lxc-oracle: allow installing from arbitrary yum repo
With this change, you can install a container from a mounted .iso, or any
yum repo with the necessary packages. Unlike the --url option, the repo
does not need to be a mirror of public-yum, but the arch and release must
be specified. For example to install OL6.5 from an .iso image:
    mount -o loop OracleLinux-R6-U5-Server-x86_64-dvd.iso /mnt
    lxc-create -n OL6.5 -t oracle -- --baseurl=file:///mnt -a x86_64 -R 6.5
The template will create two yum .repo files within the container such that
additional packages can be installed from local media, or the container can
be updated from public-yum, whichever is available. Local media must be bind
mounted from the host onto the containers' /mnt for the former .repo to work:
Recent fixes in the apparmor kernel code are now making at least the CI
environment and quite possibly some others fail due to an invalid path
in the pivot_root stanza.
So update both lines to allow a more generic pivot_root call for
anything in LXC's work directory.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
In this patch I tried to stick with each file's coding style, however I
think we should probably change that. Every main() should always not
return and only exit; they should always return EXIT_SUCCESS or EXIT_FAILURE
with the only exceptions being cases where we are returning a child's
exit status (lxc_execute, lxc_attach, lxc_init).
When rebooting an unprivileged container, netpipe starts out
as not -1. If count_veths somehow changed this could lead
to trying to send data over a nonexistent pipe. (Ok can't
*really* happen, as it currently stands, but it's an open
end)
Leonid Isaev [Tue, 1 Apr 2014 02:24:31 +0000 (22:24 -0400)]
archlinux: Code cleanups (v2)
Cleanups:
1. Do not modify container's /etc/hosts (archlinux uses /etc/nsswitch.conf)
2. Remove duplicate lines from config
3. Print a nicer final message
4. Get rid of some grep's
Signed-off-by: Leonid Isaev <lisaev@umail.iu.edu>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Leonid Isaev [Mon, 31 Mar 2014 21:14:34 +0000 (17:14 -0400)]
archlinux: Code cleanups
Cleanups:
1. Do not modify container's /etc/hosts (archlinux uses /etc/nsswitch.conf)
2. Remove duplicate lines from config
3. Print a nicer final message
4. Get rid of some grep's in favor of bash regex
Signed-off-by: Leonid Isaev <lisaev@umail.iu.edu>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
When lxc-info's stdout is not line buffered (i.e. "lxc-info -n foo | more")
the first three lines will be duplicated. This is because c->get_ips()
comes next and it forks and the child will exit() causing its fds to be
closed which flushes out its (fork duplicated) stdio buffers. The lines are
then duplicated when the parent actually gets around to flushing out its
stdio. This causes problems for programs (such as the lxc-webpanel) which
are popen()ing lxc-info.
The fix here isn't necessarily the right one, but does show what the
problem is. Seems like maybe we should fix this inside of get_ips(), for
other API callers as well.
Allow writes to kernel.shm*, net.*, kernel/domainname and
kernel/hostname.
Also fix a bug in the lxc-generate-aa-rules.py script in a
path which wasn't being exercised before, which returned a
path element rather than its child.
This should help it run better on slow test environments like the LXC CI
armhf builder.
- Wait longer for the container to start
- Wait longer for the container to shutdown
- On failure to shutdown, kill the container
- Always destroy the container if it's around
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Serge Hallyn [Sat, 29 Mar 2014 02:05:31 +0000 (21:05 -0500)]
apparmor: auto-generate the blacklist rules
This uses the generate-apparmor-rules.py script I sent out some time
ago to auto-generate apparmor rules based on a higher level set of
block/allow rules.
Add apparmor policy testcase to make sure that some of the paths we
expect to be denied (and allowed) write access to are in fact in
effect in the final policy.
With this policy, libvirt in a container is able to start its
default network, which previously it could not.
v2: address feedback from stgraber
  put lxc-generate-aa-rules.py into EXTRA_DIST
  add lxc-test-apparmor, container-base and container-rules to .gitignore
  take lxc-test-apparmor out of EXTRA_DIST
  make lxc-generate-aa-rules.py pep8-compliant
  don't automatically generate apparmor rules
    This is only because we can't be guaranteed that python3 will be
    available.
Dwight Engen [Thu, 27 Mar 2014 20:46:38 +0000 (16:46 -0400)]
add yum plugin to repatch rootfs on yum update
oracle-template: Split patching rootfs vs one time setup into separate
shell functions so the template can be run with --patch.
oracle-template: Update to install the yum plugin and itself (as lxc-patch)
into a container. The plugin just runs lxc-patch --patch <path> so it is
fairly generic, but in this case it is running a copy of the template inside
the container.
Serge Hallyn [Thu, 27 Mar 2014 15:36:06 +0000 (10:36 -0500)]
move lxc-init to /sbin/init.lxc
Using the multiarch dir causes problems when running lxc-execute
on amd64 with an i386 container. /sbin/lxc-init is a more confusing
name and will show up in 'lxc<tab>'. /sbin/init.lxc should be quite
obvious as an init for lxc.
Add LXC_NET_NONE to known lxc_network_types, so parsing a config
file with lxc.network.type = none does not result in failure
(e.g. doc/examples/lxc-no-netns.conf). Options have also been
reordered to match the enum in conf.h.
Serge Hallyn [Tue, 25 Mar 2014 20:50:06 +0000 (15:50 -0500)]
commands: handle epipe
If we start a lxc_wait on a container while it is exiting, it is
possible that we open the command socket, then the command socket
monitor closes all its mainloop sockets and exit, then we send our
credentials. Then we get killed by SIGPIPE.
Handle that case, recognizing that if we get sigpipe then the
container is (now) stopped.
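The race described above ends with a write to a socket whose peer has already gone away. The following is an added example, not code from this commit or from LXC, showing one common way to survive that: sending with MSG_NOSIGNAL so the kernel reports EPIPE instead of delivering SIGPIPE, and mapping EPIPE to a "peer gone" result the caller can treat as "container stopped". The enum, send_to_peer() and the two probe functions are constructed for the demonstration; a socketpair with one end closed stands in for the command socket after the monitor has exited.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Constructed outcome codes: the caller can map PEER_GONE to "stopped". */
enum peer_state { PEER_OK = 0, PEER_GONE = 1, PEER_ERROR = 2 };

/* Send a message to the command socket. MSG_NOSIGNAL turns the fatal
 * SIGPIPE into an EPIPE return value that we can inspect. */
static enum peer_state send_to_peer(int fd, const void *buf, size_t len)
{
    ssize_t n = send(fd, buf, len, MSG_NOSIGNAL);
    if (n == (ssize_t)len)
        return PEER_OK;
    if (n < 0 && errno == EPIPE)
        return PEER_GONE;      /* monitor closed its end: treat as stopped */
    return PEER_ERROR;
}

/* Simulate the race: the "monitor" end is closed before we send. */
static enum peer_state probe_closed_peer(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return PEER_ERROR;
    close(sv[1]);              /* monitor has exited and closed its socket */

    char creds[] = "creds";    /* constructed stand-in for the credentials */
    enum peer_state st = send_to_peer(sv[0], creds, sizeof creds);
    close(sv[0]);
    return st;
}

/* Control case: the peer is still there, so the send succeeds. */
static enum peer_state probe_open_peer(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return PEER_ERROR;

    char creds[] = "creds";
    enum peer_state st = send_to_peer(sv[0], creds, sizeof creds);
    close(sv[0]);
    close(sv[1]);
    return st;
}

int main(void)
{
    printf("closed peer -> %d (1 = gone)\n", probe_closed_peer());
    printf("open peer   -> %d (0 = ok)\n", probe_open_peer());
    return 0;
}
```

Without MSG_NOSIGNAL (or an equivalent SIGPIPE disposition) the first probe would terminate the process before send() returned, which is exactly the failure mode the commit describes.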
Added root_password_expired password control tuning knob.
Added the environment variable "root_password_expired" to
control if the initial, temporary, root password is initially
set up as "expired". If set to "yes" (default), the root password
is set as "expired" and the user must change it at first login.
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Set timezone for new container if not previously defined.
If the container does not already contain an /etc/localtime
timezone definition, then copy a definition from the host to
the container. This is often a symlink to an appropriate
system timezone definition files and is presumed to exist in
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Fix arch cross-build when running distro cross-build.
Corner case existed when building a cross-arch container (i686 on x86_64)
on a cross-distro host (Fedora container on Ubuntu host). Fixed the
arch "fixup" code to do the right thing when running from the bootstrap.
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Dwight Engen [Tue, 11 Mar 2014 19:44:54 +0000 (15:44 -0400)]
fix console stdin,stdout,stderr fds
The fds for stdin,stdout,stderr that we were leaving open for /sbin/init
in the container were those from /dev/tty or lxc.console (if given), which
wasn't right. Inside the container it should only have access to the pty
that lxc creates representing the console.
This was noticed because busybox's init was resetting the termio on its
stdin which was affecting the actual user's terminal instead of the pty.
This meant it was setting icanon so we were not passing keystrokes
immediately to the pty, and hence command line history/editing wasn't
working.
Fix by dup'ing the console pty to stdin,stdout,stderr just before
exec()ing /sbin/init. Fix fd leak in error handling that I noticed while
going through this code.
Also tested with lxc.console = none, lxc.console = /dev/tty7 and no
lxc.console specified.
V2: The first version was getting EBADF sometimes on dup2() because
lxc_console_set_stdfds() was being called after lxc_check_inherited()
had already closed the fds for the pty. Fix by calling
lxc_check_inherited() as late as possible which also extends coverage
of open fd checked code.
V3: Don't move lxc_check_inherited() since it needs to be called while
the tmp proc mount is still mounted. Move call to lxc_console_set_stdfds()
just before it.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Serge Hallyn [Thu, 20 Mar 2014 04:55:00 +0000 (23:55 -0500)]
mutex cgmanager access
It looks like either libdbus or libnih is showing some corruption with
threaded access to the cgmanager-client library. Until we can
straighten that out, mutex access to the cgmanager.
The worst part of this is having to take and drop the mutex at every
fork. This also means that we can't keep a connection open for the
duration of container startup, since that would deadlock forks.
If we were going to keep it like this, then we could get rid of some
code in start.c. However we take a performance hit here which I
really hope we can rectify soon.
The other approach we could take would be to keep a global count of
references to cgroup_manager. Mutex the open, close, and each use
of the cgroup_manager proxy (and the inc/dec of the refcount). This
way we could in fact keep the connection open for the duration of
container start. The atfork handler child_fn would have to close
the connection if open.
Holger Amann [Wed, 19 Mar 2014 06:06:13 +0000 (07:06 +0100)]
debian: Symlink /etc/mtab
/etc/mtab doesn’t exist after bootstrapping a debian container, and will
be created as a regular file after first start.
That leads to at least two errors:
- output of `mount` is wrong and gets messed up the more often you
start/stop the container
- /dev/pts/ptmx has wrong permissions
Dwight Engen [Tue, 11 Mar 2014 18:48:32 +0000 (14:48 -0400)]
make failure to connect to cgmanager DEBUG instead of ERROR
You can have both cgmanager and cgfs compiled in, and lxc will fall back
at runtime to cgfs if it cannot connect to cgmanager, so print the failure
to connect as a DEBUG like the code used to do.
Serge Hallyn [Tue, 11 Mar 2014 02:41:34 +0000 (21:41 -0500)]
cgmanager: avoid stray dbus connections
There are two parts to this fix.
First, create a private DBusConnection manually, instead of using
nih_dbus_connect. The latter always creates a shared connection,
which cannot be closed. Note: creating an actual shared connection,
mutexing it among all threads, and creating per-thread proxies would
be an alternative - however we don't want long-lived connections as
they tend not to be reliable (especially if cgmanager restarts).
Second, use pthread_setspecific to create per-thread keys which can
be associated with destructors. Specify a destructor which closes
the dbus connection. If a thread dies while holding cgmanager,
the connection will be closed. Otherwise, we close the connection
and unset the key.
Dwight Engen [Fri, 7 Mar 2014 21:49:25 +0000 (16:49 -0500)]
fix fd leak in test-concurrent
Opening a debug log for every thread at every iteration of test-concurrent
causes it to quickly run out of fd's because this fd is leaked. Fix this
by adding a new api: lxc_log_close().
As Caglar noted, the log handling is in general a bit "interesting" because
a logfile can be opened through the per-container api
c->set_config_item("lxc.logfile") but lxc_log_fd is now per-thread data. It
just so happens in test-concurrent that there is a 1:1 mapping of threads
to logfiles.
Split out getting debug logs from quiet since I think they are useful
separately. If debug is specified, get a log of any mode, not just during
start.
Stéphane Graber [Fri, 7 Mar 2014 20:29:12 +0000 (15:29 -0500)]
lxc-create: Require --template be passed
It's often been reported that the behavior of lxc-create without -t is a
bit confusing. This change makes lxc-create require the --template
option and introduces a new "none" special value which when set will
fallback to the old template-less behavior.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Stéphane Graber [Fri, 7 Mar 2014 18:32:16 +0000 (13:32 -0500)]
lxc-autostart: Add a new --ignore-auto/-A flag
When passed, this flag will cause lxc-autostart to ignore the value of
lxc.start.auto.
This then allows things like: lxc-autostart -s -a -A
Which will select all containers regardless of groups (-a), regardless
of whether they are actually marked as auto-started (-A) and will shut
them down (-s).
Update our init scripts to use the new feature.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Serge Hallyn [Fri, 7 Mar 2014 18:24:27 +0000 (12:24 -0600)]
lxc: manually move NICs back to host after container stops
This prevents things like bridges from being destroyed by the kernel.
My hope is that just doing this will be enough to also ensure that
the device will be available to be renamed immediately, so that
we don't need to do a retry loop.
Tested with a dummy device. Renaming dummy0 to dummy5 in the container,
then shutting down container, returns dummy0 to the host.
S.Çağlar Onur [Fri, 7 Mar 2014 04:27:05 +0000 (23:27 -0500)]
put shared variables into thread-local storage
This doesn't solve the general design problem of the log.c (e.g. some log lines
got lost or scattered into multiple files) but at least prevents multithreaded
code from crashing.
Before this change something like the following:
    sudo src/tests/lxc-test-concurrent -i 10 -j 20
was crashing nearly all the time due to 3afbcc4600a as we started to
set lxc.loglevel and lxc.logfile with that commit.
Dwight Engen [Wed, 5 Mar 2014 20:48:39 +0000 (15:48 -0500)]
fix console stdin,stdout,stderr fds
The fds for stdin,stdout,stderr that we were leaving open for /sbin/init
in the container were those from /dev/tty or lxc.console (if given), which
wasn't right. Inside the container it should only have access to the pty
that lxc creates representing the console.
This was noticed because busybox's init was resetting the termio on its
stdin which was affecting the actual user's terminal instead of the pty.
This meant it was setting icanon so we were not passing keystrokes
immediately to the pty, and hence command line history/editing wasn't
working.
Fix by dup'ing the console pty to stdin,stdout,stderr just before
exec()ing /sbin/init. Fix fd leak in error handling that I noticed while
going through this code.
Also tested with lxc.console = none, lxc.console = /dev/tty7 and no
lxc.console specified.
Serge Hallyn [Tue, 4 Mar 2014 20:54:04 +0000 (14:54 -0600)]
snapshot: fix overlayfs restore
And add a testcase to catch regressions.
Without this patch, restoring a snapshot of an overlayfs based
container fails, because we do not pass in LXC_CLONE_SNAPSHOT,
and overlayfs does not support clone without snapshot.
Serge Hallyn [Tue, 4 Mar 2014 18:18:08 +0000 (12:18 -0600)]
cgmanager: switch to TLS
Drop the thread mutex. Set a (TLS) boolean at container start to
indicate that the connection should be kept open; set it back to false
only when container start is complete. Every cgm_ method opens the
connection if not already open, and closes it if cgm_keep_connection
is false.
Serge Hallyn [Mon, 3 Mar 2014 22:39:00 +0000 (16:39 -0600)]
cgmanager updates
1. remove the cgm_dbus_disconnected handler. We're using a proxy
anyway, and not keeping it around.
2. comment most of the cgm functions to describe when they are called, to
ease locking review
3. the cgmanager mutex is now held for the duration of a connection, from
cgm_dbus_connect to cgm_dbus_disconnect.
3b. so remove the mutex lock/unlock from functions which are called during
container startup with the cgmanager connection already up
4. remove the cgroup_restart(). It's no longer needed since we don't
daemonize while we have the cgmanager socket open.
5. report errors and return early if cgm_dbus_connect() fails
6. don't keep the cgm connection open after cgm_ops_init. I'm a bit torn
on this one as it means that things like lxc-start will always connect
twice. But if we do this there is no good answer, given threaded API
users, on when to drop that initial connection.
7. cgm_unfreeze and nrtasks: grab the dbus connection, as we'll never
have it at that point. (technically I doubt anyone will use
cgmanager and utmp helper on the same host :)
8. lxc_spawn: make sure we only disconnect cgroups if they were already
connected.
Stéphane Graber [Tue, 4 Mar 2014 18:20:10 +0000 (13:20 -0500)]
lxc-ls: Fix support of --nesting for unpriv
This reworks the way lxc-ls works in nesting mode. In the past it'd use
attach_wait's subprocess function to call itself in the container's
namespace, carefully only attaching to the namespaces it needed.
This works great for system containers but not so much as soon as you
also need to attach to userns. Instead this fix moves all of the
container listing code into a get_containers function (hence the massive
diff, sorry), this function is then called recursively.
For running containers, the function is called through attach_wait
inside the container's namespace, for stopped container, the function is
simply called recursively with a base path (container's rootfs) in an
attempt to find containers that way.
Communication between the parent lxc-ls and the child lxc-ls is done
through a temporary fd and serialized state using json (similar to what
was done using stdout in the previous implementation).
As get_global_config_item unfortunately caches the values, there's no
easy way to figure out what the lxcpath should be for a root container
when running as non-root, so just use @LXCPATH@ for now and have
python do the parsing itself.
As a result, the following things now work as expected:
- listing nested unprivileged containers (root containers inside unpriv)
- listing nested containers when they're not running
- filtering containers in nesting mode (only the first level is filtered)
- copy with invalid config (used to traceback)
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Natanael Copa [Tue, 4 Mar 2014 09:50:27 +0000 (09:50 +0000)]
lua: respect configure's --prefix
Install lua files under the configured --prefix rather than use the
pkg-config's variables LUA_INSTALL_[CL]MOD.
Users will likely want to use --prefix while packagers will use DESTDIR.
Set the default to $datadir/lua/$LUA_VERSION for arch independent
lua modules and $libdir/lua/$LUA_VERSION for arch dependent .so modules.
This should work for most distros. If it does not, then packagers
can still do:
    make install lualibdir=$(pkg-config lua --variable=INSTALL_CMOD) ...
Serge Hallyn [Mon, 3 Mar 2014 19:57:14 +0000 (13:57 -0600)]
clone: don't set new containers' rootfs to the old
If clone is called from the api, the container object in memory
retains the bad fs. The line is wrong, being a leftover from a
previous attempt before copy_storage was moved earlier.
Stéphane Graber [Mon, 3 Mar 2014 16:31:03 +0000 (11:31 -0500)]
Fix typo I introduced in the bdev change.
When adding the missing return value in Caglar's change (as discussed on
the mailing-list), I set err = -1 instead of ret = -1, causing an
obvious build failure...