This patch is so far just a proof of concept. The libseccomp api will be
changing soon so it probably wouldn't be worth pulling this until it is
updated for the new API.
This patch introduces support for seccomp to lxc. Seccomp lets a program
restrict its own (and its children's) future access to system calls. It
uses a simple whitelist system call policy file. It would probably be
better to switch to something more symbolic (i.e specifying 'open' rather
than the syscall #, especially given container arch flexibility).
I just wanted to get this out there as a first step. You can also get
source for an ubuntu package based on this patch at
https://code.launchpad.net/~serge-hallyn/ubuntu/quantal/lxc/lxc-seccomp
Jan Kiszka [Thu, 9 Aug 2012 22:54:48 +0000 (17:54 -0500)]
lxc-wait: Add timeout option
Allow to specify a timeout for waiting on state changes via lxc-wait.
Helpful for scripts that need to handle errors or excessive delays in
state changing procedures.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Dwight Engen [Wed, 31 Oct 2012 16:08:13 +0000 (17:08 +0100)]
Fix lxc-netstat -- argument processing
Commit 21e487f2 introduced the use of getopt, but getopt will fail when
it sees arguments meant for netstat that are not in [short|long]options.
There should not be any ambiguity about arguments with the same letter:
those to the left of the -- are destined for lxc-netstat and those to
the right for the real netstat, which the original code handles by
shifting out all arguments it recognizes before the -- is hit.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com> Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Dwight Engen [Thu, 25 Oct 2012 20:21:53 +0000 (16:21 -0400)]
Fix lxc-ps -- argument processing
lxc-ps is supposed to pass arguments after the -- on to ps. The problem is
that i is expanded once from $@ and the loop will iterate over all the
arguments that were in $@ at the time of expansion. Inside the loop, there
are shifts (in the name case for example) that are trying to remove more
than a single argument. This changes fixes that and makes lxc-ps work as
documented.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com> Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Dwight Engen [Wed, 31 Oct 2012 16:08:13 +0000 (17:08 +0100)]
Add %{dist} tag to differentiate RPM distributions and releases
Note that an additional Release field is not necessary for the devel package
as it will follow the primary Release field. For more information on the dist
tag, see http://fedoraproject.org/wiki/Packaging:DistTag
Signed-off-by: Dwight Engen <dwight.engen@oracle.com> Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Daniel Lezcano [Wed, 31 Oct 2012 15:39:50 +0000 (16:39 +0100)]
Merge branch 'upstream-bugfix' of https://github.com/lxc/lxc
* 'upstream-bugfix' of https://github.com/lxc/lxc: (47 commits)
replace HOOK define with proper code.
Remove lxc-start-ephemeral from configure.ac
revert devtmpfs in ubuntu templates
lxc-ubuntu{-cloud}: Fix missing "fi" in new devtmpfs code
fix "make rpm"
display warning when yum missing in fedora template
templates: mount devtmpfs in ubuntu containers
handle clone of btrfs snapshots
if the rootfs is a btrfs subvolume, delete it instead of rm -rf
lxc-debian: replace isc-dhcp-server by isc-dhcp-client
lxc-ls: Scan cgroup mount points from fstype and not device
Allow short -h and -n options to lxc-ps
lxc-ubuntu: fix printing of default user
lxc-debian: specify isc-dhcp-server in package list
try to better handle out of date container caches.
link /dev/kmsg to /dev/console in the container
lxc-clone: fix the '--name' parameter
lxc-ls: Use readlink on $directory
lxc-busybox: Use relative mounts in lxc.mount.entry
busybox: for all lib dirs create mounts only if directories exist
...
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Dwight Engen [Thu, 4 Oct 2012 16:28:38 +0000 (12:28 -0400)]
fix "make rpm"
RPM doesn't like "-" in the version number and gives:
"error: line 24: Illegal char '-' in: Version: 0.8.0-rc2"
Other packages (bind-utils for example) have used . instead
of - as a seperator.
Fix determination of $oldroot from the config file. The old code had the '
in the wrong place and didn't account for whitespace between the = and
the rootfs.
Set $rootfs based on $oldroot instead of forcing it to be in
$lxc_path/$lxc_new/rootfs. This allows for btrfs snapshot to be made even if
$lxc_path isn't on the same filesystem. If $oldroot isn't a subvolume,
fall back to making a copy.
Christian Seiler [Mon, 24 Sep 2012 09:21:48 +0000 (11:21 +0200)]
lxc-ls: Scan cgroup mount points from fstype and not device
lxc-ls --active now scans mount points that have the 'cgroup' filesystem
type and not the 'cgroup' device name (which is ignored anyway and may be
anything).
Signed-off-by: Christian Seiler <christian@iwakd.de> Cc: Serge Hallyn <serge.hallyn@ubuntu.com>
lxc-ls was failing in cases where $directory is a symlink to another
directory. Instead have $directory be generated from the output of
readlink -f "$lxc_path".
fix expansion of LXCPATH,LXCROOTFSMOUNT,LXCTEMPLATEDIR
These variables are not expanded correctly in doc/lxc-create.sgml.in
and a workaround is in place to ensure ${localstatedir}, and ${datadir}
are set in the various shell scripts that use it. There is no workaround
to ensure ${datadir} is set in src/lxc/lxc-create.in, nor is
${localstatedir} set in templates/lxc-altlinux.in so I think that these
are currently broken.
Using AS_AC_EXPAND instead of AC_SUBST fixes these problems and removes
the need for the workarounds. In addition the lxc-start-ephemeral.in
script can be autoconf'ed instead of sed'ed by the makefile.
I was getting raw nroff ".SH DESCRIPTION" in my man pages. This fixes
the synopsis cmd args so that doesn't happen. Added replaceable to a few
arguments.
This adds a SIGINIT and SIGPWR handler in the default inittab for
the Debian template. This allows lxc-shutdown/lxc-restart and their API calls
to properly shutdown or reboot the container.
Signed-off-by: Rex Tsai (蔡志展) <rex.tsai@canonical.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>
lxc-destroy: Separately rm rootfs if it is a symlink
If rootfs is a symbolic link but not to a block device, then do a separate
rm of its contents. We have to do this because, out of cowardice, we call
rm with --one-filesystem.
Removing the '-o -h $rootdev' is ok, because if $rootdev is a symbolic
link to a block device (including lvm blockdev) then -b will still return
true.
Stéphane Graber [Fri, 31 Aug 2012 16:17:38 +0000 (09:17 -0700)]
Various fedora template improvements
1. don't add network segment to config
2. check for 'curl'
3. don't add $name to $path, it's already in there
4. don't add devpts to fstab, that's wrong.
5. $UTSNAME doesn't exist
6. set root pwd to root instead of rooter.
7. install fedora-release package.
8. add a console on /dev/console.
9. create empty fstab
10. don't mount devpts in rc.sysinit.
Stéphane Graber [Fri, 31 Aug 2012 15:58:56 +0000 (08:58 -0700)]
Make lxc-execute without rootfs work.
That means, don't try to pin a null rootfs, and don't try to mount /proc
since /var/lib/lxc/root/proc doesn't exist to be mounted onto.
The apparmor patches are not yet upstream, so this patch will not go
upstream by itself.
Serge Hallyn [Thu, 30 Aug 2012 16:02:24 +0000 (11:02 -0500)]
lxc-ubuntu-cloud: get full pathname to userdata file
When passing '--userdata somefile' to the ubuntu-cloud template, a user
may pass a relative pathname. The template uses the filename after
changing current directory, so store the full pathname for the userdata
file instead of a potential relative pathname.
Stéphane Graber [Wed, 29 Aug 2012 16:27:53 +0000 (09:27 -0700)]
Add lxc.aa_profile example to all templates
LXC has optional apparmor support, default profile is lxc-container-default.
This change adds a commented "lxc.aa_profile = default" line to all templates,
uncommenting this will bypass apparmor for the container.
Stéphane Graber [Wed, 29 Aug 2012 20:51:37 +0000 (13:51 -0700)]
Don't update the host-name field in dhclient.conf when not hardcoded.
On Debian and Ubuntu, the default host-name field in dhclient.conf is
set to either "<hostname>" or "gethostname()" both of which get replaced
by the machine's hostname at query time.
The sed call currently present in lxc-clone hardcodes the hostname in
dhclient.conf, causing dpkg to prompt on isc-dhcp updates.
Stéphane Graber [Tue, 28 Aug 2012 17:42:27 +0000 (13:42 -0400)]
Fix lxc-ubuntu and lxc-ubuntu-cloud to properly deal with /dev/shm.
Now that initscripts in Debian and Ubuntu has been updated to no longer
do silly things with /dev/shm and /run/shm on installation/update, the
check needs updating to detect any remaining broken case and fix it.
Serge Hallyn [Tue, 21 Aug 2012 15:05:19 +0000 (10:05 -0500)]
lxc_start: exit early if insufficient privs in daemon mode
Starting a container with insufficient privilege (correctly) fails
during lxc_init. However, if starting a daemonized container, we
daemonize before we get to that check. Therefore while the
container will fail to start, and the logfile will show this, the
'lxc-start -n x -d' command will return success. For ease of
scripting, do a check for the required privilege before we exit.
Serge Hallyn [Fri, 17 Aug 2012 02:11:50 +0000 (21:11 -0500)]
Cleanup partial container if -h was passed to template
If user calls 'lxc-create -t ubuntu -- -h' (as opposed to
'lxc-create -t ubuntu -h') then the ubuntu template will print its
help then exit 0. Then lxc-create does not cleanup. So detect this
in lxc-create.
The 'lxc.mount =' entry can have more than one space, or tabs, before the =.
We only need to disambiguate from 'lxc.mount.entry'. So just check for a
space or tab after mount.
CAP_LAST_CAP in linux/capability.h doesn't always match what the kernel
actually supports. If the kernel supports fewer capabilities, then a
cap_get_flag for an unsupported capability returns -EINVAL.
Recognize that, and don't fail when initializing capabilities when this
happens, rather accept that we've reached the last capability.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
- Update list of extra packages for debootstrap to only include vim
and ssh. The others were only relevant when we were still using the
minbase variant. (LP: #996839)
- Drop any hardcoded Ubuntu version check and replace by feature
checks instead.
- Format lxc-ubuntu to consistently use 4-spaces indent instead of
mixed spaces/tabs.
- Update default /etc/network/interfaces to include the header.
- Update default /etc/hosts to match that of a regular Ubuntu system.
- Drop support for end-of-life releases (gutsy on sparc).
- Make sure /etc/resolv.conf is valid before running any apt command.
- Update template help message for release and arch parameters.
- Switch default Ubuntu version from lucid to precise.
When installing a non-native architecture, the template
installs a bunch of packages of the native architecture to work around
existing limitations of qemu-user-static, mostly related to netlink.
The current code would install upstart of the host architecture but
force the amd64 version of the others. This was just a mistake done
while testing/developping the code. Fixing now to always install
the native architecture version of all of them.
lxc-init used to be under /usr/lib/lxc. Now it is under
/usr/lib/<multiarch>/lxc, but old containers will still have it under
/usr/lib/lxc. So search for a valid lxc-init to run.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
lxc-ubuntu-cloud: extract the right filenames from tarball
Signed-off-by: Ben Howard <ben.howard@canonical.com> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Description: Fix handling of user-data in ubuntu-cloud template
Signed-off-by: Ben Howard <ben.howard@canonical.com> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
templates: use relative paths when creating containers
At the same time, allow lxc.mount.entry to specify an absolute target
path relative to /var/lib/lxc/CN/rootfs, even if rootfs is a blockdev.
Otherwise all such entries are ignored for blockdev-backed containers.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
This patch introduces support for 4 hooks. We'd like to have 6 in
all to mirror the openvz ones (thanks to Stéphane for this info):
pre-start: in the host namespace before container mounting happens
mount: after container mounting (as per config and /var/lib/lxc/container/fstab)
but before pivot_root
start: immediately before exec'ing init
stop: in container namespace and in chroot before shutdown
umount: after other unmounting has happened
post-stop: outside of the container
stop and umount are not implemented here because when the kernel kills
the container init, it kills the namespace. We can probably work around
this, i.e. by keeping the /proc/pid/ns/mnt open, and using that, though
all container tasks including init would still be dead. Is that worth
pursuing?
start also presents a bit of an issue. openvz allows a script on the
host to be specified, apparently. My patch requires the script or
program to exist in the container. I'm fine with trying to do it the
openvz way, but I wasn't sure what the best way to do that was. Openvz
(I'm told) opens the script and passes its contents to a bash in the
container. But that limits the hooks to being only scripts. By
requiring the hook to be in the container, we can allow any sort of
hook, and assume that any required libraries/dependencies exist
there.
This could be done as generic 'lsm_init()' and 'lsm_load()' functions,
however that would make it impossible to compile one package supporting
more than one lsm. If we explicitly add the selinux, smack, and aa
hooks in the source, then one package can be built to support multiple
kernels.
The smack support should be pretty trivial, and probably very close
to the apparmor support.
The selinux support may require more, including labeling the passed-in
fds (consoles etc) and filesystems.
If someone on the list has the inclination and experience to add selinux
support, please let me know. Otherwise, I'll do Smack and SELinux.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
It optionally waits (an optional timeout # of seconds) for the container to
be STOPPED. If given -r, it reboots the container (and exits immediately).
I decided to add the timeout after all because it's harder to finagle into
an upstart post-stop script than a full bash script.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
lxc-ubuntu-cloud.in: re-enable use of daily cloud images
There are two types of cloud images - released and daily ones. We were
always using daily ones, instead of using released by default with an
option for daily. Fix that.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
lxc-ubuntu.in: fix up the logic adding group for bound users
1. 'getent group $user' assumes user's group is named $user.
2. if 'getent group' returns error, just ignore the group in container
3. (misc) while it happens to all work out fine anyway, don't do
getent passwd $bindhome if $bindhome isn't defined. (it will
successfully return all password entries)
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
When creating a container as lvm snapshot, use the original size unless
user explicitly overrides it.
It's all well and good to day "use lvextend if you run out of space", but
in the meantime applications may become corrupted...
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
ubuntu template: add sudo group and cleanup minor devttydir issue
Always add the user to the 'sudo' group as it's been around
since at least Ubuntu 10.04. In addition make the user part
of the admin group until 12.04 where it's been removed.
Also fix a minor layout issue with devttydir.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>