For veth and macvlan networks, this can look up the host address on the
bridge (link) interface and add a default route on the guest to that
address. This facilitates a typical setup where guests are bridged
together.
syntax:
lxc.ipv4.gateway = auto
lxc.ipv6.gateway = auto
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Daniel Lezcano [Thu, 11 Aug 2011 15:54:57 +0000 (17:54 +0200)]
lxc-ps : fix the container name search
We don't have to check for the cgroup namespace name because the
pid we are looking for is already in the list of containers owned by
lxc and retrieved from the abstract socket command name.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Serge E. Hallyn [Tue, 9 Aug 2011 14:51:01 +0000 (16:51 +0200)]
Silence lxc-unshare warning when removing cgroup
If ns cgroup is mounted, then when lxc-unshare runs, the kernel automatically
creates a new cgroup for the task. So lxc-unshare tries to delete it. But
if ns cgroup is not mounted, that cgroup does not get created, and now
lxc-unshare spits out an error.
Author: Serge Hallyn <serge.hallyn@canonical.com>
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/819319
Forwarded: no
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Serge E. Hallyn [Tue, 9 Aug 2011 14:51:01 +0000 (16:51 +0200)]
make lxc-netstat work when /etc/mtab is not /proc/mounts
Like lxc-ps and lxc-ls, lxc-netstat breaks if there is not an 'lxc' cgroup
mount and /etc/mtab is not a link to /proc/mounts.
Author: Serge Hallyn <serge.hallyn@canonical.com>
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/819319
Forwarded: no
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Serge E. Hallyn [Tue, 9 Aug 2011 14:51:01 +0000 (16:51 +0200)]
fix lxc-ls with mtab != /proc/mounts
The cgroup mounts created by cgroup-bin do not show up in /etc/mtab.
lxc-ls, as lxc-ps before it, assumes that /etc/mtab is symlinked to
/proc/mounts.
Author: Serge Hallyn <serge.hallyn@canonical.com>
Forwarded: no
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/819319
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Serge E. Hallyn [Sun, 7 Aug 2011 10:25:07 +0000 (12:25 +0200)]
Use container's /run/utmp if it exists
If /var/run is a symlink to /run in the container, then opening
/proc/<pid>/root/var/run/utmp will end up opening the host's utmp.
Therefore the hack detecting shutdown through utmp fails.
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
When '-b user' is specified to the lxc-ubuntu container creation template, do
not automatically add all the groups of which the user is a member on the host
to the user's groups in the container.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
lxc-ubuntu: don't put devpts in $confdir/container/fstab
src/lxc/conf.c will explicitly mount it anyway. Furthermore, the fstab
entry, which is getting processed first, did not specify -o newinstance.
This can cause the host's devpts entry mount options to change, as in
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/607636.
Note - I messed up. This was applied upstream, but I dropped it in
subsequent conversion to lxc-ubuntu template. It therefore needs to
be reapplied.
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
cgroups: support cgroups mounted in multiple places (v3)
(sorry for the extra traffic.)
With this patch, lxc works for me both with all cgroups mounted with
ns cgroup on /cgroup, and with libcgroup mounting all cgroups
separately.
To do this, instead of looking for one cgroup called 'lxc' or
otherwise taking the first cgroup we find, we actually create a
container in every mounted cgroup fs. Right now it's done under the
root of each fs. We may want to put that under lxc, or, better yet,
make that configurable.
Changelog:
Michael H. Warfield: Handle the case where subsystem doesn't have '.'.
Daniel Lezcano: clean up incorrect reentrant use of mntent helpers
v3: use the rest of Daniel's cleanups
TODO: add a configurable directory name, 'lxc' by default, under which
all lxc cgroups are created (i.e. /sys/fs/cgroup/lxc)
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Tested-by: Michael H. Warfield <mhw@WittsEnd.com>
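The mtab fixes for lxc-ls, lxc-ps and lxc-netstat above and this multiple-cgroup-mounts patch come down to the same question: which cgroup filesystems are actually mounted right now. The shell functions below are an added example, not code from the LXC project; they read the /proc/mounts line format directly instead of trusting /etc/mtab, list every cgroup mount point, and locate the hierarchy whose mount options name a given subsystem. The input is a constructed sample in /proc/mounts format, not a real system's mount table.

```shell
#!/bin/sh
# Added example, not LXC code: discover cgroup mounts from the /proc/mounts
# format instead of /etc/mtab. Each line of that format is:
#   device mountpoint fstype options dump pass

# Constructed sample: every subsystem mounted separately (as cgroup-bin /
# libcgroup does), plus unrelated filesystems that must be ignored.
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
cgroup /sys/fs/cgroup/cpu cgroup rw,relatime,cpu 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,relatime,memory 0 0
cgroup /sys/fs/cgroup/devices cgroup rw,relatime,devices,ns 0 0
tmpfs /run tmpfs rw,nosuid,noexec,relatime,size=102400k,mode=755 0 0'

# cgroup_mounts FILE: print the mount point of every cgroup filesystem,
# one per line, in mount order (field 3 is the filesystem type).
cgroup_mounts() {
    awk '$3 == "cgroup" { print $2 }' "$1"
}

# count_cgroup_mounts FILE: number of mounted cgroup filesystems.
count_cgroup_mounts() {
    awk '$3 == "cgroup" { n++ } END { print n + 0 }' "$1"
}

# cgroup_mount_for FILE SUBSYS: print the mount point whose comma-separated
# mount options (field 4) contain SUBSYS exactly; prints nothing if absent.
cgroup_mount_for() {
    awk -v subsys="$2" '$3 == "cgroup" {
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++)
            if (opts[i] == subsys) { print $2; exit }
    }' "$1"
}

# Stand-alone demo: write the sample where a real caller would pass
# /proc/mounts, then query it.
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_MOUNTS" > "$tmp"
    echo "cgroup filesystems mounted: $(count_cgroup_mounts "$tmp")"
    cgroup_mounts "$tmp" | sed 's/^/  /'
    echo "memory hierarchy: $(cgroup_mount_for "$tmp" memory)"
    echo "hierarchy with the ns option: $(cgroup_mount_for "$tmp" ns)"
    echo "cpuset hierarchy (absent): '$(cgroup_mount_for "$tmp" cpuset)'"
    rm -f "$tmp"
}

demo
```

Matching on the whole option token rather than with a substring search matters: an option like `cpuacct` would otherwise satisfy a search for `cpu`, and a tool that picks the wrong hierarchy will create or remove directories in the wrong place.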
The good news is, starting with next openSUSE release (and next SLES 11
Service Pack), patching /etc/init.d/boot won't be needed anymore for
LXC, we integrated detection of LXC (through container variable set to
lxc) in /etc/init.d/boot and /dev is no longer mounted automatically by
initscript.
Signed-off-by: Frederic Crozat <fcrozat@suse.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Serge Hallyn [Sat, 25 Jun 2011 13:17:47 +0000 (15:17 +0200)]
consolidate ubuntu templates
Consolidate lucid, maverick, natty, and oneiric templates into one 'ubuntu'
template.
Add support for specifying architecture.
Add support for '--trim|-x' option, which removes services like the lucid
template used to. This creates smaller, faster-booting containers, but they
will not be safe with certain upgrades, like mountall or udev. When -x is
not specified for a lucid or maverick container, then install lxcguest from
the ubuntu-virt ppa, since it does not exist in the official archives, and
the container is not safe to boot without lxcguest.
Add support for '--bindhome <user>' option, which will cause /home/<user>
to be bind-mounted into the container, and create the user with his
original password, shell, and group memberships in the container.
changelog:
june 23:
lxc-ubuntu template: set lxc.arch in config
install lxcguest when NOT trimming the container
lxc-ubuntu: always install lxcguest in postprocess
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Serge E. Hallyn [Thu, 23 Jun 2011 22:42:24 +0000 (00:42 +0200)]
Add lxc-clone script
Create an lxc-clone script to clone containers. It should probably
be factored into helpers and then enhanced, in particular to convert
between LVM and non-LVM containers, create non-snapshot LVM clones,
support loopback devices, and, when stable enough, to use
overlayfs, btrfs, etc.
But this is a start.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Daniel Lezcano [Thu, 2 Jun 2011 07:50:38 +0000 (09:50 +0200)]
set close-on-exec flag on command socket
When we accept a connection, we have to set the close-on-exec flag,
otherwise it won't be possible to reboot a container through an
lxc-console command.
Reported-by: Katoh Yasufumi <karma@jazz.email.ne.jp>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Cedric Le Goater [Fri, 20 May 2011 09:37:16 +0000 (11:37 +0200)]
lxc: don't install setns.h
'setns.h' is not an lxc interface.
Also, a side effect of declaring 'setns.h' among the lxc header
files is that it gets distributed in the lxc tarball. This breaks the
lxc-attach command because the file is not automatically generated at
compile time.
Signed-off-by: Cedric Le Goater <clg@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Daniel Lezcano [Fri, 13 May 2011 20:29:34 +0000 (22:29 +0200)]
ignore non-lxc configuration line
We ignore the lines in the configuration file not beginning with "lxc.",
so we can mix the configuration file with other information used by
another component through the lxc library.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Daniel Lezcano [Fri, 6 May 2011 23:33:33 +0000 (01:33 +0200)]
templates: don't put devpts in $confdir/container/fstab
src/lxc/conf.c will explicitly mount it anyway. Furthermore, the fstab
entry, which is getting processed first, did not specify -o newinstance.
This can cause the host's devpts entry mount options to change, as in
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/607636.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Serge E. Hallyn [Fri, 6 May 2011 23:33:33 +0000 (01:33 +0200)]
templates: don't put devpts in $confdir/container/fstab
src/lxc/conf.c will explicitly mount it anyway. Furthermore, the fstab
entry, which is getting processed first, did not specify -o newinstance.
This can cause the host's devpts entry mount options to change, as in
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/607636.
I believe the lenny, fedora, and debian templates also will need an
update.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Greg Kurz [Wed, 6 Apr 2011 11:41:44 +0000 (13:41 +0200)]
lxc: default log appender on stderr
The default appender for logs is currently the file one: this
makes macros from log.h unusable as long as lxc_log_init() hasn't
been called. This prevents errors from even being printed on
stderr in lxc_caps_init() for example.
Let's make stderr the default appender.
Signed-off-by: Greg Kurz <gkurz@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Michel Normand [Tue, 15 Mar 2011 19:19:07 +0000 (20:19 +0100)]
lxc-* tools are vulnerable to arguments with spaces
this is related to the bug
http://sourceforge.net/tracker/?func=detail&aid=3113612&group_id=163076&atid=826303
that suggested to modify bash lxc script to properly use "$@" in place of "$*"
Signed-off-by: Michel Normand <michel.mno@free.fr>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
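To show the failure this commit addresses, here is an added shell example (not LXC's own scripts): three wrappers forward their arguments to a stand-in command, and only the one using "$@" hands it the same argument list the caller gave. The wrapper and helper names, and the container name and path with spaces, are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the LXC scripts: how a wrapper script that
# forwards its arguments behaves when an argument contains a space.
# count_args and first_arg stand in for the real command being wrapped.

count_args() { printf '%s\n' "$#"; }       # how many arguments arrived
first_arg()  { printf '%s\n' "$1"; }       # what the first one looked like

# Unquoted $*: the shell re-splits every argument on whitespace, so
# "my container" arrives as the two arguments "my" and "container".
forward_unquoted_star() { count_args $*; }
first_unquoted_star()   { first_arg $*; }

# Quoted "$*": all arguments are joined into one word separated by spaces,
# so the wrapped command sees a single argument however many were passed.
forward_quoted_star() { count_args "$*"; }

# Quoted "$@": each argument is passed through as its own word, unchanged.
forward_quoted_at() { count_args "$@"; }
first_quoted_at()   { first_arg "$@"; }

# Stand-alone demonstration with a constructed container name and config
# path that both contain spaces.
demo() {
    set -- "my container" -f "/tmp/conf dir/config"
    printf 'caller passed %s arguments\n' "$#"
    printf '$*  unquoted -> %s arguments, first is "%s"\n' \
        "$(forward_unquoted_star "$@")" "$(first_unquoted_star "$@")"
    printf '"$*" quoted  -> %s argument(s)\n' "$(forward_quoted_star "$@")"
    printf '"$@" quoted  -> %s arguments, first is "%s"\n' \
        "$(forward_quoted_at "$@")" "$(first_quoted_at "$@")"
}

demo
```

The same rule applies to every intermediate layer: a wrapper that gets it right but calls a second wrapper using $* loses the argument boundaries there instead, so each script in the chain has to use "$@".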
lxc_cgroup_path_get currently caches the cgroup mount point plus the
container name at the same time, making every call of the function
return the same value.
It means that actually every call to lxc_cgroup_get with a different
container name will in fact use the same container name as used for
the primary call.
I join a patch to fix that, still doing some caching, but only caching
the cgroup mount point this time. This patch actually works for me, as
I am using the liblxc for retrieving statistics about all running
containers, using lxc_cgroup_get to retrieve every interesting value.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Jan Niehusmann [Sat, 26 Feb 2011 09:18:19 +0000 (10:18 +0100)]
Update file capa detection for kernels >=2.6.37
The comment containing the version number at the beginning of the kernel
config file changed its format with 2.6.37. This trivial patch makes the
grep less specific, so it triggers for both formats.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Daniel Lezcano [Thu, 27 Jan 2011 23:24:54 +0000 (00:24 +0100)]
Fix paths in the lxc-busybox template
Author of the patch : Jonathan Liu <???> posted as a bug fix on the lxc
sourceforge website.
OS: Arch Linux 32-bit
/etc/init.d/rcS does not use full paths to the syslogd, mount and udhcpc executables.
As busybox requires /proc mounted if CONFIG_BUSYBOX_EXEC_PATH="/proc/self/exe"
to run these commands without full path, the full path should be used in the
startup script as /proc is mounted later in the script.
It also fails to start the machine if /lib64 does not exist on the host system
as there is a mount entry for /lib64 in the config.
The attached patch changes commands in /etc/init.d/rcS to use full path and
adds a check for /lib64 on host before adding lib64 mount entries to config.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
# /dev/console - getty
#
# This service maintains a getty on /dev/console from the point the
# system is started until it is shut down again.
# It only runs in lxc containers.
start on stopped rc RUNLEVEL=[2345]
stop on runlevel [!2345]
Daniel Lezcano [Sun, 23 Jan 2011 20:47:12 +0000 (21:47 +0100)]
suppress udev log output
We use udev within these containers and we prevent the /dev files
from being created with the cgroup whitelist. So when udevd receives
the event from the kernel, it will fail to create some nodes in /dev
and will spit errors on the console.
We set the log level to zero, so udev will silently fail.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Serge Hallyn [Sat, 22 Jan 2011 20:59:40 +0000 (21:59 +0100)]
Update ubuntu templates
Rename 'ubuntu' template to 'lucid'
Add new maverick and natty templates, which do much less tweaking
of the environment. These should only be used on a kernel which
supports sysfs tagging for /sys/class/net, as udev will be running
in the container.
The natty template needed to slightly change the installed packages
for dhclient to be correctly installed.
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Reto Gantenbein [Mon, 17 Jan 2011 23:45:17 +0000 (00:45 +0100)]
Adds correct file capa detection for >2.6.32
The kernel compile parameter was removed with kernel release 2.6.33.
Since then file capabilities are enabled by default.
kernel commit: b3a222e52e4d4be77cc4520a57af1a4a0d8222d1
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Daniel Lezcano [Mon, 17 Jan 2011 09:18:50 +0000 (10:18 +0100)]
set veth host's side always up
We should always have the veth host's side up, otherwise if we omit
the up flag in the configuration, letting the container configure
its interface, the network will never be enabled as the host's side
is not up.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Joerg Gollnick [Sun, 16 Jan 2011 18:40:46 +0000 (19:40 +0100)]
Fix mntflags initialization
Dear all,
while setting up a container on x86_64 (archlinux host/guest) I had trouble
with mounting dev/pts and others from container.fstab, and an ssh login does not
work (only ssh container bash -i gives you a shell).
The cause is that conf.c does not initialize mntflags.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Daniel Lezcano [Thu, 13 Jan 2011 15:25:14 +0000 (16:25 +0100)]
substitute the absolute rootfs mount path
Change the mount point in the rootfs because we mount the rootfs
in ROOTFSDIR for the pivot. We have to substitute the real mount
path to the new path located in ROOTFSDIR.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Daniel Lezcano [Sun, 9 Jan 2011 22:53:19 +0000 (23:53 +0100)]
fix the ns_cgroup vs clone_children
The following patch fixes the bug where the clone_children compatibility
flag is available with the ns_cgroup subsystem. The 2.6.37 kernel version
should be the only one which is concerned by this modification, please
refer to Documentation/feature-removal-schedule.txt and look for ns_cgroup.
The problem comes from the fact that we check for clone_children, set it
automatically and then try to create a new cgroup. As the
ns_cgroup is present the cgroup already exists and we are not allowed
to attach our pid to a new cgroup. The next error will be when we try
to create a new container because we enabled the clone_children flag
and the ns_cgroup is present, which is not allowed by the kernel.
The patch fixes this by checking the mount options.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>