Greg Kurz [Thu, 5 Jan 2012 22:34:46 +0000 (23:34 +0100)]
lxc: line buffered output for lxc-monitor
A typical usage is to start lxc-monitor in popen() and parse the ouput.
Unfortunately, glibc defaults to block buffering for pipes and you may
have to wait several lines before anything is written to stdout... this
prevent the use of lxc-monitor to implement automatons. Let's go line
buffered !
Signed-off-by: Greg Kurz <gkurz@fr.ibm.com> Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Serge Hallyn [Thu, 5 Jan 2012 22:34:46 +0000 (23:34 +0100)]
ubuntu template: use -updates and -security (v3)
Particularly for LTS releases, which many people will want to use in
their containers, it is not wise to not use release-security and
release-updates. Furthermore the fix allowing ssh to allow the container
to shut down is in lucid-updates only.
With this patch, after debootstrapping a container, we add -updates and
-security to sources.list and do an upgrade under chroot. Unfortunately
we need to do this because debootstrap doesn't know how to.
Changelog:
Nov 14: as Stéphane Graber suggested, make sure no daemons start on
the host while doing dist-upgrade from chroot.
Nov 15: use security.ubuntu.com, not mirror. (stgraber)
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Christian Seiler [Tue, 15 Nov 2011 17:53:53 +0000 (18:53 +0100)]
Set high byte of mac addresses for host veth devices to 0xfe
When used in conjunction with a bridge, veth devices with random addresses
may change the mac address of the bridge itself if the mac address of the
interface newly added is numerically lower than the previous mac address
of the bridge. This is documented kernel behavior. To avoid changing the
host's mac address back and forth when starting and/or stopping containers,
this patch ensures that the high byte of the mac address of the veth
interface visible from the host side is set to 0xfe.
A similar logic is also implemented in libvirt.
Fixes SF bug #3411497
See also: <http://thread.gmane.org/gmane.linux.kernel.containers.lxc.general/2709>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com> Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Greg Kurz [Thu, 10 Nov 2011 08:41:46 +0000 (09:41 +0100)]
lxc: use -iquote instead of -I
To avoid name collisions between local and system header
files. For example, if you try to include the <pty.h>
system file, you end up including the one from lxc...
Signed-off-by: Greg Kurz <gkurz@fr.ibm.com> Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Tuomas Suutari [Fri, 28 Oct 2011 21:55:38 +0000 (23:55 +0200)]
lxc-fedora.in: Fix fetching of the fedora-release rpm
The hardcoded URL seems to be broken and 404 error was not
checked. Now the mirror is selected from mirrorlist (instead of
hardcoding to funet.fi) and fetch errors are checked.
Also added a retry loop (with 3 tries) to find a working mirror, since
some of the mirrors are not OK.
Signed-off-by: Tuomas Suutari <tuomas.suutari@gmail.com> Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Greg Kurz [Mon, 24 Oct 2011 12:56:30 +0000 (14:56 +0200)]
lxc: introduce lxc_execute()
This patch allows to create application containers with liblxc.so directly.
Some code cleanups on the way:
- separate ops for lxc_execute() and lxc_start(): the factorisation is wrong
here as we may have specific things to do if we're running an application
container. It deserves separate ops.
- lxc_arguments_dup() is merged in the pre-exec operation: this is a first
use for the execute op introduced just above. It's better to build the
arguments to execvp() where they're really used.
Signed-off-by: Greg Kurz <gkurz@fr.ibm.com> Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com> Cc: Cedric Le Goater <clg@fr.ibm.com>
Rainer Weikusat [Mon, 24 Oct 2011 12:47:58 +0000 (14:47 +0200)]
Don't list containers w/ active console sessions multiple times
The lxc-ls shell script uses netstat -xa to get a listing of AF_UNIX
sockets it then parses in order to determine the names of presently
running containers. This is wrong because it will list the
listening socket and all sockets created by accepting connections on
that. This causes the script to display the names of containers with
active lxc-console sessions 1 + n times, n being the number of active
console sessions. The patch below fixes this by using netstat -xl
instead which only displays the listening sockets.
Signed-off-by: Rainer Weikusat <rweikusat@mobileactivedefense.com> Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Serge E. Hallyn [Mon, 24 Oct 2011 12:38:30 +0000 (14:38 +0200)]
Accurately detect whether a system supports clone_children
If multiple cgroups are mounted under /sys/fs/cgroup, then the
original check ends up looking for /sys/fs/cgroup/cgroup.clone_children,
which does not exist because that is just a tmpfs.
So make sure to check an actual cgroupfs.
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Serge E. Hallyn [Mon, 24 Oct 2011 12:38:30 +0000 (14:38 +0200)]
Let sshd template work on ubuntu systems.
/dev/shm is a symlink to /run/shm, so we need /run/shm
to exist in the container rootfs. Also, /dev/mqueue does
not exist on the host, and can't be created by the container.
But we don't really need it so ignore that.
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Serge E. Hallyn [Mon, 24 Oct 2011 12:38:30 +0000 (14:38 +0200)]
ubuntu template: disallow cap_sys_module (by popular demand)
This isn't particularly reassuring, and will be moot with user
namespaces, but as people are asking for it, turn off sys_module.
While we're at it, turn off mac_admin and mac_override.
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
We think it's better for now to only warn the user about a fd leaking into
the container. Also remove the call to readlink() as it isn't really useful
now: since the container will start anyway, the user can look into /proc/../fd
or use lsof or whatever.
Signed-off-by: Greg Kurz <gkurz@fr.ibm.com> Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Greg Kurz [Tue, 13 Sep 2011 13:08:04 +0000 (15:08 +0200)]
fixes for rpmbuild
This patch fixes some makefile/specfile issues when running
rpmbuild with the distributed lxc specfile:
- fixes usage of installation directories for config files,
rootfs, templates and lxc-init so that they're calculated
at make time instead of configure time. Thanks to this,
all installed items go under $RPM_BUILD_ROOT when running
rpmbuild
- introduce --disable-rpath option to configure to avoid
check-rpaths errors when building non-root.
- introduce a lxc-libs package in the default spec file
to allow concurrent installation of 32 bit and 64 bit
libraries.
v2: - fix circular reference in lxc.pc
- ship lxc.pc with lxc-devel
Signed-off-by: Greg Kurz <gkurz@fr.ibm.com> Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
For veth and macvlan networks, this can look up the host address on the
bridge (link) interface and add a default route on the guest to that
address. This facilitates a typical setup where guests are bridged
together.
syntax:
lxc.ipv4.gateway = auto
lxc.ipv6.gateway = auto
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Daniel Lezcano [Thu, 11 Aug 2011 15:54:57 +0000 (17:54 +0200)]
lxc-ps : fix the container name search
We don't have to check for the cgroup namespace name because the
pid we are looking for is already in the list of the container owned by
lxc and retrieved from the abstract socket command name.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Serge E. Hallyn [Tue, 9 Aug 2011 14:51:01 +0000 (16:51 +0200)]
Silence lxc-unshare warning when removing cgroup
If ns cgroup is mounted, then when lxc-unshare runs, the kernel automatically
creates a new cgroup for the task. So lxc-unshare tries to delete it. But
if ns cgroup is not mounted, that cgroup does not get created, and now
lxc-unshare spits an error.
Author: Serge Hallyn <serge.hallyn@canonical.com>
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/819319
Forwarded: no
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Serge E. Hallyn [Tue, 9 Aug 2011 14:51:01 +0000 (16:51 +0200)]
make lxc-netstat work when /etc/mtab is not /proc/mounts
like lxc-ps and lxc-ls, lxc-netstat breaks if there is not an 'lxc' cgroup
mount and /etc/mtab is not a link to /proc/mounts.
Author: Serge Hallyn <serge.hallyn@canonical.com>
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/819319
Forwarded: no
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Serge E. Hallyn [Tue, 9 Aug 2011 14:51:01 +0000 (16:51 +0200)]
fix lxc-ls with mtab != /proc/mounts
The cgroup mounts created by cgroup-bin do not show up in /etc/mtab.
lxc-ls, as lxc-ps before it, assumes that /etc/mtab is symlinked to
/proc/mounts.
Author: Serge Hallyn <serge.hallyn@canonical.com>
Forwarded: no
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/819319
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Serge E. Hallyn [Sun, 7 Aug 2011 10:25:07 +0000 (12:25 +0200)]
Use container's /run/utmp if it exists
If /var/run is a symlink to /run in the container, then opening
/proc/<pid>/root/var/run/utmp will end up opening the host's utmp.
Therefore the hack detecting shutdown through utmp fails.
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
When '-b user' is specified to lxc-ubuntu container creation template, do
not automatically add all the groups of which user is a member on the host,
to user's groups in the container.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
lxc-ubuntu: don't put devpts in $confdir/container/fstab
src/lxc/conf.c will explicitly mount it anyway. Furthermore, the fstab
entry, which is getting processed first, did not specify -o newinstance.
This can cause the host's devpts entry mount options to change, as in
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/607636.
Note - I messed up. This was applied upstream, but I dropped it in
subsequent conversion to lxc-ubuntu template. It therefore needs to
be reapplied.
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
cgroups: support cgroups mounted in multiple places (v3)
(sorry for the extra traffic.)
With this patch, lxc works for me both with all cgroups mounted with
ns cgroup on /cgroup, and with libcgroup mounting all cgroups
separately.
To do this, instead of looking for one cgroup called 'lxc' or
otherwise taking the first cgroup we find, we actually create a
container in every mounted cgroup fs. Right now it's done under the
root of each fs. We may want to put that under lxc, or, better yet,
make that configurable.
Changelog:
Michael H. Warfield: Handle the case where subsystem doesn't have '.'.
Daniel Lezcano: clean up incorrect reentrant use of mntent helpers
v3: use the rest of Daniel's cleanups
TODO: add a configurable directory name, 'lxc' by default, under which
all lxc cgroups are created (i.e. /sys/fs/cgroup/lxc)
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com> Tested-by: Michael H. Warfield <mhw@WittsEnd.com>
The good news is, starting with next openSUSE release (and next SLES 11
Service Pack), patching /etc/init.d/boot won't be needed anymore for
LXC, we integrated detection of LXC (through container variable set to
lxc) in /etc/init.d/boot and /dev is no longer mounted automatically by
initscript.
Signed-off-by: Frederic Crozat <fcrozat@suse.com> Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Serge Hallyn [Sat, 25 Jun 2011 13:17:47 +0000 (15:17 +0200)]
consolidate ubuntu templates
Consolidate lucid, maverick, natty, and oneiric templates into one 'ubuntu'
template.
Add support for specifying architecture.
Add support for '--trim|-x' option, which removes services like the lucid
template used to. This creates smaller, faster-booting containers, but they
will not be safe with certain upgrades, like mountall or udev. When -x is
not specified for lucid or maverick container, then install lxcguest from
the ubuntu-virt ppa, since it does not exist in the official archives, and
the container is not safe to boot without lxcguest.
Add support for '--bindhome <user>' option, which will cause /home/<user>
to be bind-mounted into the container, and create the user with his
original password, shell, and group memberships in the container.
changelog:
june 23:
lxc-ubuntu template: set lxc.arch in config
install lxcguest when NOT trimming the container
lxc-ubuntu: always install lxcguest in postprocess
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Serge E. Hallyn [Thu, 23 Jun 2011 22:42:24 +0000 (00:42 +0200)]
Add lxc-clone script
Create an lxc-clone script to clone containers. It should probably
be factored into helpers and then enhanced, in particular to convert
between LVM and non-LVM containers, create non-snapshot LVM clones,
support loopback devices, and, when stable enough, to use
overlayfs, btrfs, etc.
But this is a start.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Daniel Lezcano [Thu, 2 Jun 2011 07:50:38 +0000 (09:50 +0200)]
set close-on-exec flag on command socket
When we accept a connection, we have to set the close-on-exec flag,
otherwise that won't be possible to reboot a container through a
lxc-console command.
Reported-by: Katoh Yasufumi <karma@jazz.email.ne.jp> Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Cedric Le Goater [Fri, 20 May 2011 09:37:16 +0000 (11:37 +0200)]
lxc: don't install setns.h
'setns.h' is not an lxc interface.
Also, a side effect of this declaration of 'setns.h' in the lxc header
files is to be distributed in the lxc tarball. This breaks the
lxc-attach command because the file is not automatically generated at
compile time.
Signed-off-by: Cedric Le Goater <clg@fr.ibm.com> Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Daniel Lezcano [Fri, 13 May 2011 20:29:34 +0000 (22:29 +0200)]
ignore non-lxc configuration line
We ignore the line of in the configuration file not beginning by "lxc."
So we can mix the configuration file with another information used for
another component through the lxc library.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Daniel Lezcano [Fri, 6 May 2011 23:33:33 +0000 (01:33 +0200)]
templates: don't put devpts in $confdir/container/fstab
src/lxc/conf.c will explicitly mount it anyway. Furthermore, the fstab
entry, which is getting processed first, did not specify -o newinstance.
This can cause the host's devpts entry mount options to change, as in
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/607636.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Serge E. Hallyn [Fri, 6 May 2011 23:33:33 +0000 (01:33 +0200)]
templates: don't put devpts in $confdir/container/fstab
src/lxc/conf.c will explicitly mount it anyway. Furthermore, the fstab
entry, which is getting processed first, did not specify -o newinstance.
This can cause the host's devpts entry mount options to change, as in
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/607636.
I believe the lenny, fedora, and debian templates also will need an
update.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Greg Kurz [Wed, 6 Apr 2011 11:41:44 +0000 (13:41 +0200)]
lxc: default log appender on stderr
The default appender for logs is currently the file one: this
make macros from log.h unusable as long as lxc_log_init() hasn't
been called. This prevents errors from even being printed on
stderr in lxc_caps_init() for example.
Let's make stderr the default appender.
Signed-off-by: Greg Kurz <gkurz@fr.ibm.com> Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Michel Normand [Tue, 15 Mar 2011 19:19:07 +0000 (20:19 +0100)]
lxc-* tools are vulnerable for arguments with spaces
this is related to the bug
http://sourceforge.net/tracker/?func=detail&aid=3113612&group_id=163076&atid=826303
that suggested to modify bash lxc script to properly use "$@" in place of "$*"
Signed-off-by: Michel Normand <michel.mno@free.fr> Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
lxc_cgroup_path_get currently cache the cgroup mount point plus the
container name at the same time, making every call of the function
returning the same value.
It mean that actually every call to lxc_cgroup_get with a different
container name will in fact use the same container name as used for
the primary call.
I join a patch to fix that, still doing some caching, but only caching
the cgroup moint point this time. This patch actually work for me, as
I am using the liblxc for retrieving statistics about all running
containers, using lxc_cgroup_get to retrieve every interesting values.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
projects / thirdparty / lxc.git / log
