Chris Glass [Wed, 15 Jan 2014 15:37:46 +0000 (16:37 +0100)]
Fix small mistake with squid-deb-proxy hook
I unfortunately realized that I did not push the latest version of the
file. This fixes an issue in the case where we want to create the proxy
file in the container (not nested).
Signed-off-by: Chris Glass <tribaal@gmail.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Qiang Huang [Wed, 15 Jan 2014 02:45:18 +0000 (10:45 +0800)]
lxccontainer.c: check lxc_conf before referance haltsignal
If we start container with rcfile(see comments in lxc_start.c), it
is possible that we have no config file in /usr/local/var/lib/lxc.
So when we try lxc_stop, lxc_container_new will not load any config
so we'll get c->lxc_conf = NULL.
In that case, we'll get Segmentation fault in lxcapi_shutdown, a
simple check would fix this.
Stéphane Graber [Tue, 14 Jan 2014 23:25:44 +0000 (18:25 -0500)]
Fix return value of userns_exec_1
Instead of always returning -1 and call SYSERROR when the child returns
non-zero. Have userns_exec_1 always return the return value from the
function it's calling and let the caller do the error handling (as is
already done by its only caller).
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Stéphane Graber [Tue, 14 Jan 2014 22:24:14 +0000 (17:24 -0500)]
lxc-archlinux: Cleanup fstab
It's been brought to my attention that the read-only mount of /proc/sys
is causing problems to archlinux users, so instead just have LXC mount
proc and sysfs normally (read-write).
Reported-by: John Lane <john@lane.uk.net> Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Modify lxc-fedora and lxc-centos for multiple issues...
This is a reissue of two previous patches along with some additional
changes for hardening the root password process based on discussions
on-list.
--
This patch modifies the lxc-fedora and lxc-centos templates for 3 things.
1) Extensively modifies root password generation, storage, and management
based on discussions on the devel list.
Root passwords are hardened and have advanced configurability.
A static password may be provided.
A password based on a template may be generated, including ${RANDOM}.
A password may be generated through mktmp using a template with X's.
Root passwords default to expired, initially.
Passwords may optionally be echoed to stdout at container creation. (no)
Passwords may optionally be stored in ${rootfs_path}/tmp_root_pass. (yes)
Users may be optionally forced to change the password at creation time. (no)
Default is to generate a pattern based password and store, no force change.
All of this may be overridden by environment variables through
conditional assignment.
2) Random static hardware addresses are generated for all configured
interfaces.
3) Add code to create sysv init style scripts to intercept shutdown and
reboot to prevent init restart and hang for CentOS and legacy Fedora
systems on shutdown, reboot, init 0, and init 6. This solves a variety
of hang conditions but only affects newly created containers. Does
not have any impact on systemd based containers.
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Serge Hallyn [Mon, 13 Jan 2014 17:08:48 +0000 (11:08 -0600)]
api change: default container->daemonize to true
Pretty much the only case where we do NOT want to daemonize
a container start is lxc-start. So make c->daemonize true
by default, and have lxc-start set it to false.
If there are existing API users who rely on daemonize by
default, then they will be broken by this. It seems we should
do this before beta1 if we're going to do it.
Chris Glass [Thu, 9 Jan 2014 16:40:12 +0000 (16:40 +0000)]
Make ubuntu templates squid-deb-proxy-client aware
This makes the ubuntu and ubuntu-cloud templates automatically aware of apt
proxy settings when the LXC host has "squid-deb-proxy-client" installed. This
makes installations *much* faster when a suitable squid-deb-proxy is
found on the network (or installed on the host).
Signed-off-by: Chris Glass <tribaal@gmail.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Stéphane Graber [Tue, 14 Jan 2014 20:02:42 +0000 (15:02 -0500)]
download: Improve cache handling
This adds a new --force-cache parameter which will force use of the
cache even for expired images.
An expired image is now only flushed from the cache once a new one is
successfuly downloaded (to avoid destroying the local cache when the
host doesn't have internet connectivity).
The ID of the build in cache is also tracked so that we don't
re-download something we already have (should only happen if we don't
have a new build published by the time the previous one expires).
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Stéphane Graber [Tue, 14 Jan 2014 19:12:33 +0000 (14:12 -0500)]
download: Don't use an hardcoded exclude list
Instead of hardcoding --exclude=./dev/*, use a new metadata file
"excludes" which lists all the paths or patterns to exclude during
extraction (one per line).
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Serge Hallyn [Mon, 13 Jan 2014 21:26:49 +0000 (15:26 -0600)]
cgroup: move all some functions into cgroup.h
Some functions which wanted to know about cgroup paths were located
in other files. Move them into cgroup.c, so that all knowledge of
the cgroup backend can be colocated.
Serge Hallyn [Mon, 13 Jan 2014 16:02:29 +0000 (10:02 -0600)]
This change introduce mac address templating.
By setting lxc.network.hwaddr to something like fe:xx:xx:xx:xx:xx each
"x" will be replaced by a random value. If less significant bit of
first byte is "templated", it will be set to 0.
This change introduce also a common randinit() function that could be
used to initialize random generator.
Serge Hallyn [Mon, 13 Jan 2014 02:45:00 +0000 (20:45 -0600)]
introduce lxc-unpriv test
It simply creates a test user and tries to create and start
a container as that user. Tries to lxc-attach to that
container to test network connectivity.
Dwight Engen [Thu, 9 Jan 2014 20:36:13 +0000 (15:36 -0500)]
ensure all config items are duplicated on clone/write_config
Since previously I had found a config item that wasn't being propagated
by lxc-clone, I went through all the config items and made sure that:
a) Each item is documented in lxc.conf
b) Each item is written out by write_config
The only one that isn't is lxc.include, which by its nature only pulls
in other config item types.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Serge Hallyn [Sat, 11 Jan 2014 06:14:26 +0000 (00:14 -0600)]
cgroup: recursively delete cgroups when asked
Currently when a container is shut down, lxc walks the set of all
cgroup paths it created, in reverse order, and tries to remove them.
This doesn't suffice if the container has also created new cgroups.
It'd be impolite to recursively remove all the cgroup paths we created,
since this can include '/lxc' and thereunder all other containers
started since.
This patch changes container shutdown to only delete the container's own
path, but do so recursively. Note that if we fail during startup,
the container won't have created any cgroup paths so it the old
way works fine.
Stéphane Graber [Fri, 10 Jan 2014 22:28:07 +0000 (17:28 -0500)]
download: Initial template
This adds a new template called "download". It's a fairly simple
template with a minimal set of dependency which will grab any pre-built
image available on https://images.linuxcontainers.org
Note that the serverside is still work in progress (missing SSL support).
Access is done over https by default with a warning being emitted if
fallback to http was required (may be needed for testing, when behind
proxy and with private servers). All index files and tarballs are
gpg-signed with the default pubkeyid contained in the template itself.
The main benefit of this template is to be entirely
distribution-agnostic, any template that can be integrated with the
server build infrastructure will then work on any LXC machine when using
the download template. This template is also compatible with user
namespaces and will hopefully help widden the number of distros that may
work in unprivileged LXC.
This commit also bundles a small change to the template configs to have
the ubuntu template (used by the download template) to work with
unprivileged LXC.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Serge Hallyn [Sat, 11 Jan 2014 03:48:30 +0000 (21:48 -0600)]
Fix bug in preserve_ns
If /proc/self/ns does not exist, then preserve_ns was failing to
initialize the saved_ns[i] to -1. This caused attach_ns() to try
and attach, and of course fail.
Initialize the saved ns values before returning an error.
The return values of preserve_ns and attach_ns were also being
ignored. Honor them.
Stéphane Graber [Thu, 9 Jan 2014 22:31:52 +0000 (17:31 -0500)]
Re-organize API for global lxc.conf config
Instead of having one function for each possible key in lxc.conf which
doesn't really scale and requires an API update for every new key,
switch to a generic lxc_get_global_config_item() function which takes a
key name as argument.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Stephen Ayotte [Thu, 2 Jan 2014 19:30:26 +0000 (14:30 -0500)]
Support large bdevs on 32-bit; MB units by default.
Change all instances of "unsigned long" where referring to a bdev size
to uint64_t; this fixes some overflows on 32-bit machines, where
"unsigned long" is uint32_t. Support all unit-sizes supported by LVM
except 's' and 'e' [bkmgt]. Print a warning and use default bdev-size if
invalid unit-size specified.
Signed-off-by: Stephen Ayotte <stephen.ayotte@gmail.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>
KATOH Yasufumi [Mon, 6 Jan 2014 09:05:39 +0000 (18:05 +0900)]
doc: Update man pages to the latest information
* lxc-attach(1): Update to the status of kernel 3.8 or higher
* lxc-create(1), lxc-destroy(1): Now lxc-ls don't have "-l" option, so remove
* lxc(7): update description of lxc-ls and lxc-info to current version
* see-also: fix lxc(1) to lxc(7)
S.Çağlar Onur [Sat, 4 Jan 2014 05:00:04 +0000 (00:00 -0500)]
check pthread_atfork and thread-local storage
Add pthread_atfork check to configure.ac and uses it when necessary,
Introduces tls.m4 macro for checking thread-local storage support, Puts
values array into thread-local storage
(lxc_global_config_value@src/lxc/utils.c), Removes
static_lock/static_unlock from LXC code.
Lastly, it introduces a warning for bionic users about multithreaded
usage of LXC.
Dwight Engen [Tue, 31 Dec 2013 19:21:55 +0000 (14:21 -0500)]
add lxc-autostart support for sysv init systems
This change updates the way init scripts get installed so that more
than one init system can be supported. Instead of installing the
systemd service file from the spec file, it should be installed at
make install time, so that someone compiling from source also gets
the unit file installed.
Update the plamo template to use a lock file not named just
/var/lock/subsys/lxc since the presence of that file is used by
sysv init rc file to know if it should run the K01lxc script. This
also makes it consistent with the other templates which use
/var/lock/subsys/lxc-$template-name.
Serge Hallyn [Wed, 1 Jan 2014 19:43:35 +0000 (13:43 -0600)]
snapshot: enforce keeping same backing store type (v2)
Stéphane noticed that lxc-snapshot of a dir-backed container
created an overlayfs container. The expectation is that the
user can continue to modify the original container and later make
a new snapshot, but this doesn't work with the existing behavior -
the overlayfs clone will end up with the modified contents.
So add a 'LXC_CLONE_KEEPBDEVTYPE' flag, which c->snapshot()
passes to c->clone().
Also add a LXC_CLONE_MAYBE_SNAPSHOT. If this is set and a
backing store does not support snapshotting, then proceed with
a copy clone.
Dwight Engen [Tue, 31 Dec 2013 19:21:49 +0000 (14:21 -0500)]
change lxc-autostart shutdown to behave like lxc-stop
It is desirable to have a mode where a soft shutdown is requested,
but then do a hard shutdown if after some time period the container
has not shut down. This the default behaviour of lxc-stop, but is
not currently possible with lxc-autostart. This change makes this
the default behaviour when shutdown is specified to lxc-autostart.
This will be very useful for init scripts.
An indefinte wait for soft shutdown (though I'm not sure how that
would be useful) is still possible by passing a timeout of 0.
Change default timeout value to 60 seconds to match lxc-stop
Additional logic for dealing with container shutdown / reboot
Additional logic for dealing with container shutdown / reboot
Fix a problem with CentOS containers and legacy Fedora (<16) containers
not shutting down or rebooting properly. Copy /etc/init.d/halt to
/etc/init.d/lxc-halt, deleting everything from the "hwclock save" and
all after and append a force halt or reboot at the end of the new
script, to prevent reexecing init. Link that script in as
S00lxc-halt in rc0.d and S00lxc-reboot in rc6.d to intercept the
shutdown process before it gets to S01halt / S01reboot causing the hang.
Fixed some typos in the CentOS template that were introduced in the
previous patch for hwaddr settings and missed in regression testing.
Cleaned up some instruction typos and tabs from previous patch.
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Andrey Mazo [Tue, 24 Dec 2013 17:08:13 +0000 (21:08 +0400)]
Mark functions as static and arguments/arrays as const where possible
Mark most of functions that are used within only one file as static.
After 95ee490bbdb97ab2b4f1dfa63a0a26e0dd1c2f17 it's easy to prove they
are not in public API.
Several arrays and structs are also marked static.
This prevents them from being exported from liblxc.so
Serge Hallyn [Thu, 2 Jan 2014 15:40:16 +0000 (09:40 -0600)]
Revert "Use pthread_atfork() to unlock mutexes after fork()"
This reverts commit 84e9e197933e601b66480da578b92630ebedfc72, because
it breaks bionic builds. The patch is desirable so hopefully we can
come up with a solution or alternate patch soon.
KATOH Yasufumi [Fri, 27 Dec 2013 16:35:22 +0000 (01:35 +0900)]
doc: Improve Japanese man pages
* Improve Japanese translation
* Fix mis-translation
* Insert linefeed between paragraph, because some paragraph is too
long, so sometimes git send-email could not use.
Fix version checking and deal with pam_loginuid in CentOS template.
This deals with a reported issue when running and building containers
on a CentOS host system.
Fixed various typos in version checking when running on a CentOS system.
Added logic for differences between point releases (6.5) and rolling (6).
Added version detection logic when running on RHEL systems as well.
Fixed cpe detection string (CentOS is not adhering to their own registration).
Added logic to disable the pam_loginuid.so binary in containers.
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Andrey Mazo [Tue, 24 Dec 2013 17:08:14 +0000 (21:08 +0400)]
Remove unused functions
After 95ee490bbdb97ab2b4f1dfa63a0a26e0dd1c2f17 they are not in public
API and are not used throughout the lxc codebase.
This has a bonus of removing workaround for bionic.
Signed-off-by: Andrey Mazo <mazo@telum.ru> Acked-by: Stéphane Graber <stgraber@ubuntu.com>
S.Çağlar Onur [Tue, 24 Dec 2013 19:04:10 +0000 (14:04 -0500)]
add travis-ci support to LXC github repo (v2)
Travis is a free hosted CI platform for the open source community. It integrates
well with github and enables continous builds/tests for both repository itself
and all the pull requests so that one can quickly see the result of the possible
merge.
This yml file is one of the few required steps to enable travis-ci support for
LXC github repo. One of you guys still need to sign in travis-ci through GitHub OAuth
and enable travis support from its profile page https://travis-ci.org/profile
As an example https://travis-ci.org/caglar10ur/lxc-upstream/builds/15872074 can be seen
changes since v1;
- All external dependencies are now innstalled via before_install section
- Dropped all configure flags as Stéphane suggested