Chris Glass [Thu, 9 Jan 2014 16:40:12 +0000 (16:40 +0000)]
Make ubuntu templates squid-deb-proxy-client aware
This makes the ubuntu and ubuntu-cloud templates automatically aware of apt
proxy settings when the LXC host has "squid-deb-proxy-client" installed. This
makes installations *much* faster when a suitable squid-deb-proxy is
found on the network (or installed on the host).
Signed-off-by: Chris Glass <tribaal@gmail.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Stéphane Graber [Tue, 14 Jan 2014 20:02:42 +0000 (15:02 -0500)]
download: Improve cache handling
This adds a new --force-cache parameter which will force use of the
cache even for expired images.
An expired image is now only flushed from the cache once a new one is
successfuly downloaded (to avoid destroying the local cache when the
host doesn't have internet connectivity).
The ID of the build in cache is also tracked so that we don't
re-download something we already have (should only happen if we don't
have a new build published by the time the previous one expires).
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Stéphane Graber [Tue, 14 Jan 2014 19:12:33 +0000 (14:12 -0500)]
download: Don't use an hardcoded exclude list
Instead of hardcoding --exclude=./dev/*, use a new metadata file
"excludes" which lists all the paths or patterns to exclude during
extraction (one per line).
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Serge Hallyn [Mon, 13 Jan 2014 21:26:49 +0000 (15:26 -0600)]
cgroup: move all some functions into cgroup.h
Some functions which wanted to know about cgroup paths were located
in other files. Move them into cgroup.c, so that all knowledge of
the cgroup backend can be colocated.
Serge Hallyn [Mon, 13 Jan 2014 16:02:29 +0000 (10:02 -0600)]
This change introduce mac address templating.
By setting lxc.network.hwaddr to something like fe:xx:xx:xx:xx:xx each
"x" will be replaced by a random value. If less significant bit of
first byte is "templated", it will be set to 0.
This change introduce also a common randinit() function that could be
used to initialize random generator.
Serge Hallyn [Mon, 13 Jan 2014 02:45:00 +0000 (20:45 -0600)]
introduce lxc-unpriv test
It simply creates a test user and tries to create and start
a container as that user. Tries to lxc-attach to that
container to test network connectivity.
Dwight Engen [Thu, 9 Jan 2014 20:36:13 +0000 (15:36 -0500)]
ensure all config items are duplicated on clone/write_config
Since previously I had found a config item that wasn't being propagated
by lxc-clone, I went through all the config items and made sure that:
a) Each item is documented in lxc.conf
b) Each item is written out by write_config
The only one that isn't is lxc.include, which by its nature only pulls
in other config item types.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Serge Hallyn [Sat, 11 Jan 2014 06:14:26 +0000 (00:14 -0600)]
cgroup: recursively delete cgroups when asked
Currently when a container is shut down, lxc walks the set of all
cgroup paths it created, in reverse order, and tries to remove them.
This doesn't suffice if the container has also created new cgroups.
It'd be impolite to recursively remove all the cgroup paths we created,
since this can include '/lxc' and thereunder all other containers
started since.
This patch changes container shutdown to only delete the container's own
path, but do so recursively. Note that if we fail during startup,
the container won't have created any cgroup paths so it the old
way works fine.
Stéphane Graber [Fri, 10 Jan 2014 22:28:07 +0000 (17:28 -0500)]
download: Initial template
This adds a new template called "download". It's a fairly simple
template with a minimal set of dependency which will grab any pre-built
image available on https://images.linuxcontainers.org
Note that the serverside is still work in progress (missing SSL support).
Access is done over https by default with a warning being emitted if
fallback to http was required (may be needed for testing, when behind
proxy and with private servers). All index files and tarballs are
gpg-signed with the default pubkeyid contained in the template itself.
The main benefit of this template is to be entirely
distribution-agnostic, any template that can be integrated with the
server build infrastructure will then work on any LXC machine when using
the download template. This template is also compatible with user
namespaces and will hopefully help widden the number of distros that may
work in unprivileged LXC.
This commit also bundles a small change to the template configs to have
the ubuntu template (used by the download template) to work with
unprivileged LXC.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Serge Hallyn [Sat, 11 Jan 2014 03:48:30 +0000 (21:48 -0600)]
Fix bug in preserve_ns
If /proc/self/ns does not exist, then preserve_ns was failing to
initialize the saved_ns[i] to -1. This caused attach_ns() to try
and attach, and of course fail.
Initialize the saved ns values before returning an error.
The return values of preserve_ns and attach_ns were also being
ignored. Honor them.
Stéphane Graber [Thu, 9 Jan 2014 22:31:52 +0000 (17:31 -0500)]
Re-organize API for global lxc.conf config
Instead of having one function for each possible key in lxc.conf which
doesn't really scale and requires an API update for every new key,
switch to a generic lxc_get_global_config_item() function which takes a
key name as argument.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Stephen Ayotte [Thu, 2 Jan 2014 19:30:26 +0000 (14:30 -0500)]
Support large bdevs on 32-bit; MB units by default.
Change all instances of "unsigned long" where referring to a bdev size
to uint64_t; this fixes some overflows on 32-bit machines, where
"unsigned long" is uint32_t. Support all unit-sizes supported by LVM
except 's' and 'e' [bkmgt]. Print a warning and use default bdev-size if
invalid unit-size specified.
Signed-off-by: Stephen Ayotte <stephen.ayotte@gmail.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>
KATOH Yasufumi [Mon, 6 Jan 2014 09:05:39 +0000 (18:05 +0900)]
doc: Update man pages to the latest information
* lxc-attach(1): Update to the status of kernel 3.8 or higher
* lxc-create(1), lxc-destroy(1): Now lxc-ls don't have "-l" option, so remove
* lxc(7): update description of lxc-ls and lxc-info to current version
* see-also: fix lxc(1) to lxc(7)
S.Çağlar Onur [Sat, 4 Jan 2014 05:00:04 +0000 (00:00 -0500)]
check pthread_atfork and thread-local storage
Add pthread_atfork check to configure.ac and uses it when necessary,
Introduces tls.m4 macro for checking thread-local storage support, Puts
values array into thread-local storage
(lxc_global_config_value@src/lxc/utils.c), Removes
static_lock/static_unlock from LXC code.
Lastly, it introduces a warning for bionic users about multithreaded
usage of LXC.
Dwight Engen [Tue, 31 Dec 2013 19:21:55 +0000 (14:21 -0500)]
add lxc-autostart support for sysv init systems
This change updates the way init scripts get installed so that more
than one init system can be supported. Instead of installing the
systemd service file from the spec file, it should be installed at
make install time, so that someone compiling from source also gets
the unit file installed.
Update the plamo template to use a lock file not named just
/var/lock/subsys/lxc since the presence of that file is used by
sysv init rc file to know if it should run the K01lxc script. This
also makes it consistent with the other templates which use
/var/lock/subsys/lxc-$template-name.
Serge Hallyn [Wed, 1 Jan 2014 19:43:35 +0000 (13:43 -0600)]
snapshot: enforce keeping same backing store type (v2)
Stéphane noticed that lxc-snapshot of a dir-backed container
created an overlayfs container. The expectation is that the
user can continue to modify the original container and later make
a new snapshot, but this doesn't work with the existing behavior -
the overlayfs clone will end up with the modified contents.
So add a 'LXC_CLONE_KEEPBDEVTYPE' flag, which c->snapshot()
passes to c->clone().
Also add a LXC_CLONE_MAYBE_SNAPSHOT. If this is set and a
backing store does not support snapshotting, then proceed with
a copy clone.
Dwight Engen [Tue, 31 Dec 2013 19:21:49 +0000 (14:21 -0500)]
change lxc-autostart shutdown to behave like lxc-stop
It is desirable to have a mode where a soft shutdown is requested,
but then do a hard shutdown if after some time period the container
has not shut down. This the default behaviour of lxc-stop, but is
not currently possible with lxc-autostart. This change makes this
the default behaviour when shutdown is specified to lxc-autostart.
This will be very useful for init scripts.
An indefinte wait for soft shutdown (though I'm not sure how that
would be useful) is still possible by passing a timeout of 0.
Change default timeout value to 60 seconds to match lxc-stop
Additional logic for dealing with container shutdown / reboot
Additional logic for dealing with container shutdown / reboot
Fix a problem with CentOS containers and legacy Fedora (<16) containers
not shutting down or rebooting properly. Copy /etc/init.d/halt to
/etc/init.d/lxc-halt, deleting everything from the "hwclock save" and
all after and append a force halt or reboot at the end of the new
script, to prevent reexecing init. Link that script in as
S00lxc-halt in rc0.d and S00lxc-reboot in rc6.d to intercept the
shutdown process before it gets to S01halt / S01reboot causing the hang.
Fixed some typos in the CentOS template that were introduced in the
previous patch for hwaddr settings and missed in regression testing.
Cleaned up some instruction typos and tabs from previous patch.
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Andrey Mazo [Tue, 24 Dec 2013 17:08:13 +0000 (21:08 +0400)]
Mark functions as static and arguments/arrays as const where possible
Mark most of functions that are used within only one file as static.
After 95ee490bbdb97ab2b4f1dfa63a0a26e0dd1c2f17 it's easy to prove they
are not in public API.
Several arrays and structs are also marked static.
This prevents them from being exported from liblxc.so
Serge Hallyn [Thu, 2 Jan 2014 15:40:16 +0000 (09:40 -0600)]
Revert "Use pthread_atfork() to unlock mutexes after fork()"
This reverts commit 84e9e197933e601b66480da578b92630ebedfc72, because
it breaks bionic builds. The patch is desirable so hopefully we can
come up with a solution or alternate patch soon.
KATOH Yasufumi [Fri, 27 Dec 2013 16:35:22 +0000 (01:35 +0900)]
doc: Improve Japanese man pages
* Improve Japanese translation
* Fix mis-translation
* Insert linefeed between paragraph, because some paragraph is too
long, so sometimes git send-email could not use.
Fix version checking and deal with pam_loginuid in CentOS template.
This deals with a reported issue when running and building containers
on a CentOS host system.
Fixed various typos in version checking when running on a CentOS system.
Added logic for differences between point releases (6.5) and rolling (6).
Added version detection logic when running on RHEL systems as well.
Fixed cpe detection string (CentOS is not adhering to their own registration).
Added logic to disable the pam_loginuid.so binary in containers.
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Andrey Mazo [Tue, 24 Dec 2013 17:08:14 +0000 (21:08 +0400)]
Remove unused functions
After 95ee490bbdb97ab2b4f1dfa63a0a26e0dd1c2f17 they are not in public
API and are not used throughout the lxc codebase.
This has a bonus of removing workaround for bionic.
Signed-off-by: Andrey Mazo <mazo@telum.ru> Acked-by: Stéphane Graber <stgraber@ubuntu.com>
S.Çağlar Onur [Tue, 24 Dec 2013 19:04:10 +0000 (14:04 -0500)]
add travis-ci support to LXC github repo (v2)
Travis is a free hosted CI platform for the open source community. It integrates
well with github and enables continous builds/tests for both repository itself
and all the pull requests so that one can quickly see the result of the possible
merge.
This yml file is one of the few required steps to enable travis-ci support for
LXC github repo. One of you guys still need to sign in travis-ci through GitHub OAuth
and enable travis support from its profile page https://travis-ci.org/profile
As an example https://travis-ci.org/caglar10ur/lxc-upstream/builds/15872074 can be seen
changes since v1;
- All external dependencies are now innstalled via before_install section
- Dropped all configure flags as Stéphane suggested
Andrey Mazo [Tue, 24 Dec 2013 10:44:53 +0000 (14:44 +0400)]
Remove process_lock() except where actually needed
Functions like open(), close(), socket(), socketpair(), pipe() and mkdir()
are generally thin wrappers around kernel-provided system calls.
It's the kernel not libc, who ensures race-free handling of file
descriptors.
Thus locking around these functions is unnecessary even on somewhat buggy libcs.
fopen(), fclose() and other stdio functions may maintain internal lists
of open file handles and thus can be prone to race-conditions.
Hopefully, most libcs utilize proper locking or other ways to ensure
thread-safety of these functions.
Bionic used to have non-thread-safe stdio [2] but that must be fixed
since android 4.3 [3, 4].
S.Çağlar Onur showed [1] that openpty() (because of nsswitch) is not thread-safe though.
So we workaround it by protecting openpty() calls with process_lock()/process_unlock().
Because of the need to guard openpty() with process_lock()/process_unlock(),
process_unlock() is still used after fork().
KATOH Yasufumi [Tue, 24 Dec 2013 06:56:23 +0000 (15:56 +0900)]
doc: Fix the description of -n option in lxc-info(1)
Commit 5444216 revised -n option from allowing to specify multiple
containers using regex to specifying only one container. But
lxc-info(1) remains original. so
- mark -n required
- remove the description of -n that is included in common options
Serge Hallyn [Mon, 23 Dec 2013 16:23:38 +0000 (10:23 -0600)]
lxc-stop: don't set timeout if user requested -s
A timeout means wait this long before killing the container.
-s means don't kill the container. timeout defaults to 60
seconds. So if a shutdown is requested, then set timeout to
0.
Stéphane Graber [Fri, 20 Dec 2013 13:28:32 +0000 (14:28 +0100)]
Set default paths for unprivileged use (v2)
When running unprivileged (euid != 0), LXC will now use the following paths:
- Default lxc path: ~/.local/share/lxc/
- Default config path: ~/.config/lxc/lxc.conf
Those two paths are based on standard XDG paths (though ignoring all the
possible override paths for now at least) and so probably don't need to
be configurable at build time.
Serge Hallyn [Thu, 19 Dec 2013 21:33:22 +0000 (15:33 -0600)]
conf.c: fix unprivileged network case
If unprivileged users are using a veth nic, then ifindex is still 0
at lxc_assign_network() (because lxc_create_network() was skipped).
So check for that case before we use lxc->ifindex to decide if we
have an empty network namespace.
We probably should change the !netdev->ifindex check to a
netdev->type == LXC_NET_EMPTY check, but I've been making enough
mistakes today not to risk that.
Serge Hallyn [Thu, 19 Dec 2013 21:18:24 +0000 (15:18 -0600)]
cgroup: don't set clone_children when it is already 1
In particular, if it's already 1, and we can't change it, we currently
fail out. That's silly.
I was going to just always continue, but if clone_children is not 1,
then the container *will* fail to start later on, so I'd rather stop
earlier on so the original cause doesn't get lost in the noise.
Stéphane Graber [Mon, 16 Dec 2013 20:32:47 +0000 (15:32 -0500)]
Add lxc-autostart
This introduces a new lxc-autostart binary (and associated manpage)
which will let you start/shutdown/kill/restart any container that's
marked as lxc.start.auto=1. It respects the lxc.start.delay value,
sorts by lxc.start.order and filters by lxc.group.
By default it'll affect all containers that DO NOT have lxc.group
set. If -g is specified, ONLY containers in those group will be
affected. To have a command applied to all containers, the -a
argument can be used.
A -L flag is also offered for distributions wishing to start the
containers themselves while still using LXC's calculated order and
wait delays. Instead of performing the action, it'll print the container
name and (if relevant for the action) the wait time.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Serge Hallyn [Thu, 19 Dec 2013 19:59:30 +0000 (13:59 -0600)]
fix lxc-usernsexec regression
In what should have been a straightforward fix for a bug found by
priority, I sent 1 instead of '1' from parent to child, while the
child checked for '1'. Fix.
S.Çağlar Onur [Thu, 19 Dec 2013 05:08:51 +0000 (00:08 -0500)]
remove static_lock()/static_unlock() and start to use thread local storage (v2)
While testing https://github.com/lxc/lxc/pull/106, I found that concurrent starts
are hanging time to time. I then reproduced the same problem in master and got following;
[caglar@oOo:~] sudo gdb -p 16221
(gdb) bt
#0 __lll_lock_wait () at ../nptl/sysdeps/unix/sysv/linux/x86_64/lowlevellock.S:135
#1 0x00007f495526515c in _L_lock_982 () from /lib/x86_64-linux-gnu/libpthread.so.0
#2 0x00007f4955264fab in __GI___pthread_mutex_lock (mutex=0x7f49556d4600 <static_mutex>) at pthread_mutex_lock.c:64
#3 0x00007f49554b27a6 in lock_mutex (l=l@entry=0x7f49556d4600 <static_mutex>) at lxclock.c:78
#4 0x00007f49554b2dac in static_lock () at lxclock.c:330
#5 0x00007f4955498f71 in lxc_global_config_value (option_name=option_name@entry=0x7f49554c02cf "cgroup.use") at utils.c:273
#6 0x00007f495549926c in default_cgroup_use () at utils.c:366
#7 0x00007f49554953bd in lxc_cgroup_load_meta () at cgroup.c:94
#8 0x00007f495548debc in lxc_spawn (handler=handler@entry=0x7f49200af300) at start.c:783
#9 0x00007f495548e7a7 in __lxc_start (name=name@entry=0x7f49200b48a0 "lxc-test-concurrent-4", conf=conf@entry=0x7f49200b2030, ops=ops@entry=0x7f49556d3900 <start_ops>, data=data@entry=0x7f495487db90,
lxcpath=lxcpath@entry=0x7f49200b2010 "/var/lib/lxc") at start.c:951
#10 0x00007f495548eb9c in lxc_start (name=0x7f49200b48a0 "lxc-test-concurrent-4", argv=argv@entry=0x7f495487dbe0, conf=conf@entry=0x7f49200b2030, lxcpath=0x7f49200b2010 "/var/lib/lxc") at start.c:1048
#11 0x00007f49554b68f1 in lxcapi_start (c=0x7f49200b1dd0, useinit=<optimized out>, argv=0x7f495487dbe0) at lxccontainer.c:648
#12 0x0000000000401317 in do_function (arguments=0x1aa80b0) at concurrent.c:94
#13 0x0000000000401499 in concurrent (arguments=<optimized out>) at concurrent.c:130
#14 0x00007f4955262f6e in start_thread (arg=0x7f495487e700) at pthread_create.c:311
#15 0x00007f4954f8d9cd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113
It looks like both parent and child end up with locked mutex thus deadlocks.
I ended up placing values in the thread local storage pool, instead of doing "unlock the lock in the child" dance
Signed-off-by: S.Çağlar Onur <caglar@10ur.org> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
projects / mirror_lxc.git / log