Stéphane Graber [Thu, 27 Feb 2014 20:46:23 +0000 (15:46 -0500)]
lxc-download: Ignore return code from subshell
The previous change fixed parsing of multiple uid/gid ranges by using a
while loop, however a failure in that loop will cause the script to exit
(due to -e), so we need to ignore the return value of the commands
inside that loop.
Dwight Engen [Wed, 26 Feb 2014 18:54:58 +0000 (13:54 -0500)]
fix attach when cgroups mounted after container start
When booting an OL7 container on OL6, systemd in the OL7 container mounted
some extra cgroup controllers, which are then present in /proc/self/cgroups
of every task on the host. This is the list used by attach to determine
which cgroups to move the attached task into, but when it asks the container
over the command interface for the path to the subsystem this will fail
since the controller didn't exist when the container was first started.
Instead of failing, this change allows the attach to continue, warning that
those cgroups that could not be found won't be attached to.
The problem can be more simply reproduced by starting a busybox container,
mounting a cgroup that was not previously mounted, and then attempting
to attach to the busybox container.
The problem will likely not manifest with cgmanager since it only requests
the path for the first controller, which is likely to always be mounted.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Stéphane Graber [Wed, 26 Feb 2014 19:15:27 +0000 (14:15 -0500)]
lxc-download: Detect unpriv created by real root
This adds yet another case in the in_userns function detecting the case
where an unprivileged container is created by the real uid 0, in which
case we want to share the system wide cache but still use the
unprivileged templates and unpack method.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Stéphane Graber [Wed, 26 Feb 2014 00:15:28 +0000 (19:15 -0500)]
upstart: Don't forward requests for LXC_DOMAIN
Without this change, a request to *.LXC_DOMAIN that doesn't get a local
result from dnsmasq will be forwarded to its upstream server with the
potential of a loop.
Thanks to Ed for the patch on Launchpad (LP: #1246094).
Reported-by: Ed Swierk
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Stéphane Graber [Tue, 25 Feb 2014 20:50:44 +0000 (15:50 -0500)]
python3: Add support for wlan device add
With this change it's now possible to add wlan devices to the container.
This will track down the right phy device, move it to the right
namespace (we don't care about its name), then if the user asked for a
new device name for the actual interface, we attach to the container and
rename the interface in there using attach.
I have tested this to work with both Intel and Atheros NICs.
This patch is based on the one provided to lxc-devel by Gregor Beck and
has then been updated to do the device renaming as well as minor code
style changes. Thanks!
Reported-by: Gregor Beck <gbeck@sernet.de>
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Serge Hallyn [Tue, 25 Feb 2014 05:08:26 +0000 (23:08 -0600)]
always check whether rootfs is shared
(this expands on Dwight's recent patch, commit c597baa8f9)
After unshare(CLONE_NEWNS) and before doing any mounting, always
check whether rootfs is shared. Otherwise template runs or clone
scripts can bleed mount activity to the host.
Serge Hallyn [Fri, 21 Feb 2014 20:36:06 +0000 (14:36 -0600)]
add dir support
It used to be supported with the lxc-create.in script, and
the manpage says it's supported... So let's just support it.
Now
sudo lxc-create -t download --dir /opt/ab -n ab
works, creating the container rootfs under /opt/ab. This
generally isn't something I'd recommend, however telling users
to use a different lxc-path isn't as friendly as I'd like,
because each lxcpath requires separate lxc-ls and lxc-autostart
runs.
Dwight Engen [Wed, 19 Feb 2014 21:44:19 +0000 (16:44 -0500)]
fix mounts not propagating back to root mntns during create and clone
Systems based on systemd mount the root shared by default. We don't want
mounts done during creation by templates nor those done internally by
bdev during rsync based clones to propagate to the root mntns.
The create case already had the right check, but the mount call was
missing "/", so it was failing.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
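The propagation check that this message and Serge's "always check whether rootfs is shared" above describe, written out as an added illustration rather than LXC's own code: parse /proc/self/mountinfo for a "/" entry carrying a "shared:" peer group, and after unshare(CLONE_NEWNS) remount "/" recursively slave so template or clone mounts cannot bleed back to the host. The sample mountinfo lines are constructed, and the function names and the choice of MS_SLAVE (MS_PRIVATE would also stop propagation) are this example's assumptions.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>

/* Constructed /proc/self/mountinfo samples (not captured from a real host); field 5 is the mount point. */
static const char *MI_SHARED_ROOT = "22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw\n";
static const char *MI_PRIVATE_ROOT =
    "22 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw\n"
    "23 22 0:5 / /proc rw,nosuid shared:12 - proc proc rw\n";   /* only a sub-mount is shared */
static const char *MI_SLAVE_ROOT = "22 1 8:1 / / rw,relatime master:1 - ext4 /dev/sda1 rw\n";

/* Return 1 if the mountinfo text lists "/" with "shared:" propagation, else 0. */
int rootfs_is_shared(const char *mountinfo)
{
    const char *line = mountinfo;
    while (*line) {
        const char *end = strchr(line, '\n');
        const char *sep = strstr(line, " - ");            /* " - " ends the optional fields */
        char mp[64] = "";
        int off = 0;
        sscanf(line, "%*s %*s %*s %*s %63s %*s%n", mp, &off); /* mp = mount point, off = after options */
        if (strcmp(mp, "/") == 0 && sep && (!end || sep < end)) {
            const char *opt = strstr(line + off, " shared:");
            if (opt && opt < sep)                          /* "shared:N" sits before the separator */
                return 1;
        }
        if (!end)
            break;
        line = end + 1;
    }
    return 0;
}

/* What create/clone needs before touching any mount: a fresh mount namespace, and if "/"
 * is shared, mark it recursively slave so events here no longer reach the host.
 * Needs CAP_SYS_ADMIN; returns 0 on success, -1 on error. */
int isolate_mountns(void)
{
    char text[65536] = "";
    FILE *f = fopen("/proc/self/mountinfo", "r");
    if (f) { text[fread(text, 1, sizeof(text) - 1, f)] = '\0'; fclose(f); }
    if (unshare(CLONE_NEWNS) < 0)
        return -1;
    /* The "/" argument is exactly what the commit above says was missing from the mount call. */
    if (rootfs_is_shared(text) && mount(NULL, "/", NULL, MS_REC | MS_SLAVE, NULL) < 0)
        return -1;
    return 0;
}
```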
Stéphane Graber [Tue, 18 Feb 2014 22:33:51 +0000 (17:33 -0500)]
Set a reasonable fallback for get_rundir
If get_rundir can't find XDG_RUNTIME_DIR in the environment, it'll
attempt to build a path using ~/.cache/lxc/run/. Should that fail
because of missing $HOME in the environment, it'll then return NULL and
all callers will fail in that case.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Serge Hallyn [Tue, 18 Feb 2014 21:12:52 +0000 (15:12 -0600)]
Fix unprivileged networking
If we are unprivileged and have asked for a veth device, then create
a pipe over which to pass the veth names.
Network-related todos:
1. set mtu on the container side of veth device
2. set mtu in lxc-user-nic. Note that this probably requires an
update to the /etc/lxc/lxc-usernet file :(
Serge Hallyn [Tue, 18 Feb 2014 21:01:38 +0000 (15:01 -0600)]
cache whether 'optional' was in mntopts
after commit 4e4ca16158f91ac1271495638a4e62881169474e we are
checking for optional in mntopts after we forcibly remove it.
Cache whether we had it before removing it.
Serge Hallyn [Mon, 17 Feb 2014 18:47:35 +0000 (12:47 -0600)]
attach: try to use the container's seccomp policy
We can't get the actual policy (in the case where the policy file
has changed) from the container, but at least we can use the
seccomp policy file listed in the container config file.
(If anyone wants to further improve this, it may be better to get
the seccomp policy over the cmd api; not sure that's what we want,
and this seems simpler to hook into the existing code, so I went
this way for now)
Stéphane Graber [Mon, 17 Feb 2014 15:51:53 +0000 (10:51 -0500)]
download: Support nested containers in unpriv
This adds detection for the case where we are root in an unprivileged
container and then run LXC from there. In this case, we want to download
to the system location, ignore the missing uid/gid ranges and run
templates that are userns-ready.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
S.Çağlar Onur [Sun, 16 Feb 2014 21:20:48 +0000 (16:20 -0500)]
fill missing netdev fields for unprivileged containers
lxc-user-nic now returns the names of the interfaces and
unpriv_assign_nic function parses that information to fill
missing netdev->veth_attr.pair and netdev->name.
With this patch get_running_config_item started to provide
correct information.
Dwight Engen [Thu, 13 Feb 2014 21:13:03 +0000 (16:13 -0500)]
create fd, stdin, stdout, stderr symlinks in /dev
The kernel's Documentation/devices.txt says that these symlinks should
exist in /dev (they are listed in the "Compulsory" section). I'm not
currently adding nfsd and X0R since they are required for iBCS, but
they can be easily added to the array later if need be.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Michael H. Warfield <mhw@WittsEnd.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Stéphane Graber [Thu, 13 Feb 2014 17:42:21 +0000 (12:42 -0500)]
lxc-start-ephemeral: Use attach
With this change, systems that support it will use attach to run any
provided command.
This doesn't change the default behaviour of attaching to tty1, but it
does make it much easier to script or even get a quick shell with:
lxc-start-ephemeral -o p1 -n p2 -- /bin/bash
I'm doing the setgid,initgroups,setuid,setenv magic in python rather
than using the attach_wait parameters as I need access to the pwd module
in the target namespace to grab the required information.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Stéphane Graber [Thu, 13 Feb 2014 16:17:48 +0000 (11:17 -0500)]
coverity: Do chdir following chroot
We used to do chdir(path), chroot(path). That's correct but not properly
handled by coverity, so do chroot(path), chdir("/") instead as that's the
recommended way.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Serge Hallyn [Thu, 13 Feb 2014 06:52:52 +0000 (00:52 -0600)]
overlayfs_clonepaths: if unpriv then rsync in a userns
This allows lxc-snapshot and lxc-clone -s from an overlayfs container
to work unprivileged. (lxc-clone -s from a directory backed container
already did work)
Stéphane Graber [Wed, 12 Feb 2014 22:46:06 +0000 (17:46 -0500)]
Fix some configure.ac issues
- Run on distro without lsb_release
- Don't try and interpret with_runtime_path as a command
- Don't print stuff on screen while in the middle of a check
Stéphane Graber [Wed, 12 Feb 2014 22:30:12 +0000 (17:30 -0500)]
travis: Build using the daily PPA
Now that we depend on seccomp2, the backport currently in precise is too
old to allow for a successful build, so instead use ppa:ubuntu-lxc/daily
which contains recent versions of all needed build-dependencies.