That should be enough for snapd on unprivileged containers.
For privileged containers we'd also need a way to not drop
the mac_admin capability - not sure we'd want that.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Tim Marx [Tue, 9 Oct 2018 11:34:14 +0000 (13:34 +0200)]
close #1940: pct console: added ability to specify escape sequence
added clarification about behavior when passing -1 to escapechar
restored former behavior in other uses of get_console_command
added meaningful tag to commit message
Currently the autodev hook only adds device nodes, but in
order for the container to use them we also need to add
entries to the devices cgroup to both the limiting and the
namespaced devices cgroup directory.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
we use perl modules from pve-firewall and some build steps fail if it
isn't installed, e.g., happening on bootstrapping.
pve-firewall includes some modules from us but does so in a way which
can cope with a not-installed pve-container (or qemu-server for that
matter).
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Our checks for .pve-ignore.* files happen at write time so
we mostly don't have to think about them within the
functions dealing with them. /etc/hosts is one of the files
we need nowhere except when updating it, and there are some
tools managing it and producing files too large for our
default file_get_contents() size limit, so here we want to
skip early to avoid an error at read time.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Upstream's templates seem to have switched to systemd-networkd for
fedora > 25. Since then various workarounds have been suggested (starting
the legacy network.service in /etc/rc.local). This patch tries to accommodate
both network-configuration options for the affected and available templates
(25, 26, 27), by configuring both services.
Wolfgang Link [Wed, 6 Jun 2018 13:21:45 +0000 (15:21 +0200)]
fix #1778: check if storage supports templates
LXC can only create templates on storages which support linked clones.
To prevent this, we will check before we convert to a template if the
storage supports this.
Wolfgang Link [Tue, 5 Jun 2018 10:58:47 +0000 (12:58 +0200)]
fix #1792: Do not assign vars in conditional statement
If a variable is defined and assigned in a conditional statement,
it is not defined behavior in Perl.
For more information about this behavior see
https://perldoc.perl.org/perlsyn.html#Statement-Modifiers
"NOTE: The behaviour of a my, state, or our modified with a statement
modifier conditional or loop construct (for example, my $x if ... )
is undefined.
The value of the my variable may be undef, any previously assigned
value, or possibly anything else.
Don't rely on it. Future versions of perl might do something different
from the version of perl you try it out on. Here be dragons."
we only handled the special rootfs mount so creating a template
from a container with additional mountpoints did not work correctly.
Use foreach_mountpoint to create a base vdisk for all mount points
after checking if the storage supports it
otherwise the size information gets lost when detaching and reattaching
a mountpoint volume, which is less than ideal since mountpoints without
size information require manual information when restoring.
This finishes the work started with 07084526aa4a ("create:
open templates as real root"), which opened templates as
real root, but passed it to tar via /proc/*/fd, which does
not actually bypass the check. (Curiously tar did manage to
figure out the file extension from it).
In order to actually extract templates the unprivileged user
cannot access by themselves, we need to pass it to tar via
stdin, however, this means tar cannot auto-detect the
compression (or more accurately, it can and does, but tells
you which option to pass it rather than just extracting
it...)
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
systemd-networkd keeps trying to use keyctl() and if it
refuses to work it is apparently a fatal error, so let's
make it think keyctl() support doesn't actually exist by
letting it always fail with ENOSYS.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
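The keyctl() workaround described in the commit above, written out as an LXC seccomp v2 blacklist profile. This is an added illustration, not the project's own profile file; the syscall is denied with errno 38 (ENOSYS), so systemd-networkd concludes that keyctl() support is absent instead of treating a refused call as fatal.

```text
# Constructed example of an LXC seccomp v2 profile (not pve-container's shipped file).
# Line 1: profile version; line 2: policy type (everything not listed is allowed).
2
blacklist
# Section applies to all architectures.
[all]
# Return ENOSYS (38) to the caller instead of killing the process, so userspace
# treats the keyctl() syscall as unimplemented and falls back gracefully.
keyctl errno 38
```

The profile is referenced from the container config with `lxc.seccomp.profile = /path/to/profile`; other actions such as `kill` would abort the service instead of letting it fall back.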
Alwin Antreich [Wed, 14 Mar 2018 12:51:55 +0000 (13:51 +0100)]
Fix pct skiplock
The method vm_start sets an environment variable that is not picked up
anymore by systemd. This patch removes the environment variable and
introduces a skiplock file that is picked up by the
lxc-pve-prestart-hook.
Alwin Antreich [Fri, 9 Mar 2018 15:14:59 +0000 (16:14 +0100)]
Fix #1547: on migration abort, the CT starts again
When a migration fails, the final_cleanup phase now starts the container
on the source node again, if it was a migration in restart_mode and the
CT was running.
Thomas Lamprecht [Fri, 16 Feb 2018 07:40:48 +0000 (08:40 +0100)]
close #1668: add Devuan support
Add separate Plugin as the Debian Plugin will get more systemd
specific stuff in the future, while this here is as anti-systemd as
it gets, so make the split from the start.
But only overwrite the plugin constructor for now, the rest is still
backward compatible.
Short nack history:
In PVE 4 Beta we introduced LXC as our new container technology.
Initially we did not use our section config format for its
configuration file in /etc/pve . It was then decided to reuse our
config format (section config), so that we do not need to maintain a
separate parser, and that VM and CT config were not completely
different, which could confuse users.
This script was added to allow an easy transition from the old LXC
config format to the new Proxmox SectionConfig one.
All new installations since, and including, PVE 4.0 never needed this.
And all beta users must go through PVE 4.4 if they want to
dist-upgrade to PVE 5.0, so just remove it - it's forever tracked in
git anyway.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>