772 struct clone_update_data data
;
3773 size_t saved_unexp_len
;
3775 int storage_copied
= 0;
3776 char *origroot
= NULL
, *saved_unexp_conf
= NULL
;
3777 struct lxc_container
*c2
= NULL
;
3779 if (!c
|| !do_lxcapi_is_defined(c
))
3782 if (container_mem_lock(c
))
3784 if (!is_stopped(c
) && !(flags
& LXC_CLONE_ALLOW_RUNNING
)) {
3785 ERROR("error: Original container (%s) is running. Use --allowrunning if you want to force a snapshot of the running container.", c
->name
);
3789 /* Make sure the container doesn't yet exist. */
3794 lxcpath
= do_lxcapi_get_config_path(c
);
3796 ret
= snprintf(newpath
, PATH_MAX
, "%s/%s/%s", lxcpath
, newname
, LXC_CONFIG_FNAME
);
3797 if (ret
< 0 || ret
>= PATH_MAX
) {
3798 SYSERROR("clone: failed making config pathname");
3802 if (file_exists(newpath
)) {
3803 ERROR("error: clone: %s exists", newpath
);
3807 ret
= create_file_dirname(newpath
, c
->lxc_conf
);
3808 if (ret
< 0 && errno
!= EEXIST
) {
3809 ERROR("Error creating container dir for %s", newpath
);
3813 /* Copy the configuration. Tweak it as needed. */
3814 if (c
->lxc_conf
->rootfs
.path
) {
3815 origroot
= c
->lxc_conf
->rootfs
.path
;
3816 c
->lxc_conf
->rootfs
.path
= NULL
;
3819 fd
= open(newpath
, O_WRONLY
| O_CREAT
| O_CLOEXEC
,
3820 S_IRUSR
| S_IWUSR
| S_IRGRP
| S_IWGRP
);
3822 SYSERROR("Failed to open \"%s\"", newpath
);
3826 saved_unexp_conf
= c
->lxc_conf
->unexpanded_config
;
3827 saved_unexp_len
= c
->lxc_conf
->unexpanded_len
;
3828 c
->lxc_conf
->unexpanded_config
= strdup(saved_unexp_conf
);
3829 if (!c
->lxc_conf
->unexpanded_config
) {
3834 clear_unexp_config_line(c
->lxc_conf
, "lxc.rootfs.path", false);
3835 write_config(fd
, c
->lxc_conf
);
3838 c
->lxc_conf
->rootfs
.path
= origroot
;
3840 free(c
->lxc_conf
->unexpanded_config
);
3841 c
->lxc_conf
->unexpanded_config
= saved_unexp_conf
;
3842 saved_unexp_conf
= NULL
;
3843 c
->lxc_conf
->unexpanded_len
= saved_unexp_len
;
3845 ret
= snprintf(newpath
, PATH_MAX
, "%s/%s/%s", lxcpath
, newname
, LXC_ROOTFS_DNAME
);
3846 if (ret
< 0 || ret
>= PATH_MAX
) {
3847 SYSERROR("clone: failed making rootfs pathname");
3851 ret
= mkdir(newpath
, 0755);
3853 /* For an overlay container the rootfs is considered immutable
3854 * and will not have been removed when restoring from a
3857 if (errno
!= ENOENT
&&
3858 !(flags
& LXC_STORAGE_INTERNAL_OVERLAY_RESTORE
)) {
3859 SYSERROR("Failed to create directory \"%s\"", newpath
);
3864 if (am_guest_unpriv()) {
3865 if (chown_mapped_root(newpath
, c
->lxc_conf
) < 0) {
3866 ERROR("Error chowning %s to container root", newpath
);
3871 c2
= lxc_container_new(newname
, lxcpath
);
3873 ERROR("clone: failed to create new container (%s %s)", newname
,
3878 /* copy/snapshot rootfs's */
3879 ret
= copy_storage(c
, c2
, bdevtype
, flags
, bdevdata
, newsize
);
3883 /* update utsname */
3884 if (!(flags
& LXC_CLONE_KEEPNAME
)) {
3885 clear_unexp_config_line(c2
->lxc_conf
, "lxc.utsname", false);
3886 clear_unexp_config_line(c2
->lxc_conf
, "lxc.uts.name", false);
3888 if (!do_set_config_item_locked(c2
, "lxc.uts.name", newname
)) {
3889 ERROR("Error setting new hostname");
3895 ret
= copyhooks(c
, c2
);
3897 ERROR("error copying hooks");
3901 if (copy_fstab(c
, c2
) < 0) {
3902 ERROR("error copying fstab");
3906 /* update macaddrs */
3907 if (!(flags
& LXC_CLONE_KEEPMACADDR
)) {
3908 if (!network_new_hwaddrs(c2
->lxc_conf
)) {
3909 ERROR("Error updating mac addresses");
3914 /* Update absolute paths for overlay mount directories. */
3915 if (ovl_update_abs_paths(c2
->lxc_conf
, c
->config_path
, c
->name
, lxcpath
, newname
) < 0)
3918 /* We've now successfully created c2's storage, so clear it out if we
3923 if (!c2
->save_config(c2
, NULL
))
3926 if ((pid
= fork()) < 0) {
3932 ret
= wait_for_pid(pid
);
3936 container_mem_unlock(c
);
3943 data
.hookargs
= hookargs
;
3945 if (am_guest_unpriv())
3946 ret
= userns_exec_full(c
->lxc_conf
, clone_update_rootfs_wrapper
,
3947 &data
, "clone_update_rootfs_wrapper");
3949 ret
= clone_update_rootfs(&data
);
3951 _exit(EXIT_FAILURE
);
3953 container_mem_unlock(c
);
3954 _exit(EXIT_SUCCESS
);
3957 container_mem_unlock(c
);
3959 if (!storage_copied
)
3960 c2
->lxc_conf
->rootfs
.path
= NULL
;
3963 lxc_container_put(c2
);
3969 static struct lxc_container
*lxcapi_clone(struct lxc_container
*c
, const char *newname
,
3970 const char *lxcpath
, int flags
,
3971 const char *bdevtype
, const char *bdevdata
, uint64_t newsize
,
3974 struct lxc_container
* ret
;
3976 current_config
= c
? c
->lxc_conf
: NULL
;
3977 ret
= do_lxcapi_clone(c
, newname
, lxcpath
, flags
, bdevtype
, bdevdata
, newsize
, hookargs
);
3978 current_config
= NULL
;
3983 static bool do_lxcapi_rename(struct lxc_container
*c
, const char *newname
)
3985 struct lxc_storage
*bdev
;
3986 struct lxc_container
*newc
;
3988 if (!c
|| !c
->name
|| !c
->config_path
|| !c
->lxc_conf
)
3991 if (has_fs_snapshots(c
) || has_snapshots(c
)) {
3992 ERROR("Renaming a container with snapshots is not supported");
3996 bdev
= storage_init(c
->lxc_conf
);
3998 ERROR("Failed to find original backing store type");
4002 newc
= lxcapi_clone(c
, newname
, c
->config_path
, LXC_CLONE_KEEPMACADDR
, NULL
, bdev
->type
, 0, NULL
);
4005 lxc_container_put(newc
);
4009 if (newc
&& lxcapi_is_defined(newc
))
4010 lxc_container_put(newc
);
4012 if (!container_destroy(c
, NULL
)) {
4013 ERROR("Could not destroy existing container %s", c
->name
);
4020 WRAP_API_1(bool, lxcapi_rename
, const char *)
4022 static int lxcapi_attach(struct lxc_container
*c
,
4023 lxc_attach_exec_t exec_function
, void *exec_payload
,
4024 lxc_attach_options_t
*options
, pid_t
*attached_process
)
4031 current_config
= c
->lxc_conf
;
4033 ret
= lxc_attach(c
, exec_function
, exec_payload
, options
,
4035 current_config
= NULL
;
4039 static int do_lxcapi_attach_run_wait(struct lxc_container
*c
,
4040 lxc_attach_options_t
*options
,
4041 const char *program
,
4042 const char *const argv
[])
4044 lxc_attach_command_t command
;
4051 command
.program
= (char *)program
;
4052 command
.argv
= (char **)argv
;
4054 ret
= lxc_attach(c
, lxc_attach_run_command
, &command
, options
, &pid
);
4058 return lxc_wait_for_pid_status(pid
);
4061 static int lxcapi_attach_run_wait(struct lxc_container
*c
,
4062 lxc_attach_options_t
*options
,
4063 const char *program
, const char *const argv
[])
4067 current_config
= c
? c
->lxc_conf
: NULL
;
4068 ret
= do_lxcapi_attach_run_wait(c
, options
, program
, argv
);
4069 current_config
= NULL
;
4074 static int get_next_index(const char *lxcpath
, char *cname
)
4076 __do_free
char *fname
= NULL
;
4080 fname
= must_realloc(NULL
, strlen(lxcpath
) + 20);
4083 sprintf(fname
, "%s/snap%d", lxcpath
, i
);
4085 ret
= stat(fname
, &sb
);
4093 static bool get_snappath_dir(struct lxc_container
*c
, char *snappath
)
4098 * If the old style snapshot path exists, use it
4099 * /var/lib/lxc -> /var/lib/lxcsnaps
4101 ret
= snprintf(snappath
, PATH_MAX
, "%ssnaps", c
->config_path
);
4102 if (ret
< 0 || ret
>= PATH_MAX
)
4105 if (dir_exists(snappath
)) {
4106 ret
= snprintf(snappath
, PATH_MAX
, "%ssnaps/%s", c
->config_path
, c
->name
);
4107 if (ret
< 0 || ret
>= PATH_MAX
)
4114 * Use the new style path
4115 * /var/lib/lxc -> /var/lib/lxc + c->name + /snaps + \0
4117 ret
= snprintf(snappath
, PATH_MAX
, "%s/%s/snaps", c
->config_path
, c
->name
);
4118 if (ret
< 0 || ret
>= PATH_MAX
)
4124 static int do_lxcapi_snapshot(struct lxc_container
*c
, const char *commentfile
)
4126 __do_free
char *dfnam
= NULL
;
4131 struct lxc_container
*c2
;
4132 char snappath
[PATH_MAX
], newname
[20];
4136 if (!c
|| !lxcapi_is_defined(c
))
4139 if (!storage_can_backup(c
->lxc_conf
)) {
4140 ERROR("%s's backing store cannot be backed up", c
->name
);
4141 ERROR("Your container must use another backing store type");
4145 if (!get_snappath_dir(c
, snappath
))
4148 i
= get_next_index(snappath
, c
->name
);
4150 if (mkdir_p(snappath
, 0755) < 0) {
4151 ERROR("Failed to create snapshot directory %s", snappath
);
4155 ret
= snprintf(newname
, 20, "snap%d", i
);
4156 if (ret
< 0 || ret
>= 20)
4160 * We pass LXC_CLONE_SNAPSHOT to make sure that a rdepends file entry is
4161 * created in the original container
4163 flags
= LXC_CLONE_SNAPSHOT
| LXC_CLONE_KEEPMACADDR
| LXC_CLONE_KEEPNAME
|
4164 LXC_CLONE_KEEPBDEVTYPE
| LXC_CLONE_MAYBE_SNAPSHOT
;
4165 if (storage_is_dir(c
->lxc_conf
)) {
4166 ERROR("Snapshot of directory-backed container requested");
4167 ERROR("Making a copy-clone. If you do want snapshots, then");
4168 ERROR("please create overlay clone first, snapshot that");
4169 ERROR("and keep the original container pristine");
4170 flags
&= ~LXC_CLONE_SNAPSHOT
| LXC_CLONE_MAYBE_SNAPSHOT
;
4173 c2
= do_lxcapi_clone(c
, newname
, snappath
, flags
, NULL
, NULL
, 0, NULL
);
4175 ERROR("Failed to clone of %s:%s", c
->config_path
, c
->name
);
4179 lxc_container_put(c2
);
4181 /* Now write down the creation time. */
4184 if (!localtime_r(&timer
, &tm_info
)) {
4185 ERROR("Failed to get localtime");
4189 strftime(buffer
, 25, "%Y:%m:%d %H:%M:%S", &tm_info
);
4191 len
= strlen(snappath
) + 1 + strlen(newname
) + 1 + strlen(LXC_TIMESTAMP_FNAME
) + 1;
4192 dfnam
= must_realloc(NULL
, len
);
4193 snprintf(dfnam
, len
, "%s/%s/%s", snappath
, newname
, LXC_TIMESTAMP_FNAME
);
4194 f
= fopen(dfnam
, "we");
4196 ERROR("Failed to open %s", dfnam
);
4200 if (fprintf(f
, "%s", buffer
) < 0) {
4201 SYSERROR("Writing timestamp");
4208 SYSERROR("Writing timestamp");
4213 __do_free
char *path
= NULL
;
4214 /* $p / $name / comment \0 */
4215 len
= strlen(snappath
) + 1 + strlen(newname
) + 1 + strlen(LXC_COMMENT_FNAME
) + 1;
4217 path
= must_realloc(NULL
, len
);
4218 snprintf(path
, len
, "%s/%s/%s", snappath
, newname
, LXC_COMMENT_FNAME
);
4219 return copy_file(commentfile
, path
) < 0 ? -1 : i
;
4225 WRAP_API_1(int, lxcapi_snapshot
, const char *)
4227 static void lxcsnap_free(struct lxc_snapshot
*s
)
4230 free(s
->comment_pathname
);
4235 static char *get_snapcomment_path(char* snappath
, char *name
)
4237 /* $snappath/$name/comment */
4238 int ret
, len
= strlen(snappath
) + strlen(name
) + 10;
4239 char *s
= malloc(len
);
4242 ret
= snprintf(s
, len
, "%s/%s/comment", snappath
, name
);
4243 if (ret
< 0 || ret
>= len
) {
4252 static char *get_timestamp(char* snappath
, char *name
)
4254 __do_free
char *s
= NULL
;
4255 __do_fclose
FILE *fin
= NULL
;
4256 char path
[PATH_MAX
];
4259 ret
= snprintf(path
, PATH_MAX
, "%s/%s/ts", snappath
, name
);
4260 if (ret
< 0 || ret
>= PATH_MAX
)
4263 fin
= fopen(path
, "re");
4267 (void) fseek(fin
, 0, SEEK_END
);
4269 (void) fseek(fin
, 0, SEEK_SET
);
4274 if (fread(s
, 1, len
, fin
) != len
)
4275 return log_error_errno(NULL
, errno
, "reading timestamp");
4282 static int do_lxcapi_snapshot_list(struct lxc_container
*c
, struct lxc_snapshot
**ret_snaps
)
4284 __do_closedir
DIR *dir
= NULL
;
4285 char snappath
[PATH_MAX
], path2
[PATH_MAX
];
4287 struct dirent
*direntp
;
4288 struct lxc_snapshot
*snaps
=NULL
, *nsnaps
;
4290 if (!c
|| !lxcapi_is_defined(c
))
4293 if (!get_snappath_dir(c
, snappath
)) {
4294 ERROR("path name too long");
4298 dir
= opendir(snappath
);
4300 INFO("Failed to open %s - assuming no snapshots", snappath
);
4304 while ((direntp
= readdir(dir
))) {
4305 if (!strcmp(direntp
->d_name
, "."))
4308 if (!strcmp(direntp
->d_name
, ".."))
4311 ret
= snprintf(path2
, PATH_MAX
, "%s/%s/%s", snappath
, direntp
->d_name
, LXC_CONFIG_FNAME
);
4312 if (ret
< 0 || ret
>= PATH_MAX
) {
4313 ERROR("pathname too long");
4317 if (!file_exists(path2
))
4320 nsnaps
= realloc(snaps
, (count
+ 1)*sizeof(*snaps
));
4322 SYSERROR("Out of memory");
4327 snaps
[count
].free
= lxcsnap_free
;
4328 snaps
[count
].name
= strdup(direntp
->d_name
);
4329 if (!snaps
[count
].name
)
4332 snaps
[count
].lxcpath
= strdup(snappath
);
4333 if (!snaps
[count
].lxcpath
) {
4334 free(snaps
[count
].name
);
4338 snaps
[count
].comment_pathname
= get_snapcomment_path(snappath
, direntp
->d_name
);
4339 snaps
[count
].timestamp
= get_timestamp(snappath
, direntp
->d_name
);
4348 for (int i
= 0; i
< count
; i
++)
4349 lxcsnap_free(&snaps
[i
]);
4357 WRAP_API_1(int, lxcapi_snapshot_list
, struct lxc_snapshot
**)
4359 static bool do_lxcapi_snapshot_restore(struct lxc_container
*c
, const char *snapname
, const char *newname
)
4361 char clonelxcpath
[PATH_MAX
];
4363 struct lxc_container
*snap
, *rest
;
4364 struct lxc_storage
*bdev
;
4367 if (!c
|| !c
->name
|| !c
->config_path
)
4370 if (has_fs_snapshots(c
)) {
4371 ERROR("container rootfs has dependent snapshots");
4375 bdev
= storage_init(c
->lxc_conf
);
4377 ERROR("Failed to find original backing store type");
4381 /* For an overlay container the rootfs is considered immutable
4382 * and cannot be removed when restoring from a snapshot. We pass this
4383 * internal flag along to communicate this to various parts of the
4386 if (!strcmp(bdev
->type
, "overlay") || !strcmp(bdev
->type
, "overlayfs"))
4387 bdev
->flags
|= LXC_STORAGE_INTERNAL_OVERLAY_RESTORE
;
4392 if (!get_snappath_dir(c
, clonelxcpath
)) {
4396 /* how should we lock this? */
4398 snap
= lxc_container_new(snapname
, clonelxcpath
);
4399 if (!snap
|| !lxcapi_is_defined(snap
)) {
4400 ERROR("Could not open snapshot %s", snapname
);
4403 lxc_container_put(snap
);
4409 if (!strcmp(c
->name
, newname
)) {
4410 if (!container_destroy(c
, bdev
)) {
4411 ERROR("Could not destroy existing container %s", newname
);
4412 lxc_container_put(snap
);
4418 if (strcmp(bdev
->type
, "dir") != 0 && strcmp(bdev
->type
, "loop") != 0)
4419 flags
= LXC_CLONE_SNAPSHOT
| LXC_CLONE_MAYBE_SNAPSHOT
;
4421 if (!strcmp(bdev
->type
, "overlay") || !strcmp(bdev
->type
, "overlayfs"))
4422 flags
|= LXC_STORAGE_INTERNAL_OVERLAY_RESTORE
;
4424 rest
= lxcapi_clone(snap
, newname
, c
->config_path
, flags
, bdev
->type
,
4427 if (rest
&& lxcapi_is_defined(rest
))
4431 lxc_container_put(rest
);
4433 lxc_container_put(snap
);
4437 WRAP_API_2(bool, lxcapi_snapshot_restore
, const char *, const char *)
4439 static bool do_snapshot_destroy(const char *snapname
, const char *clonelxcpath
)
4441 struct lxc_container
*snap
= NULL
;
4444 snap
= lxc_container_new(snapname
, clonelxcpath
);
4446 ERROR("Could not find snapshot %s", snapname
);
4450 if (!do_lxcapi_destroy(snap
)) {
4451 ERROR("Could not destroy snapshot %s", snapname
);
4459 lxc_container_put(snap
);
4464 static bool remove_all_snapshots(const char *path
)
4466 __do_closedir
DIR *dir
= NULL
;
4467 struct dirent
*direntp
;
4470 dir
= opendir(path
);
4472 SYSERROR("opendir on snapshot path %s", path
);
4476 while ((direntp
= readdir(dir
))) {
4477 if (!strcmp(direntp
->d_name
, "."))
4480 if (!strcmp(direntp
->d_name
, ".."))
4483 if (!do_snapshot_destroy(direntp
->d_name
, path
)) {
4490 SYSERROR("Error removing directory %s", path
);
4495 static bool do_lxcapi_snapshot_destroy(struct lxc_container
*c
, const char *snapname
)
4497 char clonelxcpath
[PATH_MAX
];
4499 if (!c
|| !c
->name
|| !c
->config_path
|| !snapname
)
4502 if (!get_snappath_dir(c
, clonelxcpath
))
4505 return do_snapshot_destroy(snapname
, clonelxcpath
);
4508 WRAP_API_1(bool, lxcapi_snapshot_destroy
, const char *)
4510 static bool do_lxcapi_snapshot_destroy_all(struct lxc_container
*c
)
4512 char clonelxcpath
[PATH_MAX
];
4514 if (!c
|| !c
->name
|| !c
->config_path
)
4517 if (!get_snappath_dir(c
, clonelxcpath
))
4520 return remove_all_snapshots(clonelxcpath
);
4523 WRAP_API(bool, lxcapi_snapshot_destroy_all
)
4525 static bool do_lxcapi_may_control(struct lxc_container
*c
)
4530 return lxc_try_cmd(c
->name
, c
->config_path
) == 0;
4533 WRAP_API(bool, lxcapi_may_control
)
4535 static bool do_add_remove_node(pid_t init_pid
, const char *path
, bool add
,
4541 char chrootpath
[PATH_MAX
];
4542 char *directory_path
= NULL
;
4546 SYSERROR("Failed to fork()");
4551 ret
= wait_for_pid(pid
);
4553 ERROR("Failed to create device node");
4560 /* prepare the path */
4561 ret
= snprintf(chrootpath
, PATH_MAX
, "/proc/%d/root", init_pid
);
4562 if (ret
< 0 || ret
>= PATH_MAX
)
4565 ret
= chroot(chrootpath
);
4567 _exit(EXIT_FAILURE
);
4571 _exit(EXIT_FAILURE
);
4573 /* remove path if it exists */
4574 ret
= faccessat(AT_FDCWD
, path
, F_OK
, AT_SYMLINK_NOFOLLOW
);
4578 SYSERROR("Failed to remove \"%s\"", path
);
4579 _exit(EXIT_FAILURE
);
4584 _exit(EXIT_SUCCESS
);
4586 /* create any missing directories */
4589 _exit(EXIT_FAILURE
);
4591 directory_path
= dirname(tmp
);
4592 ret
= mkdir_p(directory_path
, 0755);
4593 if (ret
< 0 && errno
!= EEXIST
) {
4594 SYSERROR("Failed to create path \"%s\"", directory_path
);
4596 _exit(EXIT_FAILURE
);
4599 /* create the device node */
4600 ret
= mknod(path
, st
->st_mode
, st
->st_rdev
);
4603 SYSERROR("Failed to create device node at \"%s\"", path
);
4604 _exit(EXIT_FAILURE
);
4607 _exit(EXIT_SUCCESS
);
4610 static bool add_remove_device_node(struct lxc_container
*c
, const char *src_path
, const char *dest_path
, bool add
)
4614 char value
[LXC_MAX_BUFFER
];
4618 /* make sure container is running */
4619 if (!do_lxcapi_is_running(c
)) {
4620 ERROR("container is not running");
4624 /* use src_path if dest_path is NULL otherwise use dest_path */
4625 p
= dest_path
? dest_path
: src_path
;
4627 /* make sure we can access p */
4628 if(access(p
, F_OK
) < 0 || stat(p
, &st
) < 0)
4631 /* continue if path is character device or block device */
4632 if (S_ISCHR(st
.st_mode
))
4633 ret
= snprintf(value
, LXC_MAX_BUFFER
, "c %d:%d rwm", major(st
.st_rdev
), minor(st
.st_rdev
));
4634 else if (S_ISBLK(st
.st_mode
))
4635 ret
= snprintf(value
, LXC_MAX_BUFFER
, "b %d:%d rwm", major(st
.st_rdev
), minor(st
.st_rdev
));
4639 /* check snprintf return code */
4640 if (ret
< 0 || ret
>= LXC_MAX_BUFFER
)
4643 init_pid
= do_lxcapi_init_pid(c
);
4645 ERROR("Failed to get init pid");
4649 if (!do_add_remove_node(init_pid
, p
, add
, &st
))
4652 /* add or remove device to/from cgroup access list */
4654 if (!do_lxcapi_set_cgroup_item(c
, "devices.allow", value
)) {
4655 ERROR("set_cgroup_item failed while adding the device node");
4659 if (!do_lxcapi_set_cgroup_item(c
, "devices.deny", value
)) {
4660 ERROR("set_cgroup_item failed while removing the device node");
4668 static bool do_lxcapi_add_device_node(struct lxc_container
*c
, const char *src_path
, const char *dest_path
)
4670 // cannot mknod if we're not privileged wrt init_user_ns
4671 if (am_host_unpriv()) {
4672 ERROR(LXC_UNPRIV_EOPNOTSUPP
, __FUNCTION__
);
4676 return add_remove_device_node(c
, src_path
, dest_path
, true);
4679 WRAP_API_2(bool, lxcapi_add_device_node
, const char *, const char *)
4681 static bool do_lxcapi_remove_device_node(struct lxc_container
*c
, const char *src_path
, const char *dest_path
)
4683 if (am_guest_unpriv()) {
4684 ERROR(LXC_UNPRIV_EOPNOTSUPP
, __FUNCTION__
);
4688 return add_remove_device_node(c
, src_path
, dest_path
, false);
4691 WRAP_API_2(bool, lxcapi_remove_device_node
, const char *, const char *)
4693 static bool do_lxcapi_attach_interface(struct lxc_container
*c
,
4695 const char *dst_ifname
)
4700 if (am_guest_unpriv()) {
4701 ERROR(LXC_UNPRIV_EOPNOTSUPP
, __FUNCTION__
);
4706 ERROR("No source interface name given");
4710 ret
= lxc_netdev_isup(ifname
);
4712 /* netdev of ifname is up. */
4713 ret
= lxc_netdev_down(ifname
);
4718 init_pid
= do_lxcapi_init_pid(c
);
4720 ERROR("Failed to get init pid");
4724 ret
= lxc_netdev_move_by_name(ifname
, init_pid
, dst_ifname
);
4728 INFO("Moved network device \"%s\" to network namespace of %d", ifname
, init_pid
);
4735 WRAP_API_2(bool, lxcapi_attach_interface
, const char *, const char *)
4737 static bool do_lxcapi_detach_interface(struct lxc_container
*c
,
4739 const char *dst_ifname
)
4742 pid_t pid
, pid_outside
;
4743 __do_free
char *physname
= NULL
;
4746 * TODO - if this is a physical device, then we need am_host_unpriv.
4747 * But for other types guest privilege suffices.
4749 if (am_guest_unpriv()) {
4750 ERROR(LXC_UNPRIV_EOPNOTSUPP
, __FUNCTION__
);
4755 ERROR("No source interface name given");
4759 pid_outside
= lxc_raw_getpid();
4762 ERROR("Failed to fork");
4766 if (pid
== 0) { /* child */
4769 init_pid
= do_lxcapi_init_pid(c
);
4771 ERROR("Failed to get init pid");
4772 _exit(EXIT_FAILURE
);
4774 if (!switch_to_ns(init_pid
, "net")) {
4775 ERROR("Failed to enter network namespace");
4776 _exit(EXIT_FAILURE
);
4779 /* create new mount namespace for use with remounting /sys and is_wlan() below. */
4780 ret
= unshare(CLONE_NEWNS
);
4782 ERROR("Failed to unshare mount namespace");
4783 _exit(EXIT_FAILURE
);
4786 /* set / recursively as private so that mount propagation doesn't affect us. */
4787 if (mount(NULL
, "/", NULL
, MS_REC
| MS_PRIVATE
, 0) < 0) {
4788 ERROR("Failed to recursively set / as private in mount namespace");
4789 _exit(EXIT_FAILURE
);
4792 ret
= lxc_netdev_isup(ifname
);
4794 ERROR("Failed to determine whether network device \"%s\" is up", ifname
);
4795 _exit(EXIT_FAILURE
);
4798 /* netdev of ifname is up. */
4800 ret
= lxc_netdev_down(ifname
);
4802 ERROR("Failed to set network device \"%s\" down", ifname
);
4803 _exit(EXIT_FAILURE
);
4807 /* remount /sys so is_wlan() can check if this device is a wlan device. */
4808 lxc_attach_remount_sys_proc();
4809 physname
= is_wlan(ifname
);
4811 ret
= lxc_netdev_move_wlan(physname
, ifname
, pid_outside
, dst_ifname
);
4813 ret
= lxc_netdev_move_by_name(ifname
, pid_outside
, dst_ifname
);
4815 /* -EINVAL means there is no netdev named as ifname. */
4818 ERROR("Network device \"%s\" not found", ifname
);
4820 ERROR("Failed to remove network device \"%s\"", ifname
);
4822 _exit(EXIT_FAILURE
);
4825 _exit(EXIT_SUCCESS
);
4828 ret
= wait_for_pid(pid
);
4832 INFO("Moved network device \"%s\" to network namespace of %d", ifname
, pid_outside
);
4836 WRAP_API_2(bool, lxcapi_detach_interface
, const char *, const char *)
4838 static int do_lxcapi_migrate(struct lxc_container
*c
, unsigned int cmd
,
4839 struct migrate_opts
*opts
, unsigned int size
)
4842 struct migrate_opts
*valid_opts
= opts
;
4843 uint64_t features_to_check
= 0;
4845 /* If the caller has a bigger (newer) struct migrate_opts, let's make
4846 * sure that the stuff on the end is zero, i.e. that they didn't ask us
4847 * to do anything special.
4849 if (size
> sizeof(*opts
)) {
4850 unsigned char *addr
;
4853 addr
= (void *)opts
+ sizeof(*opts
);
4854 end
= (void *)opts
+ size
;
4856 for (; addr
< end
; addr
++)
4861 /* If the caller has a smaller struct, let's zero out the end for them
4862 * so we don't accidentally use bits of it that they didn't know about
4865 if (size
< sizeof(*opts
)) {
4866 valid_opts
= malloc(sizeof(*opts
));
4870 memset(valid_opts
, 0, sizeof(*opts
));
4871 memcpy(valid_opts
, opts
, size
);
4875 case MIGRATE_PRE_DUMP
:
4876 if (!do_lxcapi_is_running(c
)) {
4877 ERROR("container is not running");
4881 ret
= !__criu_pre_dump(c
, valid_opts
);
4884 if (!do_lxcapi_is_running(c
)) {
4885 ERROR("container is not running");
4889 ret
= !__criu_dump(c
, valid_opts
);
4891 case MIGRATE_RESTORE
:
4892 if (do_lxcapi_is_running(c
)) {
4893 ERROR("container is already running");
4897 ret
= !__criu_restore(c
, valid_opts
);
4899 case MIGRATE_FEATURE_CHECK
:
4900 features_to_check
= valid_opts
->features_to_check
;
4901 ret
= !__criu_check_feature(&features_to_check
);
4903 /* Something went wrong. Let's let the caller
4904 * know which feature checks failed. */
4905 valid_opts
->features_to_check
= features_to_check
;
4909 ERROR("invalid migrate command %u", cmd
);
4914 if (size
< sizeof(*opts
))
4920 WRAP_API_3(int, lxcapi_migrate
, unsigned int, struct migrate_opts
*, unsigned int)
4922 static bool do_lxcapi_checkpoint(struct lxc_container
*c
, char *directory
, bool stop
, bool verbose
)
4924 struct migrate_opts opts
;
4926 memset(&opts
, 0, sizeof(opts
));
4928 opts
.directory
= directory
;
4930 opts
.verbose
= verbose
;
4932 return !do_lxcapi_migrate(c
, MIGRATE_DUMP
, &opts
, sizeof(opts
));
4935 WRAP_API_3(bool, lxcapi_checkpoint
, char *, bool, bool)
4937 static bool do_lxcapi_restore(struct lxc_container
*c
, char *directory
, bool verbose
)
4939 struct migrate_opts opts
;
4941 memset(&opts
, 0, sizeof(opts
));
4943 opts
.directory
= directory
;
4944 opts
.verbose
= verbose
;
4946 return !do_lxcapi_migrate(c
, MIGRATE_RESTORE
, &opts
, sizeof(opts
));
4949 WRAP_API_2(bool, lxcapi_restore
, char *, bool)
4951 /* @st_mode is the st_mode field of the stat(source) return struct */
4952 static int create_mount_target(const char *dest
, mode_t st_mode
)
4954 char *dirdup
, *destdirname
;
4957 dirdup
= strdup(dest
);
4959 SYSERROR("Failed to duplicate target name \"%s\"", dest
);
4962 destdirname
= dirname(dirdup
);
4964 ret
= mkdir_p(destdirname
, 0755);
4966 SYSERROR("Failed to create \"%s\"", destdirname
);
4974 if (S_ISDIR(st_mode
))
4975 ret
= mkdir(dest
, 0000);
4977 ret
= mknod(dest
, S_IFREG
| 0000, 0);
4980 TRACE("Created mount target \"%s\"", dest
);
4981 else if (ret
< 0 && errno
!= EEXIST
) {
4982 SYSERROR("Failed to create mount target \"%s\"", dest
);
4989 static int do_lxcapi_mount(struct lxc_container
*c
, const char *source
,
4990 const char *target
, const char *filesystemtype
,
4991 unsigned long mountflags
, const void *data
,
4992 struct lxc_mount
*mnt
)
4995 char template[PATH_MAX
], path
[PATH_MAX
];
4996 pid_t pid
, init_pid
;
4999 int ret
= -1, fd
= -EBADF
;
5001 if (!c
|| !c
->lxc_conf
) {
5002 ERROR("Container or configuration is NULL");
5006 if (!c
->lxc_conf
->shmount
.path_host
) {
5007 ERROR("Host path to shared mountpoint must be specified in the config\n");
5011 ret
= snprintf(template, sizeof(template), "%s/.lxcmount_XXXXXX", c
->lxc_conf
->shmount
.path_host
);
5012 if (ret
< 0 || (size_t)ret
>= sizeof(template)) {
5013 SYSERROR("Error writing shmounts tempdir name");
5017 /* Create a temporary file / dir under the shared mountpoint */
5018 if (!source
|| strcmp(source
, "") == 0) {
5019 /* If source is not specified, maybe we want to mount a filesystem? */
5020 sb
.st_mode
= S_IFDIR
;
5022 ret
= stat(source
, &sb
);
5024 SYSERROR("Error getting stat info about the source \"%s\"", source
);
5029 is_dir
= (S_ISDIR(sb
.st_mode
) != 0);
5031 sret
= mkdtemp(template);
5033 SYSERROR("Could not create shmounts temporary dir");
5037 fd
= lxc_make_tmpfile(template, false);
5039 SYSERROR("Could not create shmounts temporary file");
5047 SYSERROR("Could not fork");
5053 ret
= mount(source
, template, filesystemtype
, mountflags
, data
);
5055 SYSERROR("Failed to mount onto \"%s\"", template);
5056 _exit(EXIT_FAILURE
);
5058 TRACE("Mounted \"%s\" onto \"%s\"", source
, template);
5060 init_pid
= do_lxcapi_init_pid(c
);
5062 ERROR("Failed to obtain container's init pid");
5063 _exit(EXIT_FAILURE
);
5066 /* Enter the container namespaces */
5067 if (!lxc_list_empty(&c
->lxc_conf
->id_map
)) {
5068 if (!switch_to_ns(init_pid
, "user")) {
5069 ERROR("Failed to enter user namespace");
5070 _exit(EXIT_FAILURE
);
5073 if (!lxc_switch_uid_gid(0, 0))
5074 _exit(EXIT_FAILURE
);
5077 if (!switch_to_ns(init_pid
, "mnt")) {
5078 ERROR("Failed to enter mount namespace");
5079 _exit(EXIT_FAILURE
);
5082 ret
= create_mount_target(target
, sb
.st_mode
);
5084 _exit(EXIT_FAILURE
);
5086 suff
= strrchr(template, '/');
5088 goto cleanup_target_in_child
;
5090 ret
= snprintf(path
, sizeof(path
), "%s%s", c
->lxc_conf
->shmount
.path_cont
, suff
);
5091 if (ret
< 0 || (size_t)ret
>= sizeof(path
)) {
5092 SYSERROR("Error writing container mountpoint name");
5093 goto cleanup_target_in_child
;
5096 ret
= mount(path
, target
, NULL
, MS_MOVE
| MS_REC
, NULL
);
5098 SYSERROR("Failed to move the mount from \"%s\" to \"%s\"", path
, target
);
5099 goto cleanup_target_in_child
;
5101 TRACE("Moved mount from \"%s\" to \"%s\"", path
, target
);
5103 _exit(EXIT_SUCCESS
);
5105 cleanup_target_in_child
:
5106 (void)remove(target
);
5107 _exit(EXIT_FAILURE
);
5110 ret
= wait_for_pid(pid
);
5112 SYSERROR("Wait for the child with pid %ld failed", (long)pid
);
5116 if (umount2(template, MNT_DETACH
))
5117 SYSWARN("Failed to remove temporary mount \"%s\"", template);
5120 (void)rmdir(template);
5122 (void)unlink(template);
5131 WRAP_API_6(int, lxcapi_mount
, const char *, const char *, const char *,
5132 unsigned long, const void *, struct lxc_mount
*)
5134 static int do_lxcapi_umount(struct lxc_container
*c
, const char *target
,
5135 unsigned long flags
, struct lxc_mount
*mnt
)
5137 pid_t pid
, init_pid
;
5140 if (!c
|| !c
->lxc_conf
) {
5141 ERROR("Container or configuration is NULL");
5148 SYSERROR("Could not fork");
5153 init_pid
= do_lxcapi_init_pid(c
);
5155 ERROR("Failed to obtain container's init pid");
5156 _exit(EXIT_FAILURE
);
5159 /* Enter the container namespaces */
5160 if (!lxc_list_empty(&c
->lxc_conf
->id_map
)) {
5161 if (!switch_to_ns(init_pid
, "user")) {
5162 ERROR("Failed to enter user namespace");
5163 _exit(EXIT_FAILURE
);
5167 if (!switch_to_ns(init_pid
, "mnt")) {
5168 ERROR("Failed to enter mount namespace");
5169 _exit(EXIT_FAILURE
);
5172 /* Do the unmount */
5173 ret
= umount2(target
, flags
);
5175 SYSERROR("Failed to umount \"%s\"", target
);
5176 _exit(EXIT_FAILURE
);
5179 _exit(EXIT_SUCCESS
);
5182 ret
= wait_for_pid(pid
);
5184 SYSERROR("Wait for the child with pid %ld failed", (long)pid
);
5191 WRAP_API_3(int, lxcapi_umount
, const char *, unsigned long, struct lxc_mount
*)
5193 static int lxcapi_attach_run_waitl(struct lxc_container
*c
, lxc_attach_options_t
*options
, const char *program
, const char *arg
, ...)
5202 current_config
= c
->lxc_conf
;
5205 argv
= lxc_va_arg_list_to_argv_const(ap
, 1);
5209 ERROR("Memory allocation error.");
5215 ret
= do_lxcapi_attach_run_wait(c
, options
, program
, (const char * const *)argv
);
5219 current_config
= NULL
;
5223 static int do_lxcapi_seccomp_notify_fd(struct lxc_container
*c
)
5225 if (!c
|| !c
->lxc_conf
)
5226 return ret_set_errno(-1, -EINVAL
);
5228 return lxc_seccomp_get_notify_fd(&c
->lxc_conf
->seccomp
);
5231 WRAP_API(int, lxcapi_seccomp_notify_fd
)
5233 struct lxc_container
*lxc_container_new(const char *name
, const char *configpath
)
5235 struct lxc_container
*c
;
5242 c
= malloc(sizeof(*c
));
5244 fprintf(stderr
, "Failed to allocate memory for %s\n", name
);
5247 memset(c
, 0, sizeof(*c
));
5250 c
->config_path
= strdup(configpath
);
5252 c
->config_path
= strdup(lxc_global_config_value("lxc.lxcpath"));
5253 if (!c
->config_path
) {
5254 fprintf(stderr
, "Failed to allocate memory for %s\n", name
);
5258 remove_trailing_slashes(c
->config_path
);
5261 c
->name
= malloc(len
+ 1);
5263 fprintf(stderr
, "Failed to allocate memory for %s\n", name
);
5266 (void)strlcpy(c
->name
, name
, len
+ 1);
5269 c
->slock
= lxc_newlock(c
->config_path
, name
);
5271 fprintf(stderr
, "Failed to create lock for %s\n", name
);
5275 c
->privlock
= lxc_newlock(NULL
, NULL
);
5277 fprintf(stderr
, "Failed to create private lock for %s\n", name
);
5281 if (!set_config_filename(c
)) {
5282 fprintf(stderr
, "Failed to create config file name for %s\n", name
);
5286 if (file_exists(c
->configfile
) && !lxcapi_load_config(c
, NULL
)) {
5287 fprintf(stderr
, "Failed to load config for %s\n", name
);
5291 rc
= ongoing_create(c
);
5293 case LXC_CREATE_INCOMPLETE
:
5294 SYSERROR("Failed to complete container creation for %s", c
->name
);
5295 container_destroy(c
, NULL
);
5296 lxcapi_clear_config(c
);
5298 case LXC_CREATE_ONGOING
:
5299 /* container creation going on */
5301 case LXC_CREATE_FAILED
:
5302 /* container creation failed */
5303 if (errno
!= EACCES
&& errno
!= EPERM
) {
5304 /* insufficient privileges */
5305 SYSERROR("Failed checking for incomplete container %s creation", c
->name
);
5311 c
->daemonize
= true;
5314 /* Assign the member functions. */
5315 c
->is_defined
= lxcapi_is_defined
;
5316 c
->state
= lxcapi_state
;
5317 c
->is_running
= lxcapi_is_running
;
5318 c
->freeze
= lxcapi_freeze
;
5319 c
->unfreeze
= lxcapi_unfreeze
;
5320 c
->console
= lxcapi_console
;
5321 c
->console_getfd
= lxcapi_console_getfd
;
5322 c
->init_pid
= lxcapi_init_pid
;
5323 c
->init_pidfd
= lxcapi_init_pidfd
;
5324 c
->load_config
= lxcapi_load_config
;
5325 c
->want_daemonize
= lxcapi_want_daemonize
;
5326 c
->want_close_all_fds
= lxcapi_want_close_all_fds
;
5327 c
->start
= lxcapi_start
;
5328 c
->startl
= lxcapi_startl
;
5329 c
->stop
= lxcapi_stop
;
5330 c
->config_file_name
= lxcapi_config_file_name
;
5331 c
->wait
= lxcapi_wait
;
5332 c
->set_config_item
= lxcapi_set_config_item
;
5333 c
->destroy
= lxcapi_destroy
;
5334 c
->destroy_with_snapshots
= lxcapi_destroy_with_snapshots
;
5335 c
->rename
= lxcapi_rename
;
5336 c
->save_config
= lxcapi_save_config
;
5337 c
->get_keys
= lxcapi_get_keys
;
5338 c
->create
= lxcapi_create
;
5339 c
->createl
= lxcapi_createl
;
5340 c
->shutdown
= lxcapi_shutdown
;
5341 c
->reboot
= lxcapi_reboot
;
5342 c
->reboot2
= lxcapi_reboot2
;
5343 c
->clear_config
= lxcapi_clear_config
;
5344 c
->clear_config_item
= lxcapi_clear_config_item
;
5345 c
->get_config_item
= lxcapi_get_config_item
;
5346 c
->get_running_config_item
= lxcapi_get_running_config_item
;
5347 c
->get_cgroup_item
= lxcapi_get_cgroup_item
;
5348 c
->set_cgroup_item
= lxcapi_set_cgroup_item
;
5349 c
->get_config_path
= lxcapi_get_config_path
;
5350 c
->set_config_path
= lxcapi_set_config_path
;
5351 c
->clone
= lxcapi_clone
;
5352 c
->get_interfaces
= lxcapi_get_interfaces
;
5353 c
->get_ips
= lxcapi_get_ips
;
5354 c
->attach
= lxcapi_attach
;
5355 c
->attach_run_wait
= lxcapi_attach_run_wait
;
5356 c
->attach_run_waitl
= lxcapi_attach_run_waitl
;
5357 c
->snapshot
= lxcapi_snapshot
;
5358 c
->snapshot_list
= lxcapi_snapshot_list
;
5359 c
->snapshot_restore
= lxcapi_snapshot_restore
;
5360 c
->snapshot_destroy
= lxcapi_snapshot_destroy
;
5361 c
->snapshot_destroy_all
= lxcapi_snapshot_destroy_all
;
5362 c
->may_control
= lxcapi_may_control
;
5363 c
->add_device_node
= lxcapi_add_device_node
;
5364 c
->remove_device_node
= lxcapi_remove_device_node
;
5365 c
->attach_interface
= lxcapi_attach_interface
;
5366 c
->detach_interface
= lxcapi_detach_interface
;
5367 c
->checkpoint
= lxcapi_checkpoint
;
5368 c
->restore
= lxcapi_restore
;
5369 c
->migrate
= lxcapi_migrate
;
5370 c
->console_log
= lxcapi_console_log
;
5371 c
->mount
= lxcapi_mount
;
5372 c
->umount
= lxcapi_umount
;
5373 c
->seccomp_notify_fd
= lxcapi_seccomp_notify_fd
;
5378 lxc_container_free(c
);
5382 int lxc_get_wait_states(const char **states
)
5387 for (i
=0; i
<MAX_STATE
; i
++)
5388 states
[i
] = lxc_state2str(i
);
5394 * These next two could probably be done smarter with reusing a common function
5395 * with different iterators and tests...
5397 int list_defined_containers(const char *lxcpath
, char ***names
, struct lxc_container
***cret
)
5399 __do_closedir
DIR *dir
= NULL
;
5400 int i
, cfound
= 0, nfound
= 0;
5401 struct dirent
*direntp
;
5402 struct lxc_container
*c
;
5405 lxcpath
= lxc_global_config_value("lxc.lxcpath");
5407 dir
= opendir(lxcpath
);
5409 SYSERROR("opendir on lxcpath");
5419 while ((direntp
= readdir(dir
))) {
5420 /* Ignore '.', '..' and any hidden directory. */
5421 if (!strncmp(direntp
->d_name
, ".", 1))
5424 if (!config_file_exists(lxcpath
, direntp
->d_name
))
5428 if (!add_to_array(names
, direntp
->d_name
, cfound
))
5438 c
= lxc_container_new(direntp
->d_name
, lxcpath
);
5440 INFO("Container %s:%s has a config but could not be loaded",
5441 lxcpath
, direntp
->d_name
);
5444 if(!remove_from_array(names
, direntp
->d_name
, cfound
--))
5450 if (!do_lxcapi_is_defined(c
)) {
5451 INFO("Container %s:%s has a config but is not defined",
5452 lxcpath
, direntp
->d_name
);
5455 if(!remove_from_array(names
, direntp
->d_name
, cfound
--))
5458 lxc_container_put(c
);
5462 if (!add_to_clist(cret
, c
, nfound
, true)) {
5463 lxc_container_put(c
);
5473 if (names
&& *names
) {
5474 for (i
= 0; i
< cfound
; i
++)
5479 if (cret
&& *cret
) {
5480 for (i
= 0; i
< nfound
; i
++)
5481 lxc_container_put((*cret
)[i
]);
5488 int list_active_containers(const char *lxcpath
, char ***nret
,
5489 struct lxc_container
***cret
)
5491 __do_free
char *line
= NULL
;
5492 __do_fclose
FILE *f
= NULL
;
5493 int i
, ret
= -1, cret_cnt
= 0, ct_name_cnt
= 0;
5495 char **ct_name
= NULL
;
5497 struct lxc_container
*c
= NULL
;
5501 lxcpath
= lxc_global_config_value("lxc.lxcpath");
5502 lxcpath_len
= strlen(lxcpath
);
5510 f
= fopen("/proc/net/unix", "re");
5514 while (getline(&line
, &len
, f
) != -1) {
5515 char *p
= strrchr(line
, ' '), *p2
;
5526 if (strncmp(p
, lxcpath
, lxcpath_len
) == 0) {
5528 } else if (strncmp(p
, "lxc/", 4) == 0) {
5538 /* Now p is the start of lxc_name. */
5539 p2
= strchr(p
, '/');
5540 if (!p2
|| strncmp(p2
, "/command", 8) != 0)
5545 char *recvpath
= lxc_cmd_get_lxcpath(p
);
5549 if (strncmp(lxcpath
, recvpath
, lxcpath_len
) != 0) {
5555 p
= lxc_cmd_get_name(p
);
5560 if (array_contains(&ct_name
, p
, ct_name_cnt
)) {
5566 if (!add_to_array(&ct_name
, p
, ct_name_cnt
)) {
5569 goto free_cret_list
;
5580 c
= lxc_container_new(p
, lxcpath
);
5582 INFO("Container %s:%s is running but could not be loaded",
5585 remove_from_array(&ct_name
, p
, ct_name_cnt
--);
5596 * If this is an anonymous container, then is_defined *can*
5597 * return false. So we don't do that check. Count on the
5598 * fact that the command socket exists.
5601 if (!add_to_clist(cret
, c
, cret_cnt
, true)) {
5602 lxc_container_put(c
);
5603 goto free_cret_list
;
5609 if (nret
&& cret
&& cret_cnt
!= ct_name_cnt
) {
5611 lxc_container_put(c
);
5612 goto free_cret_list
;
5624 if (cret
&& *cret
) {
5625 for (i
= 0; i
< cret_cnt
; i
++)
5626 lxc_container_put((*cret
)[i
]);
5632 for (i
= 0; i
< ct_name_cnt
; i
++)
5641 int list_all_containers(const char *lxcpath
, char ***nret
,
5642 struct lxc_container
***cret
)
5644 int i
, ret
, active_cnt
, ct_cnt
, ct_list_cnt
;
5647 struct lxc_container
**ct_list
= NULL
;
5649 ct_cnt
= list_defined_containers(lxcpath
, &ct_name
, NULL
);
5653 active_cnt
= list_active_containers(lxcpath
, &active_name
, NULL
);
5654 if (active_cnt
< 0) {
5659 for (i
= 0; i
< active_cnt
; i
++) {
5660 if (!array_contains(&ct_name
, active_name
[i
], ct_cnt
)) {
5661 if (!add_to_array(&ct_name
, active_name
[i
], ct_cnt
)) {
5663 goto free_active_name
;
5669 free(active_name
[i
]);
5670 active_name
[i
] = NULL
;
5677 for (i
= 0, ct_list_cnt
= 0; i
< ct_cnt
&& cret
; i
++) {
5678 struct lxc_container
*c
;
5680 c
= lxc_container_new(ct_name
[i
], lxcpath
);
5682 WARN("Container %s:%s could not be loaded", lxcpath
, ct_name
[i
]);
5683 remove_from_array(&ct_name
, ct_name
[i
], ct_cnt
--);
5687 if (!add_to_clist(&ct_list
, c
, ct_list_cnt
, false)) {
5688 lxc_container_put(c
);
5709 for (i
= 0; i
< ct_list_cnt
; i
++) {
5710 lxc_container_put(ct_list
[i
]);
5715 for (i
= 0; i
< active_cnt
; i
++) {
5716 free(active_name
[i
]);
5721 for (i
= 0; i
< ct_cnt
; i
++) {
5728 bool lxc_config_item_is_supported(const char *key
)
5730 return !!lxc_get_config(key
);
5733 bool lxc_has_api_extension(const char *extension
)
5735 /* The NULL API extension is always present. :) */
5739 for (size_t i
= 0; i
< nr_api_extensions
; i
++)
5740 if (strcmp(api_extensions
[i
], extension
) == 0)