Fabian Ebner [Mon, 23 Mar 2020 11:18:51 +0000 (12:18 +0100)]
For clone+copy features, make sure a valid format for the target is supported
using the new option valid_target_formats. This is
necessary, because clone_image can result in a qcow2 image
being created (on directory based storages) which is not
valid for LXC.
Thomas Lamprecht [Wed, 18 Mar 2020 09:46:17 +0000 (10:46 +0100)]
lxc_config: mount /sys as mixed for unprivileged by default
CONTAINER_INTERFACE[0] is something systemd people call their API and
we need to adapt to it a bit, even if it means doing stupid
unnecessary things, as else systemd decides to regress and suddenly
break network stack in CT after an upgrade[1].
This mounts the parent /sys as mixed, which is:
> mount /sys as read-only but with /sys/devices/virtual/net writable.
-- man 5 lxc.container.conf
Allow users to overwrite that with a features knob, as surely some
run into other issues else and manually adding a "lxc.mount.auto"
entry in the container .conf is not an nice user experience for most.
Fixes the system regression in up to date Arch installations
introduced by[2].
Fabian Ebner [Tue, 18 Feb 2020 11:31:22 +0000 (12:31 +0100)]
Fix mounting ZFS snapshots whose dataset is not mounted below '/'
Trying to back up a container with a ZFS dataset with non-standard mount
would fail, see [0].
This also removes the near-dead code
$name .= "\@$snapname";
when snapname is false-y, but defined and turns
the check for $snapname into one for definedness.
Thomas Lamprecht [Wed, 19 Feb 2020 16:41:49 +0000 (17:41 +0100)]
backup prepare: remove useless "activate volumes"
As the actual stop of the CT happened after VZDump called the prepare
step, the volume activation was undone again.
commit 00cc04160351f0034c5349d208e59a5f46d8ee33 improved that by
doing the activate now in the archive step when colleting the
moutpoints to backup, so drop it here for good.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Oguz Bektas [Tue, 18 Feb 2020 13:38:52 +0000 (14:38 +0100)]
fix #2598: activate volumes before mounting in stop mode backup
'stop' mode deactivates the volumes (relevant for LVM backend), and
they're not reactivated before trying to mount them for backup.
reactivating the volumes before the mount in 'stop' mode backup solves
the issue.
Signed-off-by: Oguz Bektas <o.bektas@proxmox.com> Acked-by: Wolfgang Bumiller <w.bumiller@proxmox.com> Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Oguz Bektas [Wed, 5 Feb 2020 14:03:29 +0000 (15:03 +0100)]
apply_pending: do cleanup pending between, not during, change/delete loop
instead of calling it while iterating, inbetween the loops is a
better place in terms of similarity with qemu-server side, while also
fixing the bug that Dominik found[0]:
> when setting a netX option that is semantically the same as the one
> already set but in a different order, e.g.:
>
> in config:
> net0: name=eth0,bridge=vmbr0,hwaddr=AA:AA:AA:AA:AA:AA,type=veth
> setting via api:
> net0: bridge=vmbr0,name=eth0,hwaddr=AA:AA:AA:AA:AA:AA,type=veth
>
> the code tries to 'hot-apply' the change (which is no change
> really) where the api line then gets parsed and printed which
> results in the same string already in the config
>
> then we do a 'cleanup_pending' which removes it from pending, since
> the config already contains the exact same options, but then we
> overwrite the config from pending (which is empty) resulting in an
> invalid config line:
> --8<--
> net0:
> -->8--
Avoid this by only calling the cleanup pending change outside the
loop, it makes no sense to loop over the whole config on each pending
property change and pending delete.
Signed-off-by: Oguz Bektas <o.bektas@proxmox.com> Tested-By: Dominik Csapak <d.csapak@proxmox.com>
[ Thomas: adapted commit message with some extra info ] Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Fri, 31 Jan 2020 15:24:30 +0000 (16:24 +0100)]
d/control: depend on pve-lxc-syscalld
It's a really small daemon doing nothing if not in use, and only
requiring < 1M of disk space and ~2M of memory (and one can always
stop the service if not wanted)
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
[ Thomas: use new helper from common ] Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
This causes char and blockdev mknod() and mknodat() calls to
be forwarded to the seccomp proxy, so unprivileged
containers can finally create /dev/null by themselves.
For now this is experimental and therefore added to
`features`. Ideally, if this works as intended, we can make
it the default in pve 7.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Thomas Lamprecht [Tue, 21 Jan 2020 07:55:04 +0000 (08:55 +0100)]
fsck: do is-CT-running check earlier
besides the fact that it makes sense to check that early it avoids
also uncleaned side-effect, like a mapped RBD volume which did not
get unmapped again due to this check dying.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
When starting via 'lxc-start' from the CLI the prestart hook
ended up mounting relative to the current working dir, so
the container refused to start and we created a bunch of
useless `var` directories.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Fabian Ebner [Tue, 3 Dec 2019 08:31:28 +0000 (09:31 +0100)]
Always determine the size of the volume in volume_rescan
Otherwise there is an issue when resizing a volume with pending changes:
1. Have a running container with a mount point
2. Edit the mount point and change the path
3. Resize the mount point
4. Reboot the container
Result: the old size is written to the config.
Signed-off-by: Fabian Ebner <f.ebner@proxmox.com> Tested-by: Oguz Bektas <o.bektas@proxmox.com>
fix #2512: post-stop: unmount stage mps before cleanup
With staged mount points we now have mount points also
mounted in our staging temp directory, and we keep them
there in order to prevent hotplugged mounts (which can be
unmounted by the container) to disconnect from their loop
devices, so we need to clean those up as well before we can
run any cleanups.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
We still passed the target mount path to bindmount() causing
bindmount_verify() to fail. Fix this by assuming '/' as the
in-container target mount path when staging, as we mount
onto the $rootdir instead.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Oguz Bektas [Thu, 21 Nov 2019 16:48:06 +0000 (17:48 +0100)]
apply pending changes in lxc poststop hook
apply pending changes after container is stopped (via API or systemctl), and
update lxc config.
also affects reboots from inside the container. (but in that case we don't try
to update_lxc_config again if pending changes were already applied and lxc config
was updated)
The prestart hook is executed by lxc, that is *after* it
loaded the config, so any pending changes which involve
updates to /var/lib/lxc/$vmid/config won't have any actual
effect: seccomp profile, apparmor profile changes, cgroup
related settings, newly added network devices, ...
prestart-hook: use staged mountpoints on newer kernels
This way we operate on defined paths in the monitor
namespace (/run/pve/mountpoint/{rootfs,mp0,mp1,...}) while
performing the mount, and can use `move_mount()` without
passing the MOVE_MOUNT_T_SYMLINKS flag when putting the
hierarchy in place.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Staging a mount point requires the new kernel mount API and
will mount the volume at a fixed path, then use open_tree()
to "pick it up" into a file descriptor.
For most of our volumes we wouldn't need the temp directory,
but some things cannot be handled with _only_ the new API
(like single-step read-only bind mounts). Additionally, the
'mount' command figures out file systems automatically and
has a bunch of helpers we'd need to reimplement, so instead,
go through our usual mount code and then pick up the result.
This can then be used to implement mount point hotplugging,
as with the open file descriptor we can move into the
container's namespace and issue a `move_mount()` to put the
mount point in place in the running container.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Oguz Bektas [Wed, 6 Nov 2019 14:58:55 +0000 (15:58 +0100)]
fix #2453: actually reflect random MAC address selection in config
When creating/changing the network interface of a container, the
parse_lxc_network can have side-effects, e.g., it adds a new random
MAC hwaddr if the netX format-string did not had any. Thus, we need
to call print_lxc_network again in order to have the correct,
up-to-date, property string in the config file.
Apparently this was a regression introduced with the pending changes
series.
Signed-off-by: Oguz Bektas <o.bektas@proxmox.com> Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
projects / pve-container.git / log