Move ip_is_in_cidr checks on $d->{gw} into the
defined($d->{gw}) guarded if block to avoid warnings and
useless route files being created when using dhcp.
restore: delete config from container after restore
We don't need to leave /etc/vzdump/pct.conf or vps.conf in
the container's directory structure after using it, it only
causes the next backup to have the file twice in the
archive.
restore: make sure only the first pct.conf is extracted
When making a stop/snapshot mode backup of a container that
was already restored from a backup, its /etc/vzdump/pct.conf
file was replacing our newly created one in the archive. We
need to prevent the duplicate file from overwriting our new
one.
redhat: don't use aliases for dual stack networking
A static IPv6 as alias interface for ipv4 doesn't work (RH
has "secondaries" for that), DHCP on aliases doesn't work
either.
The only drawback of putting both in the same file is that
static addresses take longer to be configured if the DHCP
server is slow.
When only an ipv6 address was specified we still tried to
print an ipv4 address which warned and caused additional
newlines to be appended to the file on each start.
parse_ct_mountpoint and parse_lxc_mountpoint are now not used
in schema verification anymore, so instead of returning
undef on error it can now die.
parse_ct_mountpoint now also gets a $noerr parameter as it
is used in foreach_mountpoint, and to be safe we'll just
skip invalid mountpoints there to avoid unexpected
inconsistent states.
Emmanuel Kasper [Wed, 14 Oct 2015 12:47:23 +0000 (14:47 +0200)]
Add new pct fsck command to check the mountpoints of a container
* the filesystem specific command will be called automatically by fsck
* the -a flag ensures that the filesystem can be fixed without any questions
* the -f flag forces a filesystem check even if the fs seems clean
(flags similar to what the fsck systemd unit uses)
Thomas Lamprecht [Wed, 30 Sep 2015 12:20:16 +0000 (14:20 +0200)]
fix hardcoded CT uptime in vmstatus
Implement the container uptime by subtracting the ctime from the
container pid file from the actual time.
This mirrors the behaviour of lxcfs, see get_pid1_time() in lxcfs.c.
This has some limitations, like frozen or live migrated containers
falsify the real uptime. But as it shows every time the uptime like
an uptime command in the container would this is forgivable, for now.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
When using block device based snapshots we cannot mount the
filesystem as it's not clean, and we also can't replay the
journal without write access (as even `-o ro` writes to
devices when replaying a journal (see the linux docs under
Documentation/filesystems/ext4.txt section 3 option 'ro')).
So we need to use the "noload" option to avoid replaying the
journal.
vzdump:lxc: sync and skip journal in snapshot mode
We now perform a 'sync' after 'lxc-freeze' and before
creating the snapshot, since we now mount snapshots with
'-o noload' which skips the journal entirely.
mountpoint_mount: disallow symlinks in bind mounts
symlinks in mount paths can cause security issues
assume the following setup:
mp1: local:X,mp=/disk2
mp2: /mnt/shared,mp=/shared
Now the container boots and executes this sequence:
ct:# ln -s /var/lib/lxc/$VMID/etc /disk2/shared
ct:# umount /disk2
ct:# ln -s /mnt /disk2
ct:# umount /shared
ct:# rmdir /shared
ct:# ln -s /etc /shared
ct:# poweroff
Now the owner waits for a stop-mode backup of the container
to be created:
mp1 will be mounted to the host's /mnt because the
container's /disk2 is a symlink to /mnt.
mp2 will now access the replaced /mnt/shared, which is a
symlink to the container's /etc, and mount that over the
container's /shared, which is a symlink to the host's /etc.
Now until the backup is finished the container's owner could
log into the host via ssh using his container's user
credentials.
We'll also unshare the mount namespace when performing such
backups, but it's still a bad idea to allow symlinks
modifying mount container paths.
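An added example, not part of the commit and not the project's Perl code: one way to refuse symlinks in a mount path is to walk it one component at a time with `O_NOFOLLOW`, so the kernel itself rejects a replaced `/disk2` or `/shared`. The names `open_beneath`, `is_safe_mount_target` and the sample tree are assumptions made for this sketch.

```python
import errno
import os
import tempfile

def open_beneath(rootdir, relpath):
    """Walk relpath below rootdir one component at a time, refusing symlinks.

    Returns a directory fd for the last component. Raises ValueError when a
    component is a symlink, is not a directory, or is '..'.
    """
    flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW | os.O_CLOEXEC
    fd = os.open(rootdir, os.O_RDONLY | os.O_DIRECTORY | os.O_CLOEXEC)
    try:
        for part in relpath.split("/"):
            if part in ("", "."):
                continue
            if part == "..":
                raise ValueError(f"'..' not allowed in {relpath!r}")
            try:
                # O_NOFOLLOW: the kernel refuses to resolve a symlink here.
                nxt = os.open(part, flags, dir_fd=fd)
            except OSError as e:
                if e.errno in (errno.ELOOP, errno.ENOTDIR):
                    raise ValueError(f"{part!r} in {relpath!r} is a symlink "
                                     "or not a directory") from e
                raise
            os.close(fd)
            fd = nxt
        return fd
    except BaseException:
        os.close(fd)
        raise

def is_safe_mount_target(rootdir, relpath):
    """True if relpath below rootdir consists of real directories only."""
    try:
        os.close(open_beneath(rootdir, relpath))
        return True
    except ValueError:
        return False

def symlink_demo():
    """Constructed sample: a container rootfs whose /shared is a symlink."""
    with tempfile.TemporaryDirectory() as tmp:
        rootfs, host_etc = os.path.join(tmp, "rootfs"), os.path.join(tmp, "host-etc")
        os.makedirs(os.path.join(rootfs, "disk2"))
        os.makedirs(host_etc)
        os.symlink(host_etc, os.path.join(rootfs, "shared"))
        os.symlink(host_etc, os.path.join(rootfs, "disk2", "shared"))
        return {mp: is_safe_mount_target(rootfs, mp)
                for mp in ("disk2", "shared", "disk2/shared", "../host-etc")}
```

Keeping the returned fd open and mounting onto `/proc/self/fd/<fd>` avoids a window in which the path is swapped between the check and the mount.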
-) '-x' is '--one-file-system' (the longer version is easier
to spot.)
-) Use --relative's special handling of `/./` in paths in
order to make --one-file-system and --exclude options work
together the way they should.
Here's the issue:
Say you have these files in your container:
/the-file
/mp0/the-file
And assume /mp0 is a mountpoint.
Naturally you want `-exclude-path /the-file` to only exclude
the first of the two files. This is hard when rsyncing each
mountpoint separately, as the rsync command for mp0 would
see files relative to /mp0, and thus both files would be
excluded unless we modify exclude paths accordingly - which
we can't as they can be arbitrary glob patterns.
Now with rsync's --relative option - assume the container is
mounted at /temp (iow: /temp/ and /temp/mp0). Passing
/temp/mp0/ to rsync would copy the contents of the mp0
mountpoint into the root directory of the destination
(essentially doing the equivalent of `mv mp0/* /` in the
container's backup.). However, rsync's special treatment of
/./ with the --relative option allows us to pass
/temp/./mp0/ which tells rsync that `/mp0` is supposed to be
included in the path, iow. we're actually copying from
/temp/, but we want only its mp0/ directory.
See rsync(1)'s section about --relative for a detailed
description.
Use the array-of-array version of run_command to build the
pipe, this should deal with most quoting issues.
Note that tar handles glob patterns in --exclude itself, so
quoting patterns instead of letting the shell resolve them
is also actually more correct.
To avoid at least some weird quoting issues, and since tar
has a --one-file-system option, always skips sockets and
also supports exclusion by pattern we now simply use tar
directly instead of passing files listed by 'find'.
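An added example for the two tar commits above (array-of-arrays pipes and calling tar directly), written in Python rather than the project's Perl `run_command`: each pipe stage is an argv list, so a `--exclude` glob reaches tar literally and awkward file names never pass through a shell. The helpers `run_pipeline`, `tar_cmd` and the sample tree are assumptions made for this sketch.

```python
import os
import subprocess
import tempfile

def run_pipeline(cmds):
    """Run a list of argv lists as cmd1 | cmd2 | ... without a shell.

    Arguments reach each program unchanged: no word splitting, no glob
    expansion, no command substitution. Returns the last command's stdout.
    """
    procs, prev = [], None
    for argv in cmds:
        p = subprocess.Popen(argv, stdin=prev, stdout=subprocess.PIPE)
        if prev is not None:
            prev.close()  # parent drops its copy so upstream can get SIGPIPE
        procs.append(p)
        prev = p.stdout
    out = procs[-1].communicate()[0]
    for p, argv in zip(procs, cmds):
        if p.wait() != 0:
            raise RuntimeError(f"{argv[0]} exited with {p.returncode}")
    return out

def tar_cmd(rootdir, exclude_patterns):
    """Build the tar argv; patterns stay literal so tar does the matching."""
    cmd = ["tar", "-cf", "-", "--one-file-system", "-C", rootdir]
    cmd += [f"--exclude={pat}" for pat in exclude_patterns]
    return cmd + ["."]

def tar_demo():
    """Constructed tree: one awkward file name, two files hit by the glob."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "tmp"))
        for name in ("keep me; $(id).txt", "tmp/a.cache", "b.cache"):
            open(os.path.join(root, name), "w").close()
        listing = run_pipeline([tar_cmd(root, ["*.cache"]),
                                ["tar", "-tf", "-"]])
        return sorted(os.path.normpath(n)
                      for n in listing.decode().splitlines())
```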