So far we've simply been using RUNTIME_PATH for the privileged and unprivileged
case. We should actually use XDG_RUNTIME_DIR for the unprivileged case.
Signed-off-by: Christian Brauner <cbrauner@suse.de>
When a container c is on a btrfs filesystem but is directory backed, copying
the container will default to snapshot. This is because of
should_default_to_snapshot() returning true in this case because c is on a
btrfs filesystem. We should make sure that should_default_to_snapshot() only
returns true, when c itself is a btrfs subvolume.
Signed-off-by: Christian Brauner <cbrauner@suse.de>
KATOH Yasufumi [Fri, 12 Aug 2016 08:29:55 +0000 (17:29 +0900)]
doc: Update Japanese lxc-attach(1)
* Add undocumented options (-v/--set-var, --keep-var, -f/--rcfile)
* Change order of option in SYNOPSIS (-L that is placed after "command")
* Add long options in SYNOPSIS
KATOH Yasufumi [Fri, 12 Aug 2016 08:04:15 +0000 (17:04 +0900)]
doc: Update lxc-attach(1)
* Add undocumented options (-v/--set-var, --keep-var, -f/--rcfile)
* Change order of option in SYNOPSIS (-L that is placed after "command")
* Add long options in SYNOPSIS
Otherwise a container with a non-standard configuration file
can be started but not attached to.
Fixes the following case:
# lxc-start -n ct -f /different/path/my.config
# lxc-attach -n ct
Error: container ct is not defined
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
This fixes a double free corruption on container-requested
reboots when lxc_spawn() fails before receiving the ttys, as
lxc_fini() (part of __lxc_start()'s cleanup) calls
lxc_delete_tty().
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
lxc-checkpoint will fail because process createdy by lxc-attach has
incorrect cgroup ns. It needs to use "setns" instead of "unshare"
to set cgroup ns.
criu.c: In function ‘exec_criu’:
criu.c:310:4: error: format ‘%lu’ expects argument of type ‘long unsigned int’, but argument 3 has type ‘uint64_t’ [-Werror=format=]
ret = sprintf(ghost_limit, "%lu", opts->user->ghost_limit);
^
In file included from criu.c:42:0:
log.h:285:9: error: format ‘%lu’ expects argument of type ‘long unsigned int’, but argument 3 has type ‘uint64_t’ [-Werror=format=]
struct lxc_log_locinfo locinfo = LXC_LOG_LOCINFO_INIT; \
^
criu.c:312:5: note: in expansion of macro ‘ERROR’
ERROR("failed to print ghost limit %lu", opts->user->ghost_limit);
^
Signed-off-by: Christian Brauner <cbrauner@suse.de>
Adrian Reber [Fri, 15 Jul 2016 08:54:30 +0000 (10:54 +0200)]
c/r: make local function static
This is a minimal commit which makes the function 'do_restore()' static
as it is not used anywhere else in the code. This also removes a
trailing space my editor complained about.
Adrian Reber [Mon, 4 Jul 2016 14:58:09 +0000 (16:58 +0200)]
c/r: drop in-flight connections during CRIU dump
Shortly after CRIU 2.3 has been released a patch has been added to skip
in-flight TCP connections. In-flight connections are not completely
established connections (SYN, SYN-ACK). Skipping in-flight TCP
connections means that the client has to re-initiate the connection
establishment.
This patch stores the CRIU version detected during version check, so
that during dump/checkpoint options can be dynamically enabled depending
on the available CRIU version.
v2:
* use the newly introduced criu version interface
* add an option to disable skipping in-flight connections
Adrian Reber [Mon, 11 Jul 2016 19:55:43 +0000 (21:55 +0200)]
c/r: initialize migrate_opts properly
The commit "c/r: add support for CRIU's --action-script" breaks
lxc-checkpoint on the command-line. It produces errors like:
sh: $'\260\366\b\001': command not found
and then it fails. src/lxc/criu.c expects migrate_opts->action_script to
be either NULL, then it is ignored, or to actually contain the name of
an action scripts.
As the struct migrate_opts has not static storage is has to be explicitly
initialized or the value of the structure's members is indeterminate.
- If version != NULL criu_version_ok() stores the detected criu version in
version. Allocates memory for version which must be freed by caller.
- If version == NULL criu_version_ok() will return true when the version
matches, false in all other cases.
Signed-off-by: Christian Brauner <cbrauner@suse.de>
First, we're doing this so long a there is any cgroup config item -
even if no devices ones. Then if devices is not available we fail.
This was leading to Rob E's mysterious startup failures.
Secondly, we're not even using this info. The user was removed
awhile back.
Antonio Terceiro [Wed, 29 Jun 2016 17:58:35 +0000 (14:58 -0300)]
lxc-debian: fix regression when creating wheezy containers
The regression was introduced by commit 3c39b0b7a2b445e08d2e2aecb05566075f4f3423 which makes it possible to
create working stretch containers by forcinig `init` to be in the
included package list.
However, `init` didn't exit before jessie, so now for wheezy we
explicitly include `sysvinit`; sysvinit on wheezy is essential,
so it would already be included anyway.
Signed-off-by: Antonio Terceiro <terceiro@debian.org>
Preetam D'Souza [Tue, 28 Jun 2016 03:12:12 +0000 (23:12 -0400)]
Include all lxcmntent.h function declarations on Bionic
Newer versions of Android (5.0+, aka API Level 21+) include mntent.h,
which declares setmntent and endmntent. This hits an edge
case with the preprocessor checks in lxcmntent.h because HAVE_SETMNTENT
and HAVE_ENDMNTENT are both defined (in Bionic's mntent.h), but conf.c
always includes lxcmntent.h on Bionic! As a result, we get compiler
warnings of implicit function declarations for setmntent endmntent.
This patch always includes setmntent/endmntent/hasmntopt function
declarations on Bionic, which gets rid of these warnings.
Tycho Andersen [Mon, 27 Jun 2016 22:24:09 +0000 (22:24 +0000)]
c/r: use criu's "full" mode for cgroups
A while ago cgroup modes were introduced to CRIU, which slightly changed
the behavior w.r.t. cgroups under the hood. What we're really after is
criu's --full mode, i.e. even if a particular cgroup directory exists
(in particular /lxc/$container[-$number] will, since we create it), we
should restore perms on that cgroup.
Things worked just fine for actual properties (except "special" properties
as criu refers to them, which I've just sent a patch for) because liblxc
creates no subdirectories, just the TLD.
Stéphane Graber [Mon, 27 Jun 2016 19:15:15 +0000 (15:15 -0400)]
apparmor: Update mount states handling
Properly list all of the states and the right apparmor stanza for them,
then comment them all as actually enabling this would currently let the
user bypass apparmor entirely.
Antonio Terceiro [Fri, 17 Jun 2016 22:00:56 +0000 (19:00 -0300)]
lxc-debian: make sure init is installed
init 1.34 is not "Essential" anymore, in order to make it not required
on minimal chroots, docker containers, etc. Because of that we now need
to manually include it on systems that are expected to boot.
Signed-off-by: Antonio Terceiro <terceiro@debian.org>
Jesse Pretorius [Fri, 3 Jun 2016 15:33:25 +0000 (16:33 +0100)]
Move apt-transport-https to global packages_template
In many environments the preference is to configure containers with
apt mirrors that are SSL-secured.
When building containers using the download template this can't be
done unless an insecure mirror is first used to install the
apt-transport-https package, then the sources reconfigured to
use the https URL.
When building containers without using the download template this
can't be done unless the container creator specifically includes
this package in the package list at build time. It seems more
intuitive to me to have the package installed by default.
Commit 396f75abb3d319adc7d871b94b08bc6bb9c49585 added the package
to the minbase variant, but this variant is not used by the download
template build process. The build process instead specifies no
variant, so this patch moves the package from the packages_template
package list in the minbase variant to the global packages_template
package list, ensuring that this package is included in all Ubuntu
build images that use the lxc-ubuntu template.
Jesse Pretorius [Wed, 11 May 2016 17:17:58 +0000 (18:17 +0100)]
Add apt-transport-https to minbase variant packages_template
In many environments the preference is to configure containers with
apt mirrors that are SSL-secured.
When building containers using the download template this can't be
done unless an insecure mirror is first used to install the
apt-transport-https package, then the sources reconfigured to
use the https URL.
When building containers without using the download template this
can't be done unless the container creator specifically includes
this package in the package list at build time.
It seems more intuitive to me to have the package installed by
default. This patch includes the required package for the minbase
variant only as this is the default.
Tycho Andersen [Wed, 11 May 2016 13:51:11 +0000 (07:51 -0600)]
c/r: add an option to use faster inotify support in CRIU
The idea here is that criu can use open_by_handle on a configuration which
will preserve inodes on moves across hosts, but shouldn't do that on
configurations which won't preserve inodes. Before, we forced it to always
be slow, but we don't have to do this.
Tycho Andersen [Fri, 6 May 2016 18:19:16 +0000 (18:19 +0000)]
c/r: rearrange things to pass struct migrate_opts all the way down
If we don't do this, we'll end up changing the function signatures for the
internal __criu_* functions each time we add a new parameter, which will
get very annoying very quickly. Since we already have the user's arguments
struct, let's just pass that all the way down.
Stewart Brodie [Tue, 10 May 2016 12:57:00 +0000 (13:57 +0100)]
Allow configuration file values to be quoted
If the value starts and ends with matching quote characters, those
characters are stripped automatically. Quote characters are the
single quote (') or double quote ("). The quote removal is done after
the whitespace trimming.
This is needed particularly in order that lxc.environment values may
have trailing spaces. However, the quote removal is done for all values
in the parse_line function, as it has non-const access to the value.
Signed-off-by: Stewart Brodie <stewart@metahusky.net>
gentoo.moresecure.conf tries to drop the capability CAP_SYS_RESOURCES.
However, that capability doesn't exist, so the container doesn't start.
Change it to CAP_SYS_RESOURCE, according to capabilities(7).
Also correct the same typo in a comment in slackware.common.conf.
Aron Podrigal [Sun, 1 May 2016 15:06:53 +0000 (11:06 -0400)]
Fixed - set PyErr when Container.__init__ fails
When container init failed for whatever reason, previously it resulted
in a `SystemError: NULL result without error in PyObject_Call`
This will now result in a RuntimeError with the error message
previously printed to stderr.
Leonid Isaev [Thu, 21 Apr 2016 19:20:39 +0000 (13:20 -0600)]
Initialize a pointer in split_init_cmd() to avoid gcc warnings
gcc -Wall warns about uninitialized variables (-Wmaybe-uninitialized), and
-Werror makes it fatal. This change allows the build to succeed by NULL'ifying
the pointer passed to strtok_r().
Note that strtok_r(3) anyway ignores a non-NULL arg3 pointer on the 1st call
with non-NULL arg1 string.
Signed-off-by: Leonid Isaev <leonid.isaev@jila.colorado.edu> Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>
don't make sysv init scripts dependant on distribution specifics
- /etc(/rc.d)?/init.d/functions does not exist on all distributions
- LSB does not define a message function without an explicit status
- Debian-derived systems add a log_daemon_msg for that
lets define an own log_daemon_msg as echo and try to load LSB init
functions afterwards, which might overload it with a nicer version
that way the init scripts should work on any system, without hard
dependencies on neither LSB nor /etc/init.d/functions
pty logging only works correctly when stdout and stderr refer to a pty. If they
do not, we do not dup2() them and lxc_console_cb_con() will never write to the
corresponding log file descriptor.
When redirection on stdout and stderr is used we can safely assume that the user
is already logging to a file or /dev/null and creating an additional pty log
doesn't seem to make sense.
Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>
cgfsng: don't require that systemd subsystem be mounted
Note that is_crucial_subsystem still lists name=systemd. That is
used in cgfs and cgmanager. Cgmanager is typically setup to create
name=systemd, so it is ok. cgfs uses is_crucial_subsystem() only
to decide whether failure to create or chown a directory should be
terminal. That's ok, because (a) if name=systemd is not mounted then
we won't hit that, and (b) if name=systemd is mounted, then we'd
really still like to set it up for containers.
nicer date format and support for SOURCE_DATE_EPOCH in LXC_GENERATE_DATE
Using $(date) for LXC_GENERATE_DATE has various flaws:
* formating depends on the locale of the system we execute configure on
* the output is not really a date but more a timestamp
Let's use $(date --utc '+%Y-%m-%d') instead.
While at it, also support SOURCE_DATE_EPOCH [1] to make the build
reproducible
The current tests for lxc-attach pty allocation and I/O redirection rely on the
standard file descriptors of the test script to refer to a pty. If they do not
the tests are effectively useless with respect to pty allocation. We need a test
environment with the standard file descriptors refering to a pty as well. One
solution is to run this test under the script command.
This commit also adds a test whether pty logging works. This test is only
executed when all standard file descriptors refer to a pty.
Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>
cgfsng: defer to cgfs if needed subsystems are not available
This requires us to check that at cgfsng_ops_init, rather than
cgfs_init. Cache the hierarchy and cgroup.use info globally
rather than putting it into the per-container info, as cgmanager
does. This is ok as both cgroup.use and the list of usable
hierarchies are in fact global to a lxc run.
projects / thirdparty / lxc.git / log
