fix expansion of LXCPATH,LXCROOTFSMOUNT,LXCTEMPLATEDIR
These variables are not expanded correctly in doc/lxc-create.sgml.in
and a workaround is in place to ensure ${localstatedir}, and ${datadir}
are set in the various shell scripts that use it. There is no workaround
to ensure ${datadir} is set in src/lxc/lxc-create.in, nor is
${localstatedir} set in templates/lxc-altlinux.in so I think that these
are currently broken.
Using AS_AC_EXPAND instead of AC_SUBST fixes these problems and removes
the need for the workarounds. In addition the lxc-start-ephemeral.in
script can be autoconf'ed instead of sed'ed by the makefile.
This commit adds lxc-start-ephemeral as a python script using the
new python-lxc API.
This script is somewhat similar to lxc-clone except that it uses
overlayfs or aufs to provide an overlay on top of the source container.
It also allows the user to directly run a command in the container using
SSH and can fetch the IP address from the container when starting the
container in the background.
The initial work on lxc-start-ephemeral was done by Serge Hallyn in Ubuntu,
this is a re-implementation of it using python and the new LXC hooks.
Compared to the shell implementation, there are three notable differences:
- When starting without a command, lxc-start-ephemeral now attaches to tty1
- When starting in the background (-d), the name and IP of the container is
shown on screen.
- A new "-k" option is added, allowing the user to keep the ephemeral
container after shutdown. This turns off the tmpfs backend and sets up the
hooks so that the container can be started/stopped multiple times.
This code was addeed to deal with stopped/dead containers but
really shouldn't be implemented there. Instead the setsid() call in
start() should be enough to prevent python from getting the SIGCHLD and
having to deal with it.
Serge Hallyn [Fri, 31 Aug 2012 17:25:38 +0000 (12:25 -0500)]
Add lxc.hook.pre-mount
This happens in the container's namespace, but before the rootfs is
setup and mounted. This gives us a chance to mangle the rootfs - i.e.
ecryptfs-mount it.
Stéphane Graber [Wed, 29 Aug 2012 16:27:53 +0000 (09:27 -0700)]
Add lxc.aa_profile example to all templates
LXC has optional apparmor support, default profile is lxc-container-default.
This change adds a commented "lxc.aa_profile = default" line to all templates,
uncommenting this will bypass apparmor for the container.
Stéphane Graber [Mon, 27 Aug 2012 22:53:00 +0000 (18:53 -0400)]
Merge the liblxc API work by Serge Hallyn.
This turns liblxc into a public library implementing a container structure.
The container structure is meant to cover most LXC commands and can easily be
used to write bindings in other programming languages.
More information on the new functions can be found in src/lxc/lxccontainer.h
Test programs using the API can also be found in src/tests/
Christian Seiler [Tue, 21 Aug 2012 22:03:16 +0000 (00:03 +0200)]
lxc-attach: Add -R option to remount /sys and /proc when only partially attaching
When attaching to only some namespaces of the container but not the mount
namespace, the contents of /sys and /proc of the host system do not properly
reflect the context of the container's pid and/or network namespaces, and
possibly others.
The introduced -R option adds the possibility to additionally unshare the
mount namespace (when it is not being attached) and remount /sys and /proc
in order for those filesystems to properly reflect the container's context
even when only attaching to some of the namespaces.
Signed-off-by: Christian Seiler <christian@iwakd.de> Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Cc: Daniel Lezcano <daniel.lezcano@free.fr>
Christian Seiler [Tue, 21 Aug 2012 22:03:15 +0000 (00:03 +0200)]
lxc-attach: Add -s option to select namespaces to attach to
This patch allows the user to select any list of namespaces (network, pid,
mount, uts, ipc, user) that lxc-attach should use when attaching to the
container; all other namespaces will not be attached to.
This allows the user to for example attach to just the network namespace and
use the host's (and not the container's) network tools to reconfigure the
network of the container.
Signed-off-by: Christian Seiler <christian@iwakd.de> Cc: Daniel Lezcano <daniel.lezcano@free.fr> Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Christian Seiler [Tue, 21 Aug 2012 22:03:14 +0000 (00:03 +0200)]
lxc-unshare: Move functions to determine clone flags from command line options to namespace.c
In order to be able to reuse code in lxc-attach, the functions
lxc_namespace_2_cloneflag and lxc_fill_namespace_flags are moved from
lxc_unshare.c to namespace.c.
Signed-off-by: Christian Seiler <christian@iwakd.de> Cc: Daniel Lezcano <daniel.lezcano@free.fr> Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Christian Seiler [Tue, 21 Aug 2012 22:03:13 +0000 (00:03 +0200)]
lxc-attach: Detect which namespaces to attach to dynamically
Use the command interface to contact lxc-start to receive the set of
flags passed to clone() when starting the container. This allows lxc-attach
to determine which namespaces were used for the container and select only
those to attach to.
Signed-off-by: Christian Seiler <christian@iwakd.de> Cc: Daniel Lezcano <daniel.lezcano@free.fr> Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Christian Seiler [Tue, 21 Aug 2012 22:03:12 +0000 (00:03 +0200)]
lxc-attach: Remodel cgroup attach logic and attach to namespaces again in parent process
With the introduction of lxc-attach's functionality to attach to cgroups,
the setns() calls were put in the child process after the fork() and not the
parent process before the fork() so the parent process remained outside the
namespaces and could add the child to the correct cgroup.
Unfortunately, the pid namespace really affects only children of the current
process and not the process itself, which has several drawbacks: The
attached program does not have a pid inside the container and the context
that is used when remounting /proc from that process is wrong. Thus, the
previous logic of first setting the namespaces and then forking so the child
process (which then exec()s to the desired program) is a real member of the
container.
However, inside the container, there is no guarantee that the cgroup
filesystem is still be mounted and that we are allowed to write to it (which
is why the setns() was moved in the first place).
To work around both problems, we separate the cgroup attach functionality
into two parts: Preparing the attach process, which just opens the tasks
files of all cgroups and keeps the file descriptors open and the writing to
those fds part. This allows us to open all the tasks files in lxc_attach,
then call setns(), then fork, in the child process close them completely and
in the parent process just write the pid of the child process to all those
fds.
Signed-off-by: Christian Seiler <christian@iwakd.de> Cc: Daniel Lezcano <daniel.lezcano@free.fr> Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Christian Seiler [Tue, 21 Aug 2012 22:03:11 +0000 (00:03 +0200)]
lxc-start: Add command to retrieve the clone flags used to start the container.
Add the LXC_COMMAND_CLONE_FLAGS that retrieves the flags passed to clone(2)
when the container was started. This allows external programs to determine
which namespaces the container was unshared from.
Signed-off-by: Christian Seiler <christian@iwakd.de> Cc: Daniel Lezcano <daniel.lezcano@free.fr> Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Serge Hallyn [Tue, 21 Aug 2012 15:11:23 +0000 (10:11 -0500)]
lxc-create: Make location of container rootfs configurable
Make 'dir' an explicit backing store type, which accepts '--dir rootfs'
as an option to specify a custom location for the container rootfs. Also
update lxc-destroy to now remove the rootfs separately, as removing
@LXCPATH@/$name may not hit it.
Jan Kiszka [Mon, 9 Jul 2012 17:15:48 +0000 (19:15 +0200)]
Add network-down script
Analogously to lxc.network.script.up, add the ability to register a down
script. It is called before the guest network is finally destroyed,
allowing to clean up resources that are not reset/destroyed
automatically. Parameters of the down script are identical to the up
script except for the execution context "down".
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
This patch is so far just a proof of concept. The libseccomp api will be
changing soon so it probably wouldn't be worth pulling this until it is
updated for the new API.
This patch introduces support for seccomp to lxc. Seccomp lets a program
restrict its own (and its children's) future access to system calls. It
uses a simple whitelist system call policy file. It would probably be
better to switch to something more symbolic (i.e specifying 'open' rather
than the syscall #, especially given container arch flexibility).
I just wanted to get this out there as a first step. You can also get
source for an ubuntu package based on this patch at
https://code.launchpad.net/~serge-hallyn/ubuntu/quantal/lxc/lxc-seccomp
Jan Kiszka [Thu, 9 Aug 2012 22:54:48 +0000 (17:54 -0500)]
lxc-wait: Add timeout option
Allow to specify a timeout for waiting on state changes via lxc-wait.
Helpful for scripts that need to handle errors or excessive delays in
state changing procedures.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Dwight Engen [Wed, 31 Oct 2012 16:08:13 +0000 (17:08 +0100)]
Fix lxc-netstat -- argument processing
Commit 21e487f2 introduced the use of getopt, but getopt will fail when
it sees arguments meant for netstat that are not in [short|long]options.
There should not be any ambiguity about arguments with the same letter:
those to the left of the -- are destined for lxc-netstat and those to
the right for the real netstat, which the original code handles by
shifting out all arguments it recognizes before the -- is hit.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com> Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Dwight Engen [Thu, 25 Oct 2012 20:21:53 +0000 (16:21 -0400)]
Fix lxc-ps -- argument processing
lxc-ps is supposed to pass arguments after the -- on to ps. The problem is
that i is expanded once from $@ and the loop will iterate over all the
arguments that were in $@ at the time of expansion. Inside the loop, there
are shifts (in the name case for example) that are trying to remove more
than a single argument. This changes fixes that and makes lxc-ps work as
documented.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com> Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Dwight Engen [Wed, 31 Oct 2012 16:08:13 +0000 (17:08 +0100)]
Add %{dist} tag to differentiate RPM distributions and releases
Note that an additional Release field is not necessary for the devel package
as it will follow the primary Release field. For more information on the dist
tag, see http://fedoraproject.org/wiki/Packaging:DistTag
Signed-off-by: Dwight Engen <dwight.engen@oracle.com> Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Daniel Lezcano [Wed, 31 Oct 2012 15:39:50 +0000 (16:39 +0100)]
Merge branch 'upstream-bugfix' of https://github.com/lxc/lxc
* 'upstream-bugfix' of https://github.com/lxc/lxc: (47 commits)
replace HOOK define with proper code.
Remove lxc-start-ephemeral from configure.ac
revert devtmpfs in ubuntu templates
lxc-ubuntu{-cloud}: Fix missing "fi" in new devtmpfs code
fix "make rpm"
display warning when yum missing in fedora template
templates: mount devtmpfs in ubuntu containers
handle clone of btrfs snapshots
if the rootfs is a btrfs subvolume, delete it instead of rm -rf
lxc-debian: replace isc-dhcp-server by isc-dhcp-client
lxc-ls: Scan cgroup mount points from fstype and not device
Allow short -h and -n options to lxc-ps
lxc-ubuntu: fix printing of default user
lxc-debian: specify isc-dhcp-server in package list
try to better handle out of date container caches.
link /dev/kmsg to /dev/console in the container
lxc-clone: fix the '--name' parameter
lxc-ls: Use readlink on $directory
lxc-busybox: Use relative mounts in lxc.mount.entry
busybox: for all lib dirs create mounts only if directories exist
...
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Dwight Engen [Thu, 4 Oct 2012 16:28:38 +0000 (12:28 -0400)]
fix "make rpm"
RPM doesn't like "-" in the version number and gives:
"error: line 24: Illegal char '-' in: Version: 0.8.0-rc2"
Other packages (bind-utils for example) have used . instead
of - as a seperator.
Fix determination of $oldroot from the config file. The old code had the '
in the wrong place and didn't account for whitespace between the = and
the rootfs.
Set $rootfs based on $oldroot instead of forcing it to be in
$lxc_path/$lxc_new/rootfs. This allows for btrfs snapshot to be made even if
$lxc_path isn't on the same filesystem. If $oldroot isn't a subvolume,
fall back to making a copy.
Christian Seiler [Mon, 24 Sep 2012 09:21:48 +0000 (11:21 +0200)]
lxc-ls: Scan cgroup mount points from fstype and not device
lxc-ls --active now scans mount points that have the 'cgroup' filesystem
type and not the 'cgroup' device name (which is ignored anyway and may be
anything).
Signed-off-by: Christian Seiler <christian@iwakd.de> Cc: Serge Hallyn <serge.hallyn@ubuntu.com>
lxc-ls was failing in cases where $directory is a symlink to another
directory. Instead have $directory be generated from the output of
readlink -f "$lxc_path".
fix expansion of LXCPATH,LXCROOTFSMOUNT,LXCTEMPLATEDIR
These variables are not expanded correctly in doc/lxc-create.sgml.in
and a workaround is in place to ensure ${localstatedir}, and ${datadir}
are set in the various shell scripts that use it. There is no workaround
to ensure ${datadir} is set in src/lxc/lxc-create.in, nor is
${localstatedir} set in templates/lxc-altlinux.in so I think that these
are currently broken.
Using AS_AC_EXPAND instead of AC_SUBST fixes these problems and removes
the need for the workarounds. In addition the lxc-start-ephemeral.in
script can be autoconf'ed instead of sed'ed by the makefile.
I was getting raw nroff ".SH DESCRIPTION" in my man pages. This fixes
the synopsis cmd args so that doesn't happen. Added replaceable to a few
arguments.
This adds a SIGINIT and SIGPWR handler in the default inittab for
the Debian template. This allows lxc-shutdown/lxc-restart and their API calls
to properly shutdown or reboot the container.
Signed-off-by: Rex Tsai (蔡志展) <rex.tsai@canonical.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>
lxc-destroy: Separately rm rootfs if it is a symlink
If rootfs is a symbolic link but not to a block device, then do a separate
rm of its contents. We have to do this because, out of cowardice, we call
rm with --one-filesystem.
Removing the '-o -h $rootdev' is ok, because if $rootdev is a symbolic
link to a block device (including lvm blockdev) then -b will still return
true.
Stéphane Graber [Fri, 31 Aug 2012 16:17:38 +0000 (09:17 -0700)]
Various fedora template improvements
1. don't add network segment to config
2. check for 'curl'
3. don't add $name to $path, it's already in there
4. don't add devpts to fstab, that's wrong.
5. $UTSNAME doesn't exist
6. set root pwd to root instead of rooter.
7. install fedora-release package.
8. add a console on /dev/console.
9. create empty fstab
10. don't mount devpts in rc.sysinit.
Stéphane Graber [Fri, 31 Aug 2012 15:58:56 +0000 (08:58 -0700)]
Make lxc-execute without rootfs work.
That means, don't try to pin a null rootfs, and don't try to mount /proc
since /var/lib/lxc/root/proc doesn't exist to be mounted onto.
The apparmor patches are not yet upstream, so this patch will not go
upstream by itself.
Serge Hallyn [Thu, 30 Aug 2012 16:02:24 +0000 (11:02 -0500)]
lxc-ubuntu-cloud: get full pathname to userdata file
When passing '--userdata somefile' to the ubuntu-cloud template, a user
may pass a relative pathname. The template uses the filename after
changing current directory, so store the full pathname for the userdata
file instead of a potential relative pathname.
Stéphane Graber [Wed, 29 Aug 2012 16:27:53 +0000 (09:27 -0700)]
Add lxc.aa_profile example to all templates
LXC has optional apparmor support, default profile is lxc-container-default.
This change adds a commented "lxc.aa_profile = default" line to all templates,
uncommenting this will bypass apparmor for the container.
Stéphane Graber [Wed, 29 Aug 2012 20:51:37 +0000 (13:51 -0700)]
Don't update the host-name field in dhclient.conf when not hardcoded.
On Debian and Ubuntu, the default host-name field in dhclient.conf is
set to either "<hostname>" or "gethostname()" both of which get replaced
by the machine's hostname at query time.
The sed call currently present in lxc-clone hardcodes the hostname in
dhclient.conf, causing dpkg to prompt on isc-dhcp updates.
Stéphane Graber [Tue, 28 Aug 2012 17:42:27 +0000 (13:42 -0400)]
Fix lxc-ubuntu and lxc-ubuntu-cloud to properly deal with /dev/shm.
Now that initscripts in Debian and Ubuntu has been updated to no longer
do silly things with /dev/shm and /run/shm on installation/update, the
check needs updating to detect any remaining broken case and fix it.
Serge Hallyn [Tue, 21 Aug 2012 15:05:19 +0000 (10:05 -0500)]
lxc_start: exit early if insufficient privs in daemon mode
Starting a container with insufficient privilege (correctly) fails
during lxc_init. However, if starting a daemonized container, we
daemonize before we get to that check. Therefore while the
container will fail to start, and the logfile will show this, the
'lxc-start -n x -d' command will return success. For ease of
scripting, do a check for the required privilege before we exit.
projects / mirror_lxc.git / log