Currently the autodev hook only adds device nodes, but in
order for the container to use them we also need to add
entries to the devices cgroup to both the limiting and the
namespaced devices cgroup directory.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
we use perl modules from pve-firewall and some build steps fail if
isn't installed, e.g., happening on bootstrapping.
pve-firewall includes some modules from us but does so in a way which
can cope with a not-installed pve-container (or qemu-server for that
matter).
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Our checks for .pve-ignore.* files happen at write time so
we mostly don't have to think about them within the
functions dealing with them. /etc/hosts is one of the files
we need nowhere except when updating it, and there are some
tools managing it and producing files too large for our
default file_get_contents() size limit, so here we want to
skip early to avoid an error at read time.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Upstream's templates seem to have switched to systemd-networkd for
fedora > 25. Since then various workarounds have been suggested (starting
the legacy network.service in /etc/rc.local). This patch tries to accomodate
both network-configuration options for the affected and available templates
(25, 26, 27), by configuring both services.
Wolfgang Link [Wed, 6 Jun 2018 13:21:45 +0000 (15:21 +0200)]
fix #1778: check if storage support templates
LXC can only create templates on storages which support linked clones.
To prevent this, we will check before we convert to a template if the
storage support this.
Wolfgang Link [Tue, 5 Jun 2018 10:58:47 +0000 (12:58 +0200)]
fix #1792: Do not assign vars in conditional statement
If a variable is defined and assigned in a conditional statement,
it is not defined behavior in Perl.
For more inforamtion about this behavior see
https://perldoc.perl.org/perlsyn.html#Statement-Modifiers
"NOTE: The behaviour of a my, state, or our modified with a statement
modifier conditional or loop construct (for example, my $x if ... )
is undefined.
The value of the my variable may be undef, any previously assigned
value, or possibly anything else.
Don't rely on it. Future versions of perl might do something different
from the version of perl you try it out on. Here be dragons."
we only handled the special rootfs mount so creating a template
from a container with additional mountpoint did not work correctly.
Use foreach_mountpoint to create a base vdisk for all mount points
after checking if the storage supports it
otherwise the size information gets lost when detaching and reattaching
a mountpoint volume, which is less than ideal since mountpoints without
size information require manual information when restoring.
This finishes the work started with 07084526aa4a ("create:
open templates as real root"), which opened templates as
real root, but passed it to tar via /proc/*/fd, which does
not actually bypass the check. (Curiously tar did manage to
figure out the file extension from it).
In order to actually extract templates the unprivileged user
cannot access by themselves, we need to pass it to tar via
stdin, however, this means tar cannot auto-detect the
compression (or more accurately, it can and does, but tells
you which option to pass it rather than just extracting
it...)
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
systemd-networkd keeps trying to use keyctl() and if it
refuses to work it is apparently a fatal error, so let's
make it think keyctl() support doesn't actually exist by
letting it always fail with ENOSYS.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Alwin Antreich [Wed, 14 Mar 2018 12:51:55 +0000 (13:51 +0100)]
Fix pct skiplock
The method vm_start sets an environment variable that is not picked up
anymore by systemd. This patch removes the environment variable and
introduces a skiplock file that is picked up by the
lxc-pve-prestart-hook.
Alwin Antreich [Fri, 9 Mar 2018 15:14:59 +0000 (16:14 +0100)]
Fix #1547: on migration abort, the CT starts again
When a migration fails, the final_cleanup phase now starts the container
on the source node again, if it was a migration in restart_mode and the
CT was running.
Thomas Lamprecht [Fri, 16 Feb 2018 07:40:48 +0000 (08:40 +0100)]
close #1668: add Devuan support
Add separate Plugin as the Debian Plugin will get more systemd
specific stuff in the future, while this here is as anti-systemd as
it gets, so make the split from the start.
But only overwrite the plugin constructor for now, the rest is still
backward compatible.
Short nack history:
In PVE 4 Beta we introduced LXC as our new container technology.
Initially we did not used the our section config format for its
configuration file in /etc/pve . It was then decided to reuse our
config format (section config), so that we do not need to maintain a
separate parser, and that VM and CT config where not completely
different, which could confuse users.
This script was added to allow an easy transition from the old LXC
config format to the new Proxmox SectionConfig one.
All new installations since, and including, PVE 4.0 never needed this.
And all beta users must go through PVE 4.4 if they want to
dist-upgrade to PVE 5.0, so just remove it - it's forever tracked in
git anyway
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Thu, 16 Nov 2017 14:07:40 +0000 (15:07 +0100)]
create: refactor arch detection to run_fork_with_timeout
Swap out our own fork/waitpid code with run_fork_with_timeout, which
not only allows to return arbitrary results from the called method
but also has a timeout configured, which prevents that a creation
hangs forever (= next reboot).
As we can now return more than with an exit code number we do not
return the ELF class but the detected architecture directly and pull
the fallback code into this method.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Since we use a post-stop hook to unmount all file systems at
container shutdown rather than a stop hook (because at this
point there are still multiple mount namespaces around), we
need to wait for the lxc-start/monitor process to exit to be
sure all the unmounting has succeeded, because it will put
the container into a STOPPED state before executing the
post-stop hook, making lxc-wait and lxc-stop signal success
too early when waiting for the container to stop.
Introduce a vm_stop() helper which calls lxc-stop and then
waits for the command socket to close. Note that lxc-stop
already has the "hard-stop-after-timeout" mechanic built in,
so the 'forceStop' code path of the vm_stop api call removed
here was not actually necessary.
Technically we could pass --nokill for the behavior assumed
there, but for now this patch should not be causing any
actual behavior changes.
We changed this to read values from the container's inner
cgroup, but didn't take into account that unprivileged
containers don't have one.
Add a parameter to specify whether it is an unprivileged
container.
Fixes: 41ef9833bf00 ("include ns/ dir in read_cgroup_value") Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
we want our unit to only start when manually invoked (by our code), and
stop on shutdown via pve-guests or pve-ha-lrm. lxc@ units are stopped by
systemd on shutdown, because of transitive dependencies.
since all instances of template service units are by default assigned to
a new slice with DefaultDependencies=yes, we also need to introduce our
own custom slice with DefaultDependencies=no.
projects / pve-container.git / log