dlezcano [Thu, 12 Feb 2009 14:47:10 +0000 (14:47 +0000)]
build a set of flags for the different enabled subsystems
From: Daniel Lezcano <dlezcano@fr.ibm.com>
When we want to check if a subsystem is enabled, we look at the
presence of a file/directory in the configuration tree files. That
works until we chroot into the rootfs. Some subsystems should
preferably be set up after the chroot, making the code simpler and
easier to read. So before setting up the different subsystems, I build a
set of flags and reuse it later to check whether the subsystem is enabled or
not.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
dlezcano [Thu, 5 Feb 2009 12:03:47 +0000 (12:03 +0000)]
handle interruption/failure of lxc-debian more gracefully
From: Matt Helsley <matthltc@us.ibm.com>
If lxc-debian fails or is interrupted during debootstrap, then the next
invocation of lxc-debian breaks because it only checks for the existence
of the directory. This forces the user to remove the cache by hand to
retry the create step.
Let's allow the user to re-run lxc-debian to resume/retry. Store the
cache in a partial-$ARCH directory until debootstrap succeeds. Then move
the valid cache to its final destination.
Signed-off-by: Matt Helsley <matthltc@us.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
dlezcano [Mon, 2 Feb 2009 14:50:00 +0000 (14:50 +0000)]
Add signalfd function definition
From: Dietmar Maurer <dietmar@proxmox.com>
The signalfd function prototype and the signalfd header file are not
defined in Debian Lenny. We want to use this Debian version with a
newer kernel.
This patch gives the signalfd function prototype, because the function is
available in glibc 2.7, which is the version coming with Debian Lenny.
Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
dlezcano [Thu, 29 Jan 2009 10:50:28 +0000 (10:50 +0000)]
Complete use of autoconf prefix in lxc-debian
From: Matt Helsley <matthltc@us.ibm.com>
The lxc-debian script does not consistently address the lxc lock as
@LOCALSTATEDIR@/lock/subsys/lxc. Make consistent use of the autotools
substitution to completely enable configure --prefixes.
I also added a comment explaining why some of the paths didn't need
autoconf substitutions, for anyone who wants to understand the script.
Also, to separate it from the container contents proper, I moved the
CACHE variable initialization above the container-internal path
variables.
Signed-off-by: Matt Helsley <matthltc@us.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
dlezcano [Mon, 26 Jan 2009 19:43:46 +0000 (19:43 +0000)]
Fixed bad variable type
From: Daniel Lezcano <daniel.lezcano@free.fr>
Fixed the type of the opt variable. On the powerpc architecture, that leads
to an infinite loop in the getopt inspection because getopt returns 255
instead of -1 as expected. The opt variable should be an int and not a char.
Signed-off-by: Daniel Lezcano <daniel.lezcano@free.fr>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
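The char-versus-int pitfall this commit fixes, as an added example that is not code from the lxc tree. getopt() returns -1 when the options are exhausted; stored in a plain char, that value only survives where char is signed, and on PowerPC (where char is unsigned) it becomes 255, so the loop condition never fails. The buggy variant below spells the type out as unsigned char so the behaviour reproduces on any host, and fake_getopt is a constructed stand-in for getopt() so the block runs without real argv parsing.

```c
/* Added example, not lxc code: why the variable receiving getopt()'s
 * return value must be an int. getopt() returns -1 once the options
 * are exhausted; in an unsigned char that is 255, and 255 != -1 is
 * always true, so the option loop never terminates. */
#include <stdio.h>

/* Stand-in for getopt(), constructed for the example: an option
 * character for the first `nopts` calls, then -1 forever. */
static int fake_getopt(int call, int nopts)
{
    return call < nopts ? 'v' : -1;
}

/* Buggy loop. Returns the number of 'v' options seen, or -1 if the
 * loop reached `max_iter` iterations, i.e. it would have spun forever. */
int buggy_option_loop(int nopts, int max_iter)
{
    unsigned char opt;   /* the defect: char where int is required */
    int seen = 0, calls = 0;

    while ((opt = fake_getopt(calls++, nopts)) != -1) {
        /* after exhaustion opt holds 255, never -1, so we never leave */
        if (opt == 'v')
            seen++;
        if (calls >= max_iter)
            return -1;
    }
    return seen;
}

/* Fixed loop: an int holds -1 exactly, so the comparison terminates. */
int fixed_option_loop(int nopts, int max_iter)
{
    int opt;
    int seen = 0, calls = 0;

    while ((opt = fake_getopt(calls++, nopts)) != -1) {
        if (opt == 'v')
            seen++;
        if (calls >= max_iter)
            return -1;
    }
    return seen;
}

int main(void)
{
    printf("buggy: %d\n", buggy_option_loop(3, 1000));   /* -1: would never terminate */
    printf("fixed: %d\n", fixed_option_loop(3, 1000));   /*  3 */
    return 0;
}
```

On a host where char is signed the same program compiled with a plain `char opt` would appear to work, which is why the defect only surfaced on PowerPC.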
dlezcano [Sun, 25 Jan 2009 23:29:24 +0000 (23:29 +0000)]
Check the kernel feature
From: Daniel Lezcano <daniel.lezcano@free.fr>
The virtual devices are automatically destroyed when the network namespace
dies for kernel versions >= 2.6.29. Until this version the network devices
have to be destroyed by lxc. This modification checks the version of the
kernel to make lxc destroy the network devices or not.
Signed-off-by: Daniel Lezcano <daniel.lezcano@free.fr>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
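How a run-time check of this kind can be implemented, as an added example that is not lxc's own code. The release string comes from uname(2) and carries distro suffixes ("2.6.29-rc1", "2.6.27.7-9-default"), so only the leading numeric fields are compared; parse_kernel_release, release_at_least and lxc_must_destroy_netdevs are names chosen here.

```c
/* Added example, not lxc code: decide whether the running kernel tears
 * down a dead network namespace's devices itself (>= 2.6.29 per the
 * commit above) or whether lxc has to delete them. */
#include <stdbool.h>
#include <stdio.h>
#include <sys/utsname.h>

/* Parse "MAJOR.MINOR[.PATCH]..." into three ints. Returns false unless
 * at least MAJOR.MINOR is present; a missing PATCH reads as 0. */
bool parse_kernel_release(const char *release, int *maj, int *mnr, int *pat)
{
    *maj = *mnr = *pat = 0;
    return sscanf(release, "%d.%d.%d", maj, mnr, pat) >= 2;
}

/* True when release >= want_maj.want_mnr.want_pat. Unparsable input
 * compares as older than anything, which keeps the manual cleanup. */
bool release_at_least(const char *release, int want_maj, int want_mnr, int want_pat)
{
    int maj, mnr, pat;
    if (!parse_kernel_release(release, &maj, &mnr, &pat))
        return false;
    if (maj != want_maj)
        return maj > want_maj;
    if (mnr != want_mnr)
        return mnr > want_mnr;
    return pat >= want_pat;
}

/* Policy from the commit: before 2.6.29 lxc must destroy the devices.
 * Caveat: "-rcN" is a pre-release of the version it names and is
 * treated as that version here, because only the numbers are read. */
bool lxc_must_destroy_netdevs(const char *release)
{
    return !release_at_least(release, 2, 6, 29);
}

/* Same decision for the kernel this program is running on. */
bool running_kernel_must_destroy_netdevs(void)
{
    struct utsname u;
    if (uname(&u) != 0)
        return true;   /* cannot tell: fail towards doing the cleanup */
    return lxc_must_destroy_netdevs(u.release);
}

int main(void)
{
    struct utsname u;
    if (uname(&u) == 0)
        printf("%s: lxc %s destroy the network devices\n", u.release,
               running_kernel_must_destroy_netdevs() ? "must" : "need not");
    return 0;
}
```

Failing towards "destroy it ourselves" when the version cannot be read is the safe default: deleting a device the kernel has already removed is a harmless error, while leaking a veth on the host is not.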
dlezcano [Mon, 5 Jan 2009 19:19:46 +0000 (19:19 +0000)]
Create the localstatedir when installing the commands
From: Daniel Lezcano <dlezcano@fr.ibm.com>
For some distros (e.g. openSUSE), when installing with "make install", the
localstatedir is not created. This modification makes this directory be
created at install time.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
dlezcano [Mon, 5 Jan 2009 18:36:23 +0000 (18:36 +0000)]
Add freezer compatibility for older interface
From: Daniel Lezcano <dlezcano@fr.ibm.com>
Different interfaces exist for the freezer: "RUNNING" or "THAWED" should
be written to the freezer file, so in the case of "THAWED" we fall back to
"RUNNING". That allows supporting the older freezer kernel interface of 2.6.27.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
dlezcano [Tue, 9 Dec 2008 09:43:15 +0000 (09:43 +0000)]
Enqueue cgroup values in the right order
From: Daniel Lezcano <dlezcano@fr.ibm.com>
Use the list_add_tail function to add the elements at the end of the list,
so when the cgroup elements are set up, they will be stored in the file
in the right order.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
dlezcano [Fri, 28 Nov 2008 15:36:51 +0000 (15:36 +0000)]
Added a script directory for containers creation helper scripts
From: Daniel Lezcano <dlezcano@fr.ibm.com>
Added a directory called 'scripts' where two helpers are stored.
The first one allows creating a mini Debian container and the
second one creating an sshd container.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
dlezcano [Thu, 27 Nov 2008 22:09:56 +0000 (22:09 +0000)]
Added lxc-debian command
From: Daniel Lezcano <dlezcano@fr.ibm.com>
Added the script lxc-debian to the package.
This command allows debootstrapping a minimal Debian and configuring a container
to run it. Several Debians can be installed by invoking the command with a
different container name.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
dlezcano [Wed, 26 Nov 2008 17:34:52 +0000 (17:34 +0000)]
Add a simpler utility to unshare the namespaces.
From: Daniel Lezcano <dlezcano@fr.ibm.com>
lt-lxc-unshare <options> [command]
Options are:
-f : fork and unshare (automatic when unsharing the pids)
-m : unshare the mount points
-p : unshare the pids
-h : unshare the utsname
-i : unshare the sysv ipc
-n : unshare the network
-u <id> : unshare the users and set a new id
(if -f or -p is specified, <command> is mandatory)
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
dlezcano [Tue, 25 Nov 2008 17:01:56 +0000 (17:01 +0000)]
Add read permission checking for the container
From: Daniel Lezcano <dlezcano@fr.ibm.com>
When a user tries to look at the pids or network information belonging
to a container not owned by the user, the command silently fails. I changed
that to check the read permission, display an error and exit.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
dlezcano [Tue, 18 Nov 2008 09:40:05 +0000 (09:40 +0000)]
List the available containers and the processes belonging to such a container.
From: Daniel Lezcano <dlezcano@fr.ibm.com>
This modification changes the lxc-ps command and adds the lxc-ls command.
The lxc-ps command takes the container name argument and shows the processes
belonging to the specified container. The usual ps arguments can be passed to
lxc-ps to change the output.
Examples:
lxc-ps -n foo --forest
lxc-ps -n foo -o pid=
The lxc-ls command lists the container names available on the system. This is
useful to retrieve information for each container.
Examples:
for i in $(lxc-ls); do
    lxc-info -n $i
    lxc-ps -n $i --forest
done
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
dlezcano [Mon, 17 Nov 2008 16:01:34 +0000 (16:01 +0000)]
Add return error status in the different functions
From: Daniel Lezcano <dlezcano@fr.ibm.com>
Add the most well-known errors to the different APIs to be followed up by the
caller, so we can later show a better message to the user when something
goes wrong. The error catching is coarse-grained right now but will be improved
step by step.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
dlezcano [Fri, 14 Nov 2008 16:16:35 +0000 (16:16 +0000)]
Change at compilation time the destruction of the network devices
From: Daniel Lezcano <dlezcano@fr.ibm.com>
Future kernel versions will automatically destroy the network devices
when the network namespace exits. This is not the case for the current version.
In order to handle both cases, I added a configuration option to disable
the network destruction when the container exits:
--disable-network-destroy
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
dlezcano [Fri, 14 Nov 2008 15:42:59 +0000 (15:42 +0000)]
Fix cgroup configuration format
From: Daniel Lezcano <dlezcano@fr.ibm.com>
This modification changes the configuration format. Instead of creating
a 'cgroup' directory with a file per controller, a single file is used
to store the different values for the control groups. That allows assigning
several values to the same controller, like "devices.allow", and keeping the same
assignment order as defined in the configuration.
In order to keep compatibility, when the old cgroup format is detected, it
is automatically converted to the new format.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
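The ordering point made by this commit and by the list_add_tail change above ("Enqueue cgroup value in the right order"), as an added example that is not lxc code. Device rules are applied in sequence, so "devices.deny = a" followed by "devices.allow = c 1:3 rwm" is a tight allowlist while the reverse order denies everything again; tail insertion keeps the file's order, head insertion hands the kernel the rules reversed. The "key = value" line format, the SAMPLE_CONFIG text and the helper names are constructed for the illustration and are not lxc's configuration syntax.

```c
/* Added example, not lxc code. cgroup settings read from a "key = value"
 * file (a format made up for this example) go into a singly linked list.
 * `append` chooses tail insertion, which keeps the file's order as
 * list_add_tail does, or head insertion, which reverses it. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct cgroup_setting {
    char key[64];
    char value[128];
    struct cgroup_setting *next;
};

/* Constructed sample: deny every device, then re-allow two char devices. */
const char SAMPLE_CONFIG[] =
    "# constructed sample, not an lxc config file\n"
    "devices.deny = a\n"
    "devices.allow = c 1:3 rwm\n"
    "\n"
    "devices.allow = c 1:5 rwm\n";

/* Parse "key = value" lines; blank lines and '#' comments are skipped.
 * Duplicate keys stay separate entries, one per line. Returns the head. */
struct cgroup_setting *cgroup_parse(const char *text, bool append)
{
    struct cgroup_setting *head = NULL, **tailp = &head;

    while (*text) {
        const char *nl = strchr(text, '\n');
        size_t len = nl ? (size_t)(nl - text) : strlen(text);
        char line[256];
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, text, len);
        line[len] = '\0';
        text += len + (nl ? 1 : 0);

        char *eq = strchr(line, '=');
        if (line[0] == '#' || !eq)
            continue;
        *eq = '\0';
        struct cgroup_setting *s = calloc(1, sizeof *s);
        if (!s || sscanf(line, " %63s", s->key) != 1) {
            free(s);
            continue;
        }
        const char *v = eq + 1;
        while (*v == ' ' || *v == '\t')
            v++;
        snprintf(s->value, sizeof s->value, "%s", v);

        if (append) {           /* list_add_tail: keeps config order */
            *tailp = s;
            tailp = &s->next;
        } else {                /* list_add: newest first, order reversed */
            s->next = head;
            head = s;
        }
    }
    return head;
}

/* Render the list in application order, one "key = value" per line.
 * Returns bytes written, or -1 if `size` is too small. */
int cgroup_render(const struct cgroup_setting *head, char *out, size_t size)
{
    size_t used = 0;
    for (const struct cgroup_setting *s = head; s; s = s->next) {
        int n = snprintf(out + used, size - used, "%s = %s\n", s->key, s->value);
        if (n < 0 || (size_t)n >= size - used)
            return -1;
        used += (size_t)n;
    }
    return (int)used;
}

void cgroup_free(struct cgroup_setting *head)
{
    while (head) {
        struct cgroup_setting *next = head->next;
        free(head);
        head = next;
    }
}

/* Parse SAMPLE_CONFIG with the chosen insertion policy and render it. */
int render_sample(bool append, char *out, size_t size)
{
    struct cgroup_setting *list = cgroup_parse(SAMPLE_CONFIG, append);
    int n = cgroup_render(list, out, size);
    cgroup_free(list);
    return n;
}
```

Rendering with append=false shows the failure mode: the two devices.allow lines come first and devices.deny = a last, so the container ends up with no device access at all rather than the two intended exceptions.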
dlezcano [Thu, 13 Nov 2008 16:53:23 +0000 (16:53 +0000)]
Add the setpcap capability to be able to drop the sys_boot capability.
From: Daniel Lezcano <dlezcano@fr.ibm.com>
Previously, we dropped the CAP_SYS_BOOT capability. Unfortunately, if we are a
non-root user, we are not able to do that. So I added CAP_SETPCAP to the
lxc-execute and lxc-start command lines to remove this capability.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
dlezcano [Thu, 13 Nov 2008 15:21:55 +0000 (15:21 +0000)]
Replace lxc_execute by an intermediate lxc_init
From: Daniel Lezcano <dlezcano@fr.ibm.com>
The main difference between lxc_start and lxc_execute is that the latter creates
an intermediate process to wait for all the children. That allows supporting
daemons or orphan process groups in the pid namespace.
Having such a difference makes the code duplicated between the two
functions. So instead of doing this, I created an intermediate <init> program
which is in charge of launching the specified command. This command is the
lxc-init program, taking different options:
--mount-procfs : mount the proc filesystem before exec'ing the command
--mount-sysfs : mount the sys filesystem before exec'ing the command
A double dash indicates the end of the options of lxc-init and the beginning
of the command to be launched.
To summarize:
* the lxc_execute function is no more.
* the lxc-execute command uses the lxc_start function and launches the specified
command via lxc-init
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
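What an intermediate init of this kind has to do, as an added example that is not the lxc-init source. The option names follow the commit message; init_run, parse_init_opts and struct init_opts are names chosen here. It is Linux-specific (prctl, mount), the mount calls only succeed with CAP_SYS_ADMIN, and PR_SET_CHILD_SUBREAPER is used so that the reaping behaviour can be observed even when the program is not pid 1 of a pid namespace.

```c
/* Added example, not the lxc-init source: the work an intermediate init
 * does for lxc-execute. Its own options run up to "--"; what follows is
 * exec'd in a child, and the parent then reaps *every* child until none
 * is left, so daemons and orphaned process groups inside the pid
 * namespace never linger as zombies. Outside a pid namespace (e.g. in a
 * test) this process is not pid 1, so PR_SET_CHILD_SUBREAPER asks the
 * kernel to reparent orphans to it anyway. Linux only. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

struct init_opts {
    bool mount_procfs;
    bool mount_sysfs;
    int cmd_index;   /* argv index of the command to exec, -1 if none */
};

/* Everything before "--" is an init option; everything after is the
 * command. Returns false on an unknown option or a missing command. */
bool parse_init_opts(int argc, char **argv, struct init_opts *o)
{
    o->mount_procfs = o->mount_sysfs = false;
    o->cmd_index = -1;
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "--") == 0) {
            if (i + 1 < argc)
                o->cmd_index = i + 1;
            return o->cmd_index != -1;
        }
        if (strcmp(argv[i], "--mount-procfs") == 0)
            o->mount_procfs = true;
        else if (strcmp(argv[i], "--mount-sysfs") == 0)
            o->mount_sysfs = true;
        else
            return false;
    }
    return false;   /* no "--" seen: nothing to run */
}

/* Start the command as the container's first process and reap until no
 * child is left. Returns the command's exit code (128+signal if it was
 * killed), 127 if it could not be exec'd, or -1 on a setup error. */
int init_run(int argc, char **argv)
{
    struct init_opts o;
    if (!parse_init_opts(argc, argv, &o))
        return -1;

    /* pid 1 of a pid namespace adopts orphans automatically; when this
     * is not pid 1, take on that role explicitly. */
    prctl(PR_SET_CHILD_SUBREAPER, 1, 0, 0, 0);

    /* These need CAP_SYS_ADMIN; a failure is reported but not fatal. */
    if (o.mount_procfs && mount("proc", "/proc", "proc", 0, NULL) != 0)
        perror("mount /proc");
    if (o.mount_sysfs && mount("sysfs", "/sys", "sysfs", 0, NULL) != 0)
        perror("mount /sys");

    pid_t child = fork();
    if (child < 0)
        return -1;
    if (child == 0) {
        execvp(argv[o.cmd_index], &argv[o.cmd_index]);
        _exit(127);
    }

    int rc = -1, status;
    for (;;) {
        pid_t pid = waitpid(-1, &status, 0);
        if (pid < 0) {
            if (errno == EINTR)
                continue;
            break;   /* ECHILD: the last process is gone, init may exit */
        }
        if (pid != child)
            continue;   /* a reparented orphan: reaped, nothing to record */
        if (WIFEXITED(status))
            rc = WEXITSTATUS(status);
        else if (WIFSIGNALED(status))
            rc = 128 + WTERMSIG(status);
    }
    return rc;
}

int main(int argc, char **argv)
{
    int rc = init_run(argc, argv);
    if (rc < 0)
        fprintf(stderr, "usage: %s [--mount-procfs] [--mount-sysfs] -- command [args]\n", argv[0]);
    return rc < 0 ? 1 : rc;
}
```

Running it as `./a.out -- /bin/sh -c '(sleep 1 &); exit 5'` shows the point of the reaping loop: the shell exits with status 5 immediately, but init stays alive until the backgrounded sleep it adopted has been waited for, and only then returns 5.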