Thomas Lamprecht [Fri, 21 Feb 2020 12:07:56 +0000 (13:07 +0100)]
setup/ubuntu: add upcoming 20.04 focal release
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
(cherry picked from commit eb03cc119c03f4b5108a0a02ddfd7f7cba53b051)
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Fri, 21 Feb 2020 12:07:32 +0000 (13:07 +0100)]
setup/ubuntu: note LTS versions
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
(cherry picked from commit a89aed4bbd15af96648b9fd285c0287668bba868)
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
so that we handle all the point releases between 8-9
Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
(cherry picked from commit c823eb0a1b2b04bc7745bbac4819be9a9c96df51)
(cherry picked from commit 6566b196964dd8723eebf7c43181854b669f6e87)
[ Thomas: Squashed above two cherry-picks into one commit ]
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
mountpoints: create parent dirs with correct owner
otherwise unprivileged containers might end up with directories that
they cannot modify since they are owned by the user root in the host
namespace, instead of root inside the container.
note: the problematic behaviour is only exhibited when an intermediate
directory needs to be created, e.g. a mountpoint /test/mp gets mounted,
and /test does not yet exist.
Oguz Bektas [Mon, 26 Aug 2019 14:06:32 +0000 (16:06 +0200)]
don't leave fstrim lock if mount_all fails
when a container has a mountpoint which can't be mounted for some
reason, mount_all dies and the fstrim lock stays. prevent this by
moving the call into eval, warn if any error occurs.
Still try to unmount all already mounted MPs so that nothing blocking
remains left.
Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
(cherry picked from commit a179d3a7390beef3bfa6e61572034a0a7d237d6e)
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Oguz Bektas [Fri, 13 Sep 2019 10:35:57 +0000 (12:35 +0200)]
fix issue where ttys aren't correctly set after restore
restore from unpriv to priv causes a problem with the log-in from web
console, since the /etc/securetty file isn't modified after a restore to
reflect that change (/dev/lxc/tty1 and so on).
template_fixup is normally called in post_create_hook, but we have no
$password or $ssh_keys to call the hook with during the restore. instead
we call template_fixup by itself to fix the ttys on some distributions.
Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
(cherry picked from commit 4b4bbe553bebac2fbc179616c90594eed275b07e)
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Thu, 31 Oct 2019 15:45:05 +0000 (16:45 +0100)]
setup: fedora: allow 31 (and 32)
tested by installing fedora 30 and using dnf-system-upgrade to get
version 31.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
(cherry picked from commit 5a973aa68f1d0d5a19b1337094ab3f7cb74453a0)
Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
Thomas Lamprecht [Thu, 31 Oct 2019 15:45:04 +0000 (16:45 +0100)]
add upcoming Ubuntu 19.10 Eoan as supported
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
(cherry picked from commit 5c5d57f05b0bb8daedb24625ec69dd30133b8dc7)
Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
Thomas Lamprecht [Tue, 27 Aug 2019 16:49:01 +0000 (18:49 +0200)]
setup: allow CentOS 5 and CentOS 8
One is in the extended support phase, it should not be used but
people report that the CentOS 6 code path works just fine, so why
not...
The other is for the upcoming CentOS 8, while not fully testable for
compatibility yet, CentOS 7 code path should do the trick, else
we'll need to adapt it anyway, so see this as experimental
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
(cherry picked from commit 9b940fef409e443713cf8ae3ca4f42f75f756f9e)
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Wed, 17 Jul 2019 10:07:40 +0000 (12:07 +0200)]
setup getty: ensure the getty.target is not masked
some distro templates have this masked by default, it makes sense to
always ensure that it can work, a CT admin can still prevent this by
using the .pve-ignore.$file mechanism.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Acked-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
(cherry picked from commit 570798fadd62752e5f370fec908c1308394000a2)
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Thu, 18 Jul 2019 15:17:17 +0000 (17:17 +0200)]
setup getty: drop now obsolete setup_systemd_console
The setup_container_getty_service can now handle also old
getty@.service if the newer container-getty@.service is not
available. So drop, and convert the two remaining users to calling
the now compatible setup_container_getty_service
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Acked-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
(cherry picked from commit a4f1fab1416f8c6cf0993539587ca3028e8bded8)
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Mira Limbeck [Thu, 18 Jul 2019 13:56:12 +0000 (15:56 +0200)]
add support for debian bullseye/sid
Add support for the newest DebianTesting aka bullseye.
Signed-off-by: Mira Limbeck <m.limbeck@proxmox.com>
Tested-by: Oguz Bektas <o.bektas@proxmox.com>
(cherry picked from commit 93da83ffa3d7b546f7c9e2627c2652f1b3d4d171)
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Stefan Reiter [Tue, 9 Jul 2019 15:20:57 +0000 (17:20 +0200)]
fix #2270: allow custom lxc options to be restored as root
Seems to be a regression introduced with f360d7f16b094fa258cf82d2557d06f3284435e4 (related to #2028).
$conf->{'lxc'} would always be defined, hence we never replaced it with
the restored options.
Co-developed-by: Oguz Bektas <o.bektas@proxmox.com>
Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>
(cherry picked from commit 82bfeccbe6cbc12f39a04a4a8d1ac5ef12ae73ad)
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
tests: avoid ipcc usage by mocking PVE::Cluster::get_config
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
(cherry picked from commit b0c4f0658fc3a157de071d0b2e604b0657b57a79)
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Dominic Jäger [Wed, 12 Jun 2019 10:04:57 +0000 (12:04 +0200)]
Fix #576: Fix dangling files for Move Disk
When Move Disk is called for a container rsync starts copying it to a
new destination. This initial rsync process gets killed when the Stop
button gets pressed. At this moment the destination file is not fully
copied and useless as a consequence. Our code already tries to remove
it. However, rsync has forked and those forks are still accessing the
destination file for some time. Thus, the attempt to remove it fails.
With the patch we wait for other processes to release the destination
files. As we are in a mount namespace and protected by a config lock,
those other processes should be children of rsync only. The waiting
time was less than a second when I tried it. Afterwards, the existing
remove procedure is carried out.
Co-developed-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Signed-off-by: Dominic Jäger <d.jaeger@proxmox.com>
(cherry picked from commit 75c2677fb5f26fce508a81528cc730f56fc9118c)
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Thu, 23 May 2019 07:28:45 +0000 (09:28 +0200)]
fixup: nitpick: no parenthesis on simple post if
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
(cherry picked from commit 68300601d205649d702afec522d8bc575d772e62)
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Alwin Antreich [Thu, 23 May 2019 07:13:40 +0000 (09:13 +0200)]
Fix: check if compression_map format is undefined
We want to check for a supported compression type, but the check was
not correct as this only works if both sides are scalars, but an
assignment to an array is always "truthy", so actually check explicitly
if the compression type is supported before.
Signed-off-by: Alwin Antreich <a.antreich@proxmox.com>
Co-authored-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
(cherry picked from commit 539660e2bd3e9a557a8c0ce7e17865377bf269b9)
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
tests: fix lxc-usernsexec invocation for uid != gid
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
(cherry picked from commit 8f4bd6245b25218d05dbf1267a85728f447a13d4)
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
This allows to have the same semantics as qemu-server:
* immediate hard-kill
* shutdown with kill after timeout
* shutdown without kill after timeout
And thus we finally can move the vm_shutdown API call to a correct
semantic, i.e., do not immediately hard kill if forceStop is not passed
but rather see it as stop after timeout knob.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
No call-site used this parameter, and thus it was dead code,
remove it not only for cleanup sake but also to make space for a new
"nokill-after-timeout" parameter, coming in a future patch.
This code was always dead since it was introduced with the addition
of vm_stop in commit b1bad293c4f7a6024bbd363b6784b3875ca5d098
so pretty safe to remove anyway.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Stoiko Ivanov [Mon, 6 May 2019 14:27:44 +0000 (16:27 +0200)]
raise supported fedora version to 30
Tested by installing a fedora 29 container and upgrading it via dnf [0].
The upgraded container boots, but in order to get networking running (and many
warnings and errors less in the journal) 'nesting' needs to be activated both
for privileged and unprivileged containers.
Christian Ebner [Wed, 17 Apr 2019 14:38:28 +0000 (16:38 +0200)]
fix: #1075: Correctly restore CT templates from backup
Restoring a backup from a CT template wrongly resulted in a CT with the template
flag set in the config.
This makes sure the CT template backup gets restored to a CT and only if the
storage supports templates, the resulting CT is converted to a template.
Otherwise the backup restores simply to a CT.
Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
Unconditionally add a '--bwlimit' parameter to the rsync invocation, defaulting
to an argument of '0' (= unlimited - see `man rsync`).
Normally this is a rate per second, with a passed unit. With no unit
passed rsync assumes "K", which is exactly what our units are in, so
make our life easy and omit it.
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Oguz Bektas [Fri, 29 Mar 2019 16:16:33 +0000 (17:16 +0100)]
fix #2147: re-add support for current opensuse tumbleweed
this enables opensuse-tumbleweed templates to be used in Proxmox VE
_again_. It was already supported but it seems that the os-release
backed ID changed and thus our distro detection code didn't detect it
anymore.
a few things didn't work properly in my tests, so some things to consider:
* (probably) because of network configuration issues, it takes a while
for the container to start fully (~30s on my setup)
* unprivileged containers (w/ and w/o nesting enabled) had no network
after starting, and needed to be enabled manually with ip addr and
route.
* privileged containers seemed to function normally, except the
startup delay
Oguz Bektas [Thu, 28 Mar 2019 13:01:44 +0000 (14:01 +0100)]
fix #1607: implement pct fstrim
runs fstrim on the rootfs and all mountpoints of a given container. this
works for both running and stopped containers.
lock the CT during this operation using a config lock as it is
potentially long running. While fstrim itself wouldn't really need
the lock, as multiple parallel fstrim calls can be made without
problems, we want to forbid migrations during it and want to avoid
that we unmount a with the CT mounted with 'mount' lock (race) -
while we could handle and allow this it's just not needed and easier
this way
Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Stoiko Ivanov [Tue, 19 Mar 2019 15:34:27 +0000 (16:34 +0100)]
setup: fix alpine ipv6-slaac configuration
busybox ifupdown implementation differs from debian's - configuration type
auto is not supported. If SLAAC is selected for the ipv6 configuration of an
interface, the complete networking is not started, because of that error.
This workaround sets the interface type to 'manual' in case SLAAC is selected
(as is already done for dhcpv6 (for different reasons)). That way all other
configuration stanzas are set up correctly, and if an ipv4 configuration is
present for the same interface the SLAAC-part usually works out of the box
anyways (unless 'accept_ra' is set to 0 for the interface in the kernel).
Alwin Antreich [Fri, 8 Mar 2019 14:41:55 +0000 (15:41 +0100)]
Fix #2109: resize rbd volume for container failed
On resizing a container's disk image the filesystem is extended and in
the case of RBD the returned path of the volume was not a path to a
mapped device.
This patch uses map_volume (respectively unmap_volume) to get a device
mapped and its path returned by the storage plugin. If a path is not
returned then the path method is tried. Currently only the RBD storage
plugin returns a path on map_volume.
Oguz Bektas [Mon, 4 Mar 2019 10:02:53 +0000 (11:02 +0100)]
fix #2117: don't keep custom idmap in pct pipe restore
while doing a pct restore operation, custom id mappings were being
obtained from the archive file to be used in the newly created container.
this fails when using pipe restore, since there is no file for the
mappings to be recovered from.
Co-Authored by: Mira Limbeck <m.limbeck@proxmox.com>
Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
Oguz Bektas [Mon, 11 Feb 2019 14:51:06 +0000 (15:51 +0100)]
fix #2086: change process checking mechanism in vmstatus
vmstatus checked if the container was running by looking at the pid,
which was not an indicator of the process being completely stopped, as
the command socket in /proc/net/unix stays a little while after the
process is dead according to lxc-info.
this resulted in destroy_vm and similar functions which use
/proc/net/unix command socket based checking mechanism to fail when
executed too fast after the vm_status reported the process as stopped.
this changes vm_status to use the same kind of command socket based
mechanism in order to avoid reporting the container as being stopped too
early.
Rhonda D'Vine [Wed, 30 Jan 2019 13:41:33 +0000 (14:41 +0100)]
Fix #1924: add snapshot parameter
The pct CLI command offers the config function. The output of that may
vary with respect to a given snapshot. This adds a switch that shows the
corresponding snapshot's config.
The code needs a newer libpve-guest-common-perl, thus bumping the
dependency.
Thomas Lamprecht [Mon, 28 Jan 2019 07:06:48 +0000 (08:06 +0100)]
fix #889: api create: reserve config with create lock early
allows to remove some checks as we can be sure the config belongs to
us once we have it reserved, either for restore or new creation.
This is similar to the qemu-server approach[0][1], adapted to the
LXC code. We need to cleanup a bit less if something fails, as the
LXC code path always removed the config and all created volumes in
this case, which means the 'create' reserve lock is gone too.
The early reserve on API entry, instead of doing it after forked
worker entry, allows to workaround the issues reported in #889 as
successful return from the API call means that the VMID is locked.
Thomas Lamprecht [Mon, 28 Jan 2019 07:06:47 +0000 (08:06 +0100)]
destroy_config: die if unlink fails
We use this in two places, in the cleanup path of the create/restore
API path and indirectly through PVE::LXC::destroy_lxc_container, once
again in the restore code path of the create API call, to cleanup a
CT before overwriting it with a backup if the force flag is set. The
second time in the destroy CT API call, both times a hard error in an
erroneous cleanup is wanted.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
close #1785: whitelist namespaced lxc.sysfs.* entries
According to namespaces(7) these should be namespaced (iow.
changing these values on the host they are not propagated to
running containers), so it makes sense to whitelist them.
Note that these only work when also using
'lxc.mount.auto: proc:rw'