pve-container.git
3 days agobump version to 3.0-4 master
Thomas Lamprecht [Fri, 19 Jul 2019 14:05:10 +0000 (16:05 +0200)]
bump version to 3.0-4

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
3 days agodebian: bump compat to 12 and don't restart container.slice
Thomas Lamprecht [Fri, 19 Jul 2019 13:42:13 +0000 (15:42 +0200)]
debian: bump compat to 12 and don't restart container.slice

since compat 10 the restart is default, as I want to use
'dh_installsystemd' (vs 'dh_systemd_start') I need at least compat
level 11, so go for the now recommended compat level 12.

diffoscope tells me that the main change us the wanted:

./postinst
> @@ -1,10 +1,15 @@
>  #!/bin/sh
>  set -e
> -# Automatically added by dh_systemd_start/12.1.1
> +# Automatically added by dh_installsystemd/12.1.1
>  if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
>   if [ -d /run/systemd/system ]; then
>           systemctl --system daemon-reload >/dev/null || true
> -         if [ -n "$2" ]; then
> -                 _dh_action=restart
> -         else
> -                 _dh_action=start
> -         fi
> -         deb-systemd-invoke $_dh_action 'system-pve\x2dcontainer.slice' >/dev/null || true
> +         deb-systemd-invoke start 'system-pve\x2dcontainer.slice' >/dev/null || true
>   fi
>  fi
>  # End automatically added section

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
4 days agosetup getty: ensure the getty.target is not masked
Thomas Lamprecht [Wed, 17 Jul 2019 10:07:40 +0000 (12:07 +0200)]
setup getty: ensure the getty.target is not masked

some distro templates have this masked by default, it makes sense to
always ensure that it can work, a CT admin can still prevent this by
using the .pve-ignore.$file mechanism.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Acked-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
4 days agosetup getty: drop now obsolete setup_systemd_console
Thomas Lamprecht [Thu, 18 Jul 2019 15:17:17 +0000 (17:17 +0200)]
setup getty: drop now obsolete setup_systemd_console

The setup_container_getty_service can now handle also old
getty@.service if the newer container-getty@.service is not
available. So drop, and convert the two remaining users to calling
the now compatible setup_container_getty_service

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Acked-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
4 days agosetup getty: generalize setup_container_getty_service
Thomas Lamprecht [Thu, 18 Jul 2019 15:10:30 +0000 (17:10 +0200)]
setup getty: generalize setup_container_getty_service

to allow switching the two remaining users and then finally dropping
the setup_systemd_console method

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Co-developed-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Acked-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
4 days agosetup getty: ensure the correct services are enabled
Thomas Lamprecht [Wed, 17 Jul 2019 10:02:34 +0000 (12:02 +0200)]
setup getty: ensure the correct services are enabled

I.e., some distro templates do not have anything enabled, thus also
ensure that the respective container-getty@ services are enabled.

But, as to getty on the same TTY makes for a strange experience also
ensure that the getty@ are all removed (and vice versa in the other
case)

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Acked-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
4 days agogetty setup: move hack for old systemd getty services out
Thomas Lamprecht [Thu, 18 Jul 2019 13:25:33 +0000 (15:25 +0200)]
getty setup: move hack for old systemd getty services out

This makes it easier to remove the setup_systemd_console method in
the future.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Acked-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
4 days agoadd support for debian bullseye/sid
Mira Limbeck [Thu, 18 Jul 2019 13:56:12 +0000 (15:56 +0200)]
add support for debian bullseye/sid

Add support for the newest DebianTesting aka bullseye.

Signed-off-by: Mira Limbeck <m.limbeck@proxmox.com>
Tested-by: Oguz Bektas <o.bektas@proxmox.com>
5 days agoremove obsolete lxc@.service.d
Thomas Lamprecht [Wed, 17 Jul 2019 17:03:54 +0000 (19:03 +0200)]
remove obsolete lxc@.service.d

follow through with the preparations of commit
e407207213f3e23c7f274b101c6e49233b4ff0d2 which was part of the series
cleaning the whole handling up [0]

[0]: https://pve.proxmox.com/pipermail/pve-devel/2017-October/029077.html

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
5 days agofix #1042: inotify: increase watches, instances & queue default limits
Thomas Lamprecht [Wed, 17 Jul 2019 16:20:28 +0000 (18:20 +0200)]
fix #1042: inotify: increase watches, instances & queue default limits

Some recent distributions running as a LXC container eat the relative
low default limits up very fast. Thus increase all those
(semi-related) limits by a factor of 512. This was chosen by using
one of our bigger know CT setup (~1500 CTs per host) and the fact
that I can have only a very low count (circa 5 - 7) of running
"inotify watch hungry" CTs (e.g., ones with a recent systemd > 240).

So, as 5 * 512 is well >> 1500, we can assume with confidence to
allow most reasonable and existing setups by default.

As with the kernel commit d46eb14b735b11927d4bdc2d1854c311af19de6d
"fs: fsnotify: account fsnotify metadata to kmemcg" [0] the memory
usage from the watch and queue overhead is accounted to the users
respective memory CGroup (i.e., for LXC containers their memory
limit) we can do this without to much fear of negative implications.

[0]: https://git.kernel.org/torvalds/c/d46eb14b735b11927d4bdc2d1854c311af19de6d

Don't change the hardcoded kernel default values directly though,
ship a sysctl.d configuration file, which is a bit more transparent
about what happens and can be shipped by the component needing this
(i.e., pve-container).

Follow the considerations of `man 5 sysctl.d` for shipping:
> Packages should install their configuration files in /lib/. Files
> in /etc/ are reserved for the local administrator, who may use this
> logic to override the configuration files installed by vendor
> packages. All configuration files are sorted by their filename in
> lexicographic order, regardless of which of the directories they
> reside in. If multiple files specify the same option, the entry in
> the file with the lexicographically latest name will take
> precedence. It is recommended to prefix all filenames with a
> two-digit number and a dash, to simplify the ordering of the files.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
11 days agoconfig: whitelist lxc.seccomp.notify.proxy/cookie
Wolfgang Bumiller [Thu, 4 Jul 2019 14:42:01 +0000 (16:42 +0200)]
config: whitelist lxc.seccomp.notify.proxy/cookie

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
11 days agobump version to 3.0-3
Thomas Lamprecht [Thu, 11 Jul 2019 17:26:15 +0000 (19:26 +0200)]
bump version to 3.0-3

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
13 days agofix #2270: allow custom lxc options to be restored as root
Stefan Reiter [Tue, 9 Jul 2019 15:20:57 +0000 (17:20 +0200)]
fix #2270: allow custom lxc options to be restored as root

Seems to be a regression introduced with
f360d7f16b094fa258cf82d2557d06f3284435e4 (related to #2028).
$conf->{'lxc'} would always be defined, hence we never replaced it with
the restored options.

Co-developed-by: Oguz Bektas <o.bektas@proxmox.com>
Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>
2 weeks agofollowup: code cleanup and uninitialized value access fix
Thomas Lamprecht [Fri, 5 Jul 2019 16:48:33 +0000 (18:48 +0200)]
followup: code cleanup and uninitialized value access fix

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2 weeks agofix #1451: allow one to add mount options to CT mountpoints
Oguz Bektas [Fri, 5 Jul 2019 11:27:05 +0000 (13:27 +0200)]
fix #1451: allow one to add mount options to CT mountpoints

for now allows the following non-problematic ones:
* noexec - Do not permit execution of binaries on the mounted FS
* noatime - Do not update inode access times on this filesystem
* nosuid - Do not allow suid or sgid bits to take effect
* nodev - Do not interpret character or block devices on the FS

Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
3 weeks agotests: avoid ipcc usage by mocking PVE::Cluster::get_config
Wolfgang Bumiller [Fri, 28 Jun 2019 09:58:32 +0000 (11:58 +0200)]
tests: avoid ipcc usage by mocking PVE::Cluster::get_config

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
4 weeks agobump version to 3.0-2
Thomas Lamprecht [Mon, 24 Jun 2019 16:38:10 +0000 (18:38 +0200)]
bump version to 3.0-2

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
5 weeks agoFix #576: Fix dangling files for Move Disk
Dominic Jäger [Wed, 12 Jun 2019 10:04:57 +0000 (12:04 +0200)]
Fix #576: Fix dangling files for Move Disk

When Move Disk is called for a container rsync starts copying it to a
new destination. This initial rsync process gets killed when the Stop
button gets pressed. At this moment the destination file is not fully
copied and useless as a consequence. Our code already tries to remove
it. However, rsync has forked and those forks are still accessing the
destination file for some time. Thus, the attempt to remove it fails.

With the patch we wait for other processes to release the destination
files. As we are in a mount namespace and protected by a config lock,
those other processes should be children of rsync only. The waiting
time was less than a second when I tried it. Afterwards, the existing
remove procedure is carried out.

Co-developed-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Signed-off-by: Dominic Jäger <d.jaeger@proxmox.com>
2 months agofixup: nitpick: no parenthesis on simple post if
Thomas Lamprecht [Thu, 23 May 2019 07:28:45 +0000 (09:28 +0200)]
fixup: nitpick: no parenthesis on simple post if

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2 months agoFix: check if compression_map format is undefined
Alwin Antreich [Thu, 23 May 2019 07:13:40 +0000 (09:13 +0200)]
Fix: check if compression_map format is undefined

We want to check for an supported compression type, but the check was
not correct as this only works if both sides are scalars, but an
assignment to an array is always "truthy", so actually check explicitly
if the compression type is supported before.

Signed-off-by: Alwin Antreich <a.antreich@proxmox.com>
Co-authored-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2 months agotests: fix lxc-usernsexec invocation for uid != gid
Wolfgang Bumiller [Wed, 22 May 2019 12:25:11 +0000 (14:25 +0200)]
tests: fix lxc-usernsexec invocation for uid != gid

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2 months agobuildsys: switch upload dist over to buster
Thomas Lamprecht [Wed, 22 May 2019 11:16:39 +0000 (13:16 +0200)]
buildsys: switch upload dist over to buster

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2 months agobump version to 3.0-1
Thomas Lamprecht [Wed, 22 May 2019 10:41:52 +0000 (12:41 +0200)]
bump version to 3.0-1

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2 months agobump debian compat level to 10
Thomas Lamprecht [Wed, 22 May 2019 10:40:50 +0000 (12:40 +0200)]
bump debian compat level to 10

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2 months agobuildsys: write source file to correct build dir
Thomas Lamprecht [Wed, 22 May 2019 10:40:13 +0000 (12:40 +0200)]
buildsys: write source file to correct build dir

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2 months agobuildsys: use dpkg-dev makefile helpers for pkg info
Thomas Lamprecht [Wed, 22 May 2019 10:37:58 +0000 (12:37 +0200)]
buildsys: use dpkg-dev makefile helpers for pkg info

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2 months agoset debian source format to 1.0
Thomas Lamprecht [Wed, 22 May 2019 10:37:44 +0000 (12:37 +0200)]
set debian source format to 1.0

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2 months agobump version to 2.0-39
Thomas Lamprecht [Wed, 15 May 2019 14:38:53 +0000 (16:38 +0200)]
bump version to 2.0-39

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2 months agoremove Data::Dumper usages
Thomas Lamprecht [Mon, 13 May 2019 11:45:42 +0000 (11:45 +0000)]
remove Data::Dumper usages

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2 months agoapi config: cleanup indentation and whitespace issues
Thomas Lamprecht [Mon, 13 May 2019 11:45:29 +0000 (11:45 +0000)]
api config: cleanup indentation and whitespace issues

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2 months agod/control: remove undefined ${shlib:depends} from arch-independent package
Thomas Lamprecht [Mon, 13 May 2019 11:41:36 +0000 (11:41 +0000)]
d/control: remove undefined ${shlib:depends} from arch-independent package

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2 months agoapi status: indentation, whitespace and empty newline fixes
Thomas Lamprecht [Mon, 13 May 2019 11:40:49 +0000 (11:40 +0000)]
api status: indentation, whitespace and empty newline fixes

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2 months agoapi status: code cleanup for HA calls
Thomas Lamprecht [Mon, 13 May 2019 11:39:52 +0000 (11:39 +0000)]
api status: code cleanup for HA  calls

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2 months agoapi status: use own variable for frequent hash use
Thomas Lamprecht [Fri, 10 May 2019 10:04:37 +0000 (10:04 +0000)]
api status: use own variable for frequent hash use

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2 months agoapi status: cleanup nested closures
Thomas Lamprecht [Fri, 10 May 2019 10:03:37 +0000 (10:03 +0000)]
api status: cleanup nested closures

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2 months agoapi status: indentation cleanup
Thomas Lamprecht [Fri, 10 May 2019 10:01:44 +0000 (10:01 +0000)]
api status: indentation cleanup

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2 months agofix #2200: vm_stop: add nokill-after-timeout parameter
Thomas Lamprecht [Wed, 8 May 2019 07:07:22 +0000 (07:07 +0000)]
fix #2200: vm_stop: add nokill-after-timeout parameter

This allows to have the same semantics as qemu-server:
* immediate hard-kill
* shutdown with kill after timeout
* shutdown without kill after timeout

And thus we finally can move the vm_shutdown API call to a correct
semantic, i.e., do not immediate hard kill if forceStop is not passed
but rather see it as stop after timeout knob.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2 months agovm_stop: remove unused exit_timeout parameter
Thomas Lamprecht [Wed, 8 May 2019 06:59:40 +0000 (06:59 +0000)]
vm_stop: remove unused exit_timeout parameter

No call-site used this parameter, and thus it was dead code,
remove it not only for cleanup sake but also to make space for a new
"nokill-after-timeout" parameter, comming in a future patch.

This code was always dead since it was introduced with the addition
of vm_stop in commit b1bad293c4f7a6024bbd363b6784b3875ca5d098
so pretty safe to remove anyway.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2 months agofix #2027: do not disable IPV6_AUTOCONF on centos
Oguz Bektas [Thu, 9 May 2019 11:57:29 +0000 (13:57 +0200)]
fix #2027: do not disable IPV6_AUTOCONF on centos

we used to disable IPV6_AUTOCONF when the DHCP option was chosen for the
container network (was only activated with SLAAC option).

however, this option is actually dependent on IPV6FORWARDING (which is
set to no by default), according to this rule:

IPV6_AUTOCONF=!IPV6FORWARDING

which enables it automatically when forwarding is disabled. this way, we
respect the defaults set by centos.

Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
2 months agobump version to 2.0-38
Thomas Lamprecht [Tue, 7 May 2019 11:12:14 +0000 (11:12 +0000)]
bump version to 2.0-38

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2 months agoraise supported fedora version to 30
Stoiko Ivanov [Mon, 6 May 2019 14:27:44 +0000 (16:27 +0200)]
raise supported fedora version to 30

Tested by installing a fedora 29 container and upgrading it via dnf [0].
The upgraded container boots, but in order to get networking running (and many
warnings and errors less in the journal) 'nesting' needs to be activated both
for privileged and unprivileged containers.

[0] https://fedoraproject.org/wiki/DNF_system_upgrade

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
2 months agofix: #1075: Correctly restore CT templates form backup
Christian Ebner [Wed, 17 Apr 2019 14:38:28 +0000 (16:38 +0200)]
fix: #1075: Correctly restore CT templates form backup

Restoring a backup from a CT template wrongly resulted in a CT with the template
flag set in the config.
This makes sure the CT template backup gets restored to a CT and only if the
storage supports templates, the resulting CT is converted to a template.
Otherwise the backup restores simply to a CT.

Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
3 months agoadd fstrim lock to enum
Oguz Bektas [Thu, 11 Apr 2019 13:07:49 +0000 (15:07 +0200)]
add fstrim lock to enum

forgot to add this while adding 'pct fstrim' parameter

Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
3 months agoadd create lock to enum
Dominik Csapak [Thu, 11 Apr 2019 07:16:52 +0000 (09:16 +0200)]
add create lock to enum

we use that lock on create/restoration

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
3 months agobump version to 2.0-37
Thomas Lamprecht [Thu, 4 Apr 2019 14:25:00 +0000 (16:25 +0200)]
bump version to 2.0-37

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
3 months agofollowup: reword bwlimit default wording
Thomas Lamprecht [Tue, 2 Apr 2019 09:29:00 +0000 (11:29 +0200)]
followup: reword bwlimit default wording

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
3 months agobwlimit: add parameter to API2 calls
Stoiko Ivanov [Mon, 1 Apr 2019 09:31:08 +0000 (11:31 +0200)]
bwlimit: add parameter to API2 calls

for migrate_vm, clone_vm and move_volume. The 'migrate_vm' call passes it to
PVE::LXC::Migrate->migrate for handling.

Additionally the bwlimit option's description of the 'create_vm' call gets
consistent capitalization of I/O.

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
3 months agobwlimit: add parameter to rsync in copy_volume
Stoiko Ivanov [Mon, 1 Apr 2019 09:31:07 +0000 (11:31 +0200)]
bwlimit: add parameter to rsync in copy_volume

Unconditionally add a '--bwlimit' parameter to the rsync invocation, defaulting
to an argument of '0' (= unlimited - see `man rsync).
Normally this is a rate per second, with a passed unit. With no unit
passed rsync assumes "K", which is exactly what our units are in, so
make our life easy and omit it.

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
3 months agostorage migrate: add bwlimit parameter
Stoiko Ivanov [Mon, 1 Apr 2019 09:31:06 +0000 (11:31 +0200)]
storage migrate: add bwlimit parameter

pass bwlimit parameter to storage_migrate

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
3 months agofix some reasonable lintian warnings on dsc
Thomas Lamprecht [Tue, 2 Apr 2019 08:06:49 +0000 (10:06 +0200)]
fix some reasonable lintian warnings on dsc

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
3 months agofollowup: remove double parenthesis and hook regex
Thomas Lamprecht [Tue, 2 Apr 2019 08:06:02 +0000 (10:06 +0200)]
followup: remove double parenthesis and hook regex

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
3 months agofix: #1218 Add flag 'unique' to pct restore in order to set new MAC addresses to...
Christian Ebner [Mon, 1 Apr 2019 15:45:24 +0000 (17:45 +0200)]
fix: #1218 Add flag 'unique' to pct restore in order to set new MAC addresses to NICs

Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
3 months agofix #2147: re-add support for current opensuse tumbleweed
Oguz Bektas [Fri, 29 Mar 2019 16:16:33 +0000 (17:16 +0100)]
fix #2147: re-add support for current opensuse tumbleweed

this enables opensuse-tumbleweed templates to be used in Proxmox VE
_again_. It was already supported but it seems that the os-release
backed ID changed and thus our distro detection code didn't detect it
anymore.

a few things didn't work properly in my tests, so some things to consider:
* (probably) because of network configuration issues, it takes a while
for the container to start fully (~30s on my setup)
* unprivileged containers (w/ and w/o nesting enabled) had no network
after starting, and needed to be enabled manually with ip addr and
route.
* privileged containers seemed to function normally, except the
startup delay

Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
3 months agofix #1607: implement pct fstrim
Oguz Bektas [Thu, 28 Mar 2019 13:01:44 +0000 (14:01 +0100)]
fix #1607: implement pct fstrim

runs fstrim on the rootfs and all mountpoints of a given container. this
works for both running and stopped containers.

lock the CT during this operation using a config lock as it is
potentially long running. While fstrim itself wouldn't really need
the lock, as multiple parallel fstrim calls can be made without
problems, we want to forbid migrations during it and want to avoid
that we unmount a with the CT mounted with 'mount' lock (race) -
while we could handle and allow this its just not needed and easier
this way

Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
3 months agobuildsys: add dsc target
Thomas Lamprecht [Wed, 27 Mar 2019 16:21:19 +0000 (17:21 +0100)]
buildsys: add dsc target

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
3 months agodepreacate pve-lxc-snapshot-name in favor of identical pve-snapshot-name
Thomas Lamprecht [Wed, 27 Mar 2019 14:14:05 +0000 (15:14 +0100)]
depreacate pve-lxc-snapshot-name in favor of identical pve-snapshot-name

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
4 months agofollowup: which lock
Thomas Lamprecht [Thu, 21 Mar 2019 17:38:01 +0000 (18:38 +0100)]
followup: which lock

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
4 months agoadd lock to vm status
Dominik Csapak [Thu, 21 Mar 2019 09:55:19 +0000 (10:55 +0100)]
add lock to vm status

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
4 months agosetup: fix alpine ipv6-slaac configuration
Stoiko Ivanov [Tue, 19 Mar 2019 15:34:27 +0000 (16:34 +0100)]
setup: fix alpine ipv6-slaac configuration

busybox ifupdown implementation differs from debian's - configuration type
auto is not supported. If SLAAC is selected for the ipv6 configuration of an
interface, the complete networking is not started, because of that error.

This workaround sets the interface type to 'manual' in case SLAAC is selected
(as is already done for dhcpv6 (for different reasons)). That way all other
configuration stanzas are setup correctly, and if a ipv4 configuration is
present for the same interface the SLAAC-part usually works out of the box
anyways (unless 'accept_ra' is set to 0 for the interface in the kernel).

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
4 months agobump version to 2.0-36
Thomas Lamprecht [Tue, 19 Mar 2019 11:38:17 +0000 (12:38 +0100)]
bump version to 2.0-36

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
4 months agosetup: add support for Ubuntu 19.04 Disco Dingo
Thomas Lamprecht [Tue, 19 Mar 2019 10:16:50 +0000 (11:16 +0100)]
setup: add support for Ubuntu 19.04 Disco Dingo

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
4 months agod/control: bump version dependency of libpve-common-perl
Thomas Lamprecht [Thu, 14 Mar 2019 09:05:20 +0000 (10:05 +0100)]
d/control: bump version dependency of libpve-common-perl

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
4 months agoconfig: hwaddr: enforce unicast MAC addresses
Stoiko Ivanov [Tue, 12 Mar 2019 15:07:42 +0000 (16:07 +0100)]
config: hwaddr: enforce unicast MAC addresses

having a container with a multicast mac (see [1]), prevents it from starting
(see [0,3]).

This patch uses the 'mac-addr' standard_option defined in PVE::JSONSchema to
ensure only unicast macaddresses are used for netconfig.

[0] https://lists.linuxcontainers.org/pipermail/lxc-users/2010-August/000783.html
[1] https://en.wikipedia.org/wiki/MAC_address
[2] https://pve.proxmox.com/pipermail/pve-devel/2019-March/035996.html

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
4 months agotests: move multicast MACs addresses to unicast ones
Stoiko Ivanov [Tue, 12 Mar 2019 15:07:43 +0000 (16:07 +0100)]
tests: move multicast MACs addresses to unicast ones

we'll change the format to forbid MAC addresses with the I/G (group)
bit set in a future patch so lets ensure we do not run into problems
there.

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
4 months agofixup: only un-map if not running and comment so
Thomas Lamprecht [Mon, 11 Mar 2019 09:37:54 +0000 (10:37 +0100)]
fixup: only un-map if not running and comment so

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
4 months agofixup: always un-map and comment more
Thomas Lamprecht [Mon, 11 Mar 2019 08:39:46 +0000 (09:39 +0100)]
fixup: always un-map and comment more

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
4 months agoFix #2109: resize rbd volume for container failed
Alwin Antreich [Fri, 8 Mar 2019 14:41:55 +0000 (15:41 +0100)]
Fix #2109: resize rbd volume for container failed

On resizing a container's disk image the filesystem is extended and in
the case of RBD the returned path of the volume was not a path to a
mapped device.

This patch uses map_volume (respectively unmap_volume) to get a device
mapped and its path returned by the storage plugin. If a path is not
returned then the path method is tried. Currently only the RBD storage
plugin returns a path on map_volume.

Signed-off-by: Alwin Antreich <a.antreich@proxmox.com>
4 months agobump version to 2.0-35
Thomas Lamprecht [Wed, 6 Mar 2019 07:23:27 +0000 (08:23 +0100)]
bump version to 2.0-35

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
4 months agofollowup: code cleanup
Thomas Lamprecht [Mon, 4 Mar 2019 11:29:03 +0000 (12:29 +0100)]
followup: code cleanup

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
4 months agofix #2117: don't keep custom idmap in pct pipe restore
Oguz Bektas [Mon, 4 Mar 2019 10:02:53 +0000 (11:02 +0100)]
fix #2117: don't keep custom idmap in pct pipe restore

while doing a pct restore operation, custom id mappings were being
obtained from the archive file to be used in the newly created container.
this fails when using pipe restore, since there is no file for the
mappings to be recovered from.

Co-Authored by: Mira Limbeck <m.limbeck@proxmox.com>
Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
4 months agod/control: bump version dependency to pve-doc-generator
Thomas Lamprecht [Fri, 22 Feb 2019 12:31:32 +0000 (13:31 +0100)]
d/control: bump version dependency to pve-doc-generator

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
4 months ago1891 Add zsh command completion generation for pct
Christian Ebner [Thu, 21 Feb 2019 13:25:05 +0000 (14:25 +0100)]
1891 Add zsh command completion generation for pct

Generates the zsh command completion scripts for pct.

Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
5 months agofix #2104: config "features: mount" regex pattern
Oguz Bektas [Tue, 19 Feb 2019 12:52:01 +0000 (13:52 +0100)]
fix #2104: config "features: mount" regex pattern

this adds an underscore '_' character to the regex match for "features:
mount", which allows rpc_pipefs to be parsed correctly.

Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
5 months agofix #2086: change process checking mechanism in vmstatus
Oguz Bektas [Mon, 11 Feb 2019 14:51:06 +0000 (15:51 +0100)]
fix #2086: change process checking mechanism in vmstatus

vmstatus checked if the container was running by looking at the pid,
which was not an indicator of the process being completely stopped, as
the command socket in /proc/net/unix stays a little while after the
process is dead according to lxc-info.

this resulted in destroy_vm and similar functions which use
/proc/net/unix command socket based checking mechanism to fail when
executed too fast after the vm_status reported the process as stopped.

this changes vm_status to use the same kind of command socket based
mechanism in order to avoid reporting the container as being stopped too
early.

Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
5 months agod/control: bump version dependency of libpve-common-perl
Thomas Lamprecht [Mon, 4 Feb 2019 11:02:51 +0000 (12:02 +0100)]
d/control: bump version dependency of libpve-common-perl

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
5 months agofix #2080: fix device encoding in the prestart hook
Wolfgang Bumiller [Mon, 4 Feb 2019 09:42:02 +0000 (10:42 +0100)]
fix #2080: fix device encoding in the prestart hook

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
5 months agobump version to 2.0-34
Thomas Lamprecht [Fri, 1 Feb 2019 12:14:18 +0000 (13:14 +0100)]
bump version to 2.0-34

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
5 months agod/control: bump version dependency of libpve-guest-common-perl
Thomas Lamprecht [Fri, 1 Feb 2019 12:08:32 +0000 (13:08 +0100)]
d/control: bump version dependency of libpve-guest-common-perl

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
5 months agoadd pre- start/stop hookscript to containers
Dominik Csapak [Thu, 31 Jan 2019 13:33:40 +0000 (14:33 +0100)]
add pre- start/stop hookscript to containers

this adds the config (hookscript) and executes it on four points in
time for the container:

'pre-start'
'post-start'
'pre-stop'
'post-stop'

on pre-start we abort if the script fails and pre-stop will not be
called if the vm crashes or if the vm gets powered off from inside
the guest

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
5 months agofixup: slight code cleanup
Thomas Lamprecht [Wed, 30 Jan 2019 13:53:37 +0000 (14:53 +0100)]
fixup: slight code cleanup

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
5 months agofixup indentation
Thomas Lamprecht [Wed, 30 Jan 2019 13:53:20 +0000 (14:53 +0100)]
fixup indentation

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
5 months agoAdd debian/SOURCE to docs
Rhonda D'Vine [Wed, 30 Jan 2019 13:41:34 +0000 (14:41 +0100)]
Add debian/SOURCE to docs

Signed-off-by: Rhonda D'Vine <rhonda@proxmox.com>
5 months agoFix #1924: add snapshot parameter
Rhonda D'Vine [Wed, 30 Jan 2019 13:41:33 +0000 (14:41 +0100)]
Fix #1924: add snapshot parameter

The pct CLI command offer the config function. The output of that may
vary with respect to a given snapshot. This adds a switch that shows the
corresponding snapshot's config.

The code needs a newer libpve-guest-common-perl, thus bumping the
dependency.

Signed-off-by: Rhonda D'Vine <rhonda@proxmox.com>
5 months agofix #889: api create: reserver config with create lock early
Thomas Lamprecht [Mon, 28 Jan 2019 07:06:48 +0000 (08:06 +0100)]
fix #889: api create: reserver config with create lock early

allows to remove some checks as we can be sure the config belongs to
us once we have it resered, either for restore or new creation.

This is similar to the qemu-server approach[0][1], adapted to the
LXC code. We need to cleanup a bit less if something fails, as the
LXC code path always removed the config and all created volumes in
this case, which means the 'create' reserve lock is gone too.

The early reserve on API entry, instead of doing it after forked
worker entry, allows to workaround the issues reported in #889 as
successful return from the API call means that the VMID is locked.

[0]: https://git.proxmox.com/?p=qemu-server.git;a=commit;h=8ba8418ca1d1a76a7e24c34045ca7702b0cd969d
[1]: https://git.proxmox.com/?p=qemu-server.git;a=commit;h=4fedc13b453d2011b35352df246cf9ea396e942b

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
5 months agodestroy_config: die if unlink fails
Thomas Lamprecht [Mon, 28 Jan 2019 07:06:47 +0000 (08:06 +0100)]
destroy_config: die if unlink fails

We use this in two places, in the cleanup path of the create/restore
API path and indirectly through PVE::LXC::destroy_lxc_container, once
again in the restore code path of the create API call, to cleanup a
CT before overwriting it with a backup if the force flag ist set. The
second time in the destroy CT API call, both times a hard error in a
erroneous cleanup is wanted.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
5 months agoapi/create: trivial: move worker name out
Thomas Lamprecht [Sat, 26 Jan 2019 13:28:00 +0000 (14:28 +0100)]
api/create: trivial: move worker name out

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
5 months agoapi/create: empty newline cleanup
Thomas Lamprecht [Sat, 26 Jan 2019 12:27:40 +0000 (13:27 +0100)]
api/create: empty newline cleanup

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
6 months agobump version to 2.0-33
Wolfgang Bumiller [Mon, 7 Jan 2019 14:37:19 +0000 (15:37 +0100)]
bump version to 2.0-33

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
6 months agobuildsys: use dpkg-parsechangelog
Wolfgang Bumiller [Mon, 7 Jan 2019 14:36:11 +0000 (15:36 +0100)]
buildsys: use dpkg-parsechangelog

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
6 months agoonly recover id mapping on restore
Wolfgang Bumiller [Mon, 7 Jan 2019 14:32:42 +0000 (15:32 +0100)]
only recover id mapping on restore

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
6 months agoclose #1785: whitelist namespaced lxc.sysfs.* entries
Wolfgang Bumiller [Fri, 4 Jan 2019 11:35:27 +0000 (12:35 +0100)]
close #1785: whitelist namespaced lxc.sysfs.* entries

According do namespaces(7) these should be namespaced (iow.
changing these values on the host they are not propagated to
running containers), so it makes sense to whitelist them.

Note that these only work when also using
'lxc.mount.auto: proc:rw'

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Link: https://github.com/lxc/lxc/issues/989
6 months agobump version to 2.0-32
Thomas Lamprecht [Mon, 7 Jan 2019 12:48:35 +0000 (13:48 +0100)]
bump version to 2.0-32

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
6 months agoadd informative comment...
Wolfgang Bumiller [Fri, 4 Jan 2019 10:17:10 +0000 (11:17 +0100)]
add informative comment...

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
6 months agofixup comment about early lxc.idmap recovery
Wolfgang Bumiller [Thu, 27 Dec 2018 12:55:46 +0000 (13:55 +0100)]
fixup comment about early lxc.idmap recovery

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
6 months agocleanup: factor out root@pam check
Wolfgang Bumiller [Thu, 27 Dec 2018 12:53:53 +0000 (13:53 +0100)]
cleanup: factor out root@pam check

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
6 months agoarray usage fixup
Wolfgang Bumiller [Thu, 27 Dec 2018 13:18:49 +0000 (14:18 +0100)]
array usage fixup

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
6 months agofix #2028: keep custom uid mapping during restore
Oguz Bektas [Thu, 27 Dec 2018 11:52:25 +0000 (12:52 +0100)]
fix #2028: keep custom uid mapping during restore

Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
7 months agofix #2014: don't check if unpriv for blkio
Oguz Bektas [Fri, 7 Dec 2018 10:34:42 +0000 (11:34 +0100)]
fix #2014: don't check if unpriv for blkio

Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
7 months agobump version to 2.0-31
Thomas Lamprecht [Thu, 29 Nov 2018 11:58:25 +0000 (12:58 +0100)]
bump version to 2.0-31

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
7 months agoadd features:fuse
Wolfgang Bumiller [Wed, 28 Nov 2018 12:55:06 +0000 (13:55 +0100)]
add features:fuse

That should be enough for snapd on unprivileged containers.
For privileged containers we'd also need a way to not drop
the mac_admin capability - not sure we'd want that.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>