dlezcano [Mon, 17 Nov 2008 16:01:34 +0000 (16:01 +0000)]
Add return error status in the different functions
From: Daniel Lezcano <dlezcano@fr.ibm.com>
Add the most common errors to the different APIs so they can be followed up by the
caller, so we can later show a better message to the user when something
goes wrong. The error catching is coarse-grained right now but will be improved,
step by step.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
dlezcano [Fri, 14 Nov 2008 16:16:35 +0000 (16:16 +0000)]
Change at compilation time the destruction of the network devices
From: Daniel Lezcano <dlezcano@fr.ibm.com>
The future kernel version will automatically destroy the network devices
when the network namespace exits. This is not the case for the current version.
In order to handle both cases, I added a configuration option to disable
the network destruction when the container exits:
--disable-network-destroy
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
dlezcano [Fri, 14 Nov 2008 15:42:59 +0000 (15:42 +0000)]
Fix cgroup configuration format
From: Daniel Lezcano <dlezcano@fr.ibm.com>
This modification changes the configuration format. Instead of creating
a 'cgroup' directory with a file per controller, a single file is used
to store the different values for the control groups. That allows assigning
several values to the same controller like "devices.allow" and keeps the same
assignment order as defined in the configuration.
In order to keep compatibility, when the old cgroup format is detected, it
is automatically converted to the new format.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
dlezcano [Thu, 13 Nov 2008 16:53:23 +0000 (16:53 +0000)]
Add setpcap capability to be able to drop the sys_boot capability.
From: Daniel Lezcano <dlezcano@fr.ibm.com>
Previously, we dropped the CAP_SYS_BOOT capability. Unfortunately, if we are
a non-root user, we are not able to do that. So I added CAP_SETPCAP to the
lxc-execute and lxc-start command lines to remove this capability.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
dlezcano [Thu, 13 Nov 2008 15:21:55 +0000 (15:21 +0000)]
Replace lxc_execute by an intermediate lxc_init
From: Daniel Lezcano <dlezcano@fr.ibm.com>
The main difference between lxc_start and lxc_execute is that the latter creates
an intermediate process to wait for all the children. That allows supporting
daemons or orphan process groups for the pid namespace.
Having such a difference causes the code to be duplicated between the two
functions. So instead of doing this, I created an intermediate <init> program
which is in charge of launching the specified command. This command is the
lxc-init program taking different options:
--mount-procfs : mount the proc filesystem before exec'ing the command
--mount-sysfs : mount the sys filesystem before exec'ing the command
A double dash indicates the end of the options of lxc-init and the beginning
of the command to be launched.
To summarize:
* lxc_execute function is no more.
* lxc-execute command uses the lxc_start function and launches the specified
command via lxc-init
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
dlezcano [Wed, 5 Nov 2008 19:51:21 +0000 (19:51 +0000)]
Add guidelines for contribution to the 'lxc' project
From: Daniel Lezcano <dlezcano@fr.ibm.com>
The CONTRIBUTING file gives the guidelines to submit patches to this project.
MAINTAINERS contains the maintainer name and mailing list to send the patches.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
dlezcano [Sun, 26 Oct 2008 22:06:49 +0000 (22:06 +0000)]
Fixed different compilation schemes by making the /var/lxc directory relative to
the installation prefix and by adding some extra paths to search for the
'setcap' command.
dlezcano [Fri, 24 Oct 2008 20:14:57 +0000 (20:14 +0000)]
Give the ability to non-root users to play with the containers. This feature
relies on file capabilities: when the lxc commands are installed, the
sys/net admin capabilities are given to these files. These capabilities are
not available to the application running inside the container.
dlezcano [Mon, 20 Oct 2008 11:45:19 +0000 (11:45 +0000)]
This new command is a helper to check if the needed functionalities are
compiled in the kernel. It relies on /proc/config.gz; if it is not compiled in,
the command will simply fail.
If a feature is missing but not mandatory, the "disabled" keyword will appear
in yellow; if it is mandatory, it will appear in red; otherwise the keyword
"enabled" will appear in green.
dlezcano [Sat, 18 Oct 2008 21:07:39 +0000 (21:07 +0000)]
These modifications improve the monitoring support of the container. Now
several readers can attend the events from one or several containers.
The syntax of the command has been enhanced to interpret regular expressions.
If you want to monitor foo, lxc-monitor -n foo is the right command. If you
want to monitor foo and bar, you should specify lxc-monitor -n "foo|bar",
if you want to monitor all containers with the name beginning with 'foo',
you have to specify lxc-monitor -n "foo.*". More complex regexps can be specified
in accordance with the POSIX definitions, see regex(7).
dlezcano [Tue, 7 Oct 2008 14:24:56 +0000 (14:24 +0000)]
Add a command line to set up/retrieve the value of a cgroup subsystem:
lxc-cgroup -n <container name> <subsystem> [value]. If the value is specified,
the subsystem is modified; if it is not specified, the value of the subsystem
is returned.
dlezcano [Mon, 6 Oct 2008 18:47:19 +0000 (18:47 +0000)]
Add cgroup support, the configuration file should be specified with the format:
lxc.cgroup.xxx = yyy
where xxx is a cgroup subsystem (e.g. cpu.shares) and yyy is the value to
be set.
If no configuration file is specified or the container was not created before,
the lxc-execute command will automatically create a new container and destroy
it when it dies. If a configuration file is specified and the container does
not exist, the container is created with the configuration file and destroyed
when it dies.
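The `lxc.cgroup.xxx = yyy` syntax introduced in the cgroup support commit above, and the ordering requirement from the "Fix cgroup configuration format" commit (several values for one controller such as "devices.allow", applied in the order written), can be illustrated with a small parser. This is an added example, not lxc's own code; the struct layout, function names and the constructed configuration in the test are assumptions.

```c
/* Added example, not lxc's own code: parse "lxc.cgroup.<subsystem> = <value>"
 * lines, keeping repeated subsystems (e.g. devices.allow) in written order. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

struct cgroup_entry {
    char subsystem[64];   /* e.g. "devices.allow" (layout is an assumption) */
    char value[128];      /* e.g. "c 1:3 rwm" */
};

/* Strip leading and trailing whitespace in place; returns a pointer into s. */
static char *trim(char *s)
{
    while (isspace((unsigned char)*s))
        s++;
    char *end = s + strlen(s);
    while (end > s && isspace((unsigned char)end[-1]))
        *--end = '\0';
    return s;
}

/* Fill out[] from the config text; returns the entry count, or -1 on an
 * over-long line, a cgroup line without '=' or with an empty key, or overflow. */
int parse_cgroup_config(const char *config, struct cgroup_entry *out, int max)
{
    char line[256];
    int count = 0;
    for (const char *p = config; *p; ) {
        size_t n = strcspn(p, "\n");
        if (n >= sizeof(line)) return -1;
        memcpy(line, p, n);
        line[n] = '\0';
        p += n + (p[n] == '\n');    /* skip the newline if there was one */
        char *key = trim(line);
        /* Skip blank lines, comments and options that are not lxc.cgroup.* */
        if (*key == '\0' || *key == '#' || strncmp(key, "lxc.cgroup.", 11) != 0)
            continue;
        char *eq = strchr(key, '=');
        if (!eq || count >= max) return -1;
        *eq = '\0';
        char *name = trim(key + 11);       /* subsystem after "lxc.cgroup." */
        if (*name == '\0') return -1;
        snprintf(out[count].subsystem, sizeof(out[count].subsystem), "%s", name);
        snprintf(out[count].value, sizeof(out[count].value), "%s", trim(eq + 1));
        count++;
    }
    return count;
}
```

Because entries are appended rather than keyed by subsystem name, two `devices.allow` lines survive as two entries in file order, which is what the single-file format needs.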