Fabrice Fontaine [Sat, 11 Feb 2017 21:40:19 +0000 (22:40 +0100)]
Add HAVE_LIBCAP
Currently it is impossible to build lxc with --disable-capabilities if
the user has libcap-dev installed on his system as:
- calls to cap_xxx functions are not protected by HAVE_LIBCAP defines.
The whole file is only protected by HAVE_SYS_CAPABILITY_H.
- AC_CHECK_LIB default action-if-found is overriden by [true] so
HAVE_LIBCAP is never written to config.h
This patch replaces all HAVE_SYS_CAPABILITY_H checks by HAVE_LIBCAP
checks (fix #1361)
Adam Borowski [Sun, 12 Feb 2017 06:26:54 +0000 (07:26 +0100)]
seccomp: allow x32 guests on amd64 hosts.
Without this patch, x32 guests (and no others) worked "natively" with x32
host lxc, but not on regular amd64 hosts. That was especially problematic
as a number of ioctls such as those needed by netfilter don't work in such
scenarios, thus you want to run amd64 on the host.
With the patch, you can use all three ABIs: i386 x32 amd64 on amd64 hosts.
Despite x32 being little used, there's no reason to deny it by default:
the admin needs to compile their own kernel with CONFIG_X86_X32=y or (on
Debian) boot with syscall.x32=y. If they've done so, it is a reasonable
assumption they want x32 guests.
Signed-off-by: Adam Borowski <kilobyte@angband.pl>
Carsten Brandt [Wed, 8 Feb 2017 13:46:59 +0000 (14:46 +0100)]
Make lxc-net return non-zero on failure
I found that even though the service lxc-net failed to start because I made some wrong configuration
settings the command exists zero.
So systemd reports the status of the service as good even though it failed:
# service lxc-net status
● lxc-net.service - LXC network bridge setup
Loaded: loaded (/lib/systemd/system/lxc-net.service; enabled)
Active: active (exited) since Wed 2017-02-08 08:17:32 EST; 21min ago
Process: 529 ExecStart=/usr/lib/x86_64-linux-gnu/lxc/lxc-net start (code=exited, status=0/SUCCESS)
Main PID: 529 (code=exited, status=0/SUCCESS)
CGroup: /system.slice/lxc-net.service
Feb 08 08:17:30 dvm2 systemd[1]: Starting LXC network bridge setup...
Feb 08 08:17:32 dvm2 lxc-net[529]: dnsmasq: failed to create listening socket for 10.2.2.1: Address already in use
Feb 08 08:17:32 dvm2 lxc-net[529]: Failed to setup lxc-net.
Feb 08 08:17:32 dvm2 systemd[1]: Started LXC network bridge setup.
Adding `exit 1` here makes it exit non-zero to make systemd recognize the failure.
Thomas Jarosch [Thu, 2 Feb 2017 11:48:35 +0000 (12:48 +0100)]
lxc_setup_tios(): Ignore SIGTTOU and SIGTTIN signals
Prevent an endless loop while executing lxc-attach in the background:
The kernel might fire SIGTTOU while an ioctl() in tcsetattr()
is executed. When the ioctl() is resumed and retries,
the signal handler interrupts it again.
We can't configure the TTY to stop sending
the signals in the first place since that
is a modification/write to the TTY already.
Still we clear the TOSTOP flag to prevent further signals.
Command to reproduce the hang:
----------------------------
cat > lxc_hang.sh << EOF
/usr/bin/timeout 5s /usr/bin/lxc-attach -n SOMECONTAINER -- /bin/true
EOF
sh lxc_hang.sh # hangs
----------------------------
Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
Reto Gantenbein [Tue, 7 Feb 2017 05:59:15 +0000 (06:59 +0100)]
Change Fedora mirror downloads to https by default, rsync optional
This mainly affects the download of the bootstrap image when
running on a non-Fedora host and the initial download of the
repo and release RPMs. The container rootfs creation will then
be verified by dnf against the GPG signatures in the repos RPM.
conf.c: In function 'lxc_assign_network':
conf.c:3096:25: error: '%lu' directive output may be truncated writing between 1 and 20 bytes into a region of size 19 [-Werror=format-truncation=]
snprintf(pidstr, 19, "%lu", (unsigned long) pid);
^~~
conf.c:3096:24: note: using the range [1, 18446744073709551615] for directive argument
snprintf(pidstr, 19, "%lu", (unsigned long) pid);
^~~~~
In file included from /usr/include/stdio.h:938:0,
from conf.c:35:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:64:10: note: format output between 2 and 21 bytes into a destination of size 19
return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
__bos (__s), __fmt, __va_arg_pack ());
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
confile.c: In function 'network_new_hwaddrs':
confile.c:2889:38: error: '%02x' directive output may be truncated writing between 2 and 8 bytes into a region of size 6 [-Werror=format-truncation=]
snprintf(hwaddr, 18, "00:16:3e:%02x:%02x:%02x",
^~~~
confile.c:2889:23: note: using the range [0, 4294967295] for directive argument
snprintf(hwaddr, 18, "00:16:3e:%02x:%02x:%02x",
^~~~~~~~~~~~~~~~~~~~~~~~~
confile.c:2889:23: note: using the range [0, 4294967295] for directive argument
In file included from /usr/include/stdio.h:938:0,
from confile.c:24:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:64:10: note: format output between 18 and 36 bytes into a destination of size 18
return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
__bos (__s), __fmt, __va_arg_pack ());
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Not sure whether the latter is really a problem. We might need an additional
fix later on.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Colin Watson [Thu, 26 Jan 2017 14:32:08 +0000 (14:32 +0000)]
Make lxc-start-ephemeral Python 3.2-compatible
On Ubuntu 12.04 LTS with Python 3.2, `lxc-start-ephemeral` breaks as
follows:
Traceback (most recent call last):
File "/usr/bin/lxc-start-ephemeral", line 371, in attach_as_user
File "/usr/lib/python3.2/subprocess.py", line 515, in check_output
File "/usr/lib/python3.2/subprocess.py", line 732, in __init__
LookupError: unknown encoding: ANSI_X3.4-1968
This is because `universal_newlines=True` causes `subprocess` to use
`io.TextIOWrapper`, and in versions of Python earlier than 3.3 that
fetched the preferred encoding using `locale.getpreferredencoding()`
rather than `locale.getpreferredencoding(False)`, thereby changing the
locale and causing codecs to be reloaded. However, `attach_as_user`
runs inside the container and thus can't rely on having access to the
same Python standard library on disk.
The workaround is to decode by hand instead, avoiding the temporary
change of locale.
Use AC_HEADER_MAJOR to detect major()/minor()/makedev()
Before the change build failed on Gentoo as:
bdev/lxclvm.c: In function 'lvm_detect':
bdev/lxclvm.c:140:4: error: implicit declaration of function 'major' [-Werror=implicit-function-declaration]
major(statbuf.st_rdev), minor(statbuf.st_rdev));
^~~~~
bdev/lxclvm.c:140:28: error: implicit declaration of function 'minor' [-Werror=implicit-function-declaration]
major(statbuf.st_rdev), minor(statbuf.st_rdev));
^~~~~
glibc plans to remove <sys/sysmacros.h> from glibc's <sys/types.h>:
https://sourceware.org/ml/libc-alpha/2015-11/msg00253.html
Gentoo already applied glibc patch to experimental glibc-2.24
to start preparingfor the change.
Autoconf has AC_HEADER_MAJOR to find out which header defines
reqiured macros:
https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Particular-Headers.html
This change should also increase portability across other libcs.
Bug: https://bugs.gentoo.org/604360 Signed-off-by: Sergei Trofimovich <siarheit@google.com>
We do not check here whether the container is defined, because we support
volatile containers. Which means the container does not need to be created for
it to be started. You can just pass a configuration file as argument and start
the container right away.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
lxc_execute() and lxc-execute where broken when a user tried to switch to a
non-root uid/gid. This prevented necessary setup operations like mounting the
rootfs which require root in the user namespace. This commit separates
switching to root in the user namespace from switching to the requested uid/gid
by lxc_execute().
This should be safe: Once we switched to root in the user namespace via
setuid() and then switch to a non-root uid/gid in the user namespace for
lxc_execute() via setuid() we cannot regain root privileges again. So we can
only make us safer (Unless I forget about some very intricate user namespace
nonsense; which is not as unlikely as I try to make it sound.).
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
This commit adds lxc_switch_uid_gid() which allows to switch the uid and gid of
a process via setuid() and setgid() and lxc_setgroups() which allows to set
groups via setgroups(). The main advantage is that they nicely log the switches
they perform.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
On some Android systems the lxc folders where containers are stored might be
read-only and so checking for O_RDWR, will effectively make the tools useless
on these systems, so let's dumb the check down to O_RDONLY.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Reto Gantenbein [Sat, 31 Dec 2016 00:43:10 +0000 (01:43 +0100)]
Complete rework of lxc-fedora template
Heavily refactored version of the Fedora container creation template.
Removed compatibility to unsupported Fedora releases including sysvinit
and yum stuff. Added new commandline arguments found in other templates:
--mirror : To set custom HTTP(s) Fedora download mirror
--packages : List of custom packages to install into a new container
--debug : Run with shell script with 'set -x'
There are also some new environment variables which can be used to
customize the template behaviour. See --help output.
Supports Fedora >=24. By default Fedora 25 will be installed except on
Fedora hosts, where the host release is taken. To simplify the code
path (or at least not make it more complex) all non-Fedora hosts will
now use the LiveOS-image based bootstrap environment even when they
would natively support rpm, yum or even dnf (e.g. Gentoo, CentOS).
Mainly runs systemd services by default (journald, networkd, resolved
logind).
This mainly affects Trusty. The 3.13 kernel has a broken overlay module which
does not handle symlinks correctly. This is a problem for containers that use
an overlay based rootfs since safe_mount() uses /proc/<pid>/fd/<fd-number> in
its calls to mount().
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Fabrice Fontaine [Sun, 18 Dec 2016 20:39:24 +0000 (21:39 +0100)]
Add --enable-gnutls option
Previously HAVE_LIBGNUTLS was never set in config.h even if gnutls was
detected as AC_CHECK_LIB default action-if-found was overriden by
enable_gnutls=yes
This patch adds an --enable-gnutls option and will call AC_CHECK_LIB
with the default action to write HAVE_LIBGNUTLS in config.h
fli [Tue, 6 Dec 2016 08:59:52 +0000 (00:59 -0800)]
confile: support the network link string pattern matching
Enable lxc network config support the following type and link:
lxc.network.type = phys
lxc.network.link = eth+
Here, the suffix '+' will trigger a string pattern matching
and when lxc find any network interfaces name prefixed with
"eth" such as "eth0", "eth1", "ethxxxx" and so on, it will
try to move them into the container's namespace; If it didn't
find any matching, it would do nothing for this configure
line.
Aside from adding a 42.2 option, $DISTRO comparisons for Leap have been
changed [ exp ] => [[ exp ]] to accomodate pattern matching for future
releases.
Signed-off-by: Terzeus S. Dominguez <tsdmgz@gmail.com>
FooDeas [Thu, 8 Dec 2016 13:03:10 +0000 (14:03 +0100)]
templates: fix getty service startup
Commit bf39edb39ecaea25801d716aebef798885277992 broke the handling of the getty service file with an '@' character in filename. So the startup condition was not fixed.
Because the parameter was quoted with the causal commit, the escaping has to be removed.
Signed-off-by: Andreas Eberlein foodeas@aeberlein.de