Qiang Huang [Sat, 18 Jan 2014 06:59:58 +0000 (14:59 +0800)]
lxc-start: fix the container leak when daemonize
When start container with daemon model, we'll have a new daemon
process in lxcapi_start, whose c->numthreads is 2, inherited
from his father. Even his father return to main(), the
lxc_container_put won't affect son's numthreads.
So when daemon stops, he should return to main and do
lxc_container_put again, rather than exit and leave the
container alone.
Stéphane Graber [Thu, 16 Jan 2014 19:13:14 +0000 (14:13 -0500)]
init: Add upstart jobs and some more changes (v3)
This adds the 3 upstart jobs that we've had in Ubuntu for a while:
- lxc.conf: Main upstart job, triggers lxc-net.conf based on config
- lxc-instance.conf: Triggered by lxc.conf for each auto-started container
- lxc-net.conf: Triggered by lxc.conf, sets up lxcbr0, NAT, mangling, ...
In addition, there are two extra config files in /etc/default:
- lxc: Allows setting some values like http proxying, disabling autostart, ...
- lxc-net: Network configuration for the lxcbr0 bridge
This change also disables the sysv script for all distros but Oracle as
the current script won't work on either Ubuntu nor Debian and I suspect
quite a few more distros, so it's not nearly as distro-agnostic as we
thought.
For Debian, only install the upstart jobs and systemd unit.
For Ubuntu, only install the upstart jobs.
This change also moves all the init related stuff to config/init/
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Serge Hallyn [Thu, 16 Jan 2014 20:44:48 +0000 (14:44 -0600)]
cgmanager: fix obvious braindeadnesses
1. don't return bools for int-return functions
2. copy the filename to controller before using it
3. use full filename not just the key to pass to cgmanager
Stéphane Graber [Thu, 16 Jan 2014 18:37:32 +0000 (13:37 -0500)]
python3: Don't fail in list_containers on ValueError
ValueError typically means that the user doesn't have permissions to
access the directory. Raising an exception there isn't consistent with
other error behaviour of list_containers which simple returns an empty
tuple.
So simply catch the exception and ignore it. An error message is already
printed by LXC itself anyway.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Serge Hallyn [Thu, 16 Jan 2014 14:41:44 +0000 (08:41 -0600)]
shut up freezer_state
Not being able to get freezer state is perfectly valid - if the
container does not exist. The old version of freezer_state
only reported an error on actually reading the cgroup file,
but not on not finding a cgroup file. Leave it to the caller
to report the error if it is important, since we don't actually
know any useful info here anyway.
Serge Hallyn [Wed, 15 Jan 2014 19:40:53 +0000 (13:40 -0600)]
stop cmd callback: unfreeze by path only
in particular, regular unfreeze uses the cmd api to request the cgroup
of the container. If we are already in the lxc-start monitor, we can't
use the cmd api.
(I knew when I started this would be a problem but then as it didn't
reliably crash, I forgot to handle it)
Serge Hallyn [Tue, 14 Jan 2014 22:41:36 +0000 (16:41 -0600)]
Initial support for cgmanager
This patch splits out most of the cgroupfs-specific code, so that
cgroup-manager versions can be plugged in. The case I did
not handle is cgroup_enter at lxc_attach. I'm hoping that case can
be greatly simplified, but will worry about it after fleshing out the
cgroup manager handlers.
This also simplify the freezer functions.
This seems to not regress my common tests when running without
cgmanager, but I'd like to do a bit more testing before pushing.
However I was hoping to get some more eyes on this so am sending it
out now.
Chris Glass [Wed, 15 Jan 2014 15:37:46 +0000 (16:37 +0100)]
Fix small mistake with squid-deb-proxy hook
I unfortunately realized that I did not push the latest version of the
file. This fixes an issue in the case where we want to create the proxy
file in the container (not nested).
Signed-off-by: Chris Glass <tribaal@gmail.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Qiang Huang [Wed, 15 Jan 2014 02:45:18 +0000 (10:45 +0800)]
lxccontainer.c: check lxc_conf before referance haltsignal
If we start container with rcfile(see comments in lxc_start.c), it
is possible that we have no config file in /usr/local/var/lib/lxc.
So when we try lxc_stop, lxc_container_new will not load any config
so we'll get c->lxc_conf = NULL.
In that case, we'll get Segmentation fault in lxcapi_shutdown, a
simple check would fix this.
Stéphane Graber [Tue, 14 Jan 2014 23:25:44 +0000 (18:25 -0500)]
Fix return value of userns_exec_1
Instead of always returning -1 and call SYSERROR when the child returns
non-zero. Have userns_exec_1 always return the return value from the
function it's calling and let the caller do the error handling (as is
already done by its only caller).
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Stéphane Graber [Tue, 14 Jan 2014 22:24:14 +0000 (17:24 -0500)]
lxc-archlinux: Cleanup fstab
It's been brought to my attention that the read-only mount of /proc/sys
is causing problems to archlinux users, so instead just have LXC mount
proc and sysfs normally (read-write).
Reported-by: John Lane <john@lane.uk.net> Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Modify lxc-fedora and lxc-centos for multiple issues...
This is a reissue of two previous patches along with some additional
changes for hardening the root password process based on discussions
on-list.
--
This patch modifies the lxc-fedora and lxc-centos templates for 3 things.
1) Extensively modifies root password generation, storage, and management
based on discussions on the devel list.
Root passwords are hardened and have advanced configurability.
A static password may be provided.
A password based on a template may be generated, including ${RANDOM}.
A password may be generated through mktmp using a template with X's.
Root passwords default to expired, initially.
Passwords may optionally be echoed to stdout at container creation. (no)
Passwords may optionally be stored in ${rootfs_path}/tmp_root_pass. (yes)
Users may be optionally forced to change the password at creation time. (no)
Default is to generate a pattern based password and store, no force change.
All of this may be overridden by environment variables through
conditional assignment.
2) Random static hardware addresses are generated for all configured
interfaces.
3) Add code to create sysv init style scripts to intercept shutdown and
reboot to prevent init restart and hang for CentOS and legacy Fedora
systems on shutdown, reboot, init 0, and init 6. This solves a variety
of hang conditions but only affects newly created containers. Does
not have any impact on systemd based containers.
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Serge Hallyn [Mon, 13 Jan 2014 17:08:48 +0000 (11:08 -0600)]
api change: default container->daemonize to true
Pretty much the only case where we do NOT want to daemonize
a container start is lxc-start. So make c->daemonize true
by default, and have lxc-start set it to false.
If there are existing API users who rely on daemonize by
default, then they will be broken by this. It seems we should
do this before beta1 if we're going to do it.
Chris Glass [Thu, 9 Jan 2014 16:40:12 +0000 (16:40 +0000)]
Make ubuntu templates squid-deb-proxy-client aware
This makes the ubuntu and ubuntu-cloud templates automatically aware of apt
proxy settings when the LXC host has "squid-deb-proxy-client" installed. This
makes installations *much* faster when a suitable squid-deb-proxy is
found on the network (or installed on the host).
Signed-off-by: Chris Glass <tribaal@gmail.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Stéphane Graber [Tue, 14 Jan 2014 20:02:42 +0000 (15:02 -0500)]
download: Improve cache handling
This adds a new --force-cache parameter which will force use of the
cache even for expired images.
An expired image is now only flushed from the cache once a new one is
successfuly downloaded (to avoid destroying the local cache when the
host doesn't have internet connectivity).
The ID of the build in cache is also tracked so that we don't
re-download something we already have (should only happen if we don't
have a new build published by the time the previous one expires).
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Stéphane Graber [Tue, 14 Jan 2014 19:12:33 +0000 (14:12 -0500)]
download: Don't use an hardcoded exclude list
Instead of hardcoding --exclude=./dev/*, use a new metadata file
"excludes" which lists all the paths or patterns to exclude during
extraction (one per line).
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Serge Hallyn [Mon, 13 Jan 2014 21:26:49 +0000 (15:26 -0600)]
cgroup: move all some functions into cgroup.h
Some functions which wanted to know about cgroup paths were located
in other files. Move them into cgroup.c, so that all knowledge of
the cgroup backend can be colocated.
Serge Hallyn [Mon, 13 Jan 2014 16:02:29 +0000 (10:02 -0600)]
This change introduce mac address templating.
By setting lxc.network.hwaddr to something like fe:xx:xx:xx:xx:xx each
"x" will be replaced by a random value. If less significant bit of
first byte is "templated", it will be set to 0.
This change introduce also a common randinit() function that could be
used to initialize random generator.
Serge Hallyn [Mon, 13 Jan 2014 02:45:00 +0000 (20:45 -0600)]
introduce lxc-unpriv test
It simply creates a test user and tries to create and start
a container as that user. Tries to lxc-attach to that
container to test network connectivity.
Dwight Engen [Thu, 9 Jan 2014 20:36:13 +0000 (15:36 -0500)]
ensure all config items are duplicated on clone/write_config
Since previously I had found a config item that wasn't being propagated
by lxc-clone, I went through all the config items and made sure that:
a) Each item is documented in lxc.conf
b) Each item is written out by write_config
The only one that isn't is lxc.include, which by its nature only pulls
in other config item types.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Serge Hallyn [Sat, 11 Jan 2014 06:14:26 +0000 (00:14 -0600)]
cgroup: recursively delete cgroups when asked
Currently when a container is shut down, lxc walks the set of all
cgroup paths it created, in reverse order, and tries to remove them.
This doesn't suffice if the container has also created new cgroups.
It'd be impolite to recursively remove all the cgroup paths we created,
since this can include '/lxc' and thereunder all other containers
started since.
This patch changes container shutdown to only delete the container's own
path, but do so recursively. Note that if we fail during startup,
the container won't have created any cgroup paths so it the old
way works fine.
Stéphane Graber [Fri, 10 Jan 2014 22:28:07 +0000 (17:28 -0500)]
download: Initial template
This adds a new template called "download". It's a fairly simple
template with a minimal set of dependency which will grab any pre-built
image available on https://images.linuxcontainers.org
Note that the serverside is still work in progress (missing SSL support).
Access is done over https by default with a warning being emitted if
fallback to http was required (may be needed for testing, when behind
proxy and with private servers). All index files and tarballs are
gpg-signed with the default pubkeyid contained in the template itself.
The main benefit of this template is to be entirely
distribution-agnostic, any template that can be integrated with the
server build infrastructure will then work on any LXC machine when using
the download template. This template is also compatible with user
namespaces and will hopefully help widden the number of distros that may
work in unprivileged LXC.
This commit also bundles a small change to the template configs to have
the ubuntu template (used by the download template) to work with
unprivileged LXC.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Serge Hallyn [Sat, 11 Jan 2014 03:48:30 +0000 (21:48 -0600)]
Fix bug in preserve_ns
If /proc/self/ns does not exist, then preserve_ns was failing to
initialize the saved_ns[i] to -1. This caused attach_ns() to try
and attach, and of course fail.
Initialize the saved ns values before returning an error.
The return values of preserve_ns and attach_ns were also being
ignored. Honor them.
Stéphane Graber [Thu, 9 Jan 2014 22:31:52 +0000 (17:31 -0500)]
Re-organize API for global lxc.conf config
Instead of having one function for each possible key in lxc.conf which
doesn't really scale and requires an API update for every new key,
switch to a generic lxc_get_global_config_item() function which takes a
key name as argument.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
projects / mirror_lxc.git / log