Serge Hallyn [Thu, 1 Nov 2012 21:27:03 +0000 (22:27 +0100)]
Add lxc.autodev
Add a container config option to mount and populate /dev in a container.
We might want to add options to specify a max size for /dev other than
the default 100k, and to specify other devices to create. And maybe
someone can think of a better name than autodev.
Changelog: Don't error out if we couldn't mknod a /dev/ttyN.
Changelog: Describe the option in lxc.conf manpage.
Natanael Copa [Fri, 16 Nov 2012 16:01:55 +0000 (17:01 +0100)]
lxc-create: use posix shell instead of bash
- use '[ -x /path/prog ]' instead of 'type /path/prog'
- avoid getopt --longoptions
- add \ at after && and || when those are at end of line
- make sure condition expands to empty string if variable is empty
Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Stéphane Graber [Mon, 12 Nov 2012 21:20:53 +0000 (16:20 -0500)]
lxc-ls: Don't exit 1 when no container or help
lxc-ls is currently exiting with return code 1 when called with --help
or when called on a system without containers.
This behaviour isn't documented in the manpage and isn't terribly intuitive.
It's been the source of quite a few weird failures in scripts running with
set -e.
As a user calling --help is a voluntary action, lxc-ls should exit 0.
Also, as lxc-ls's goal is solely to list containers, showing an error and
exiting with return code 1 when there's no container seems counter-intuitive
and error-prone.
Stéphane Graber [Mon, 12 Nov 2012 20:38:50 +0000 (15:38 -0500)]
Detect which name to use for docbook2x-man
docbook2x-man doesn't have the same name on Debian based systems as
on RedHat based systems; add some magic to configure.ac to detect and
substitute the proper name in Makefile.am
Peter Simons [Sat, 20 Oct 2012 09:47:22 +0000 (11:47 +0200)]
Update documentation to Docbook 4.5
The package 'docbook-tools' [1] required to format Docbook 3.0 into man pages
was obsoleted a long time ago and can no longer be downloaded from its
former homepage. Recent versions of that package, now called 'docbook2X',
cannot deal with that old markup format anymore (and don't support the '-w all'
command line switch either). To remedy these issues, all SGML files have been
updated to Docbook 4.5 so that recent versions of docbook2man can process them.
Stéphane Graber [Mon, 12 Nov 2012 19:39:43 +0000 (14:39 -0500)]
Fix check against LXCROOTFSMOUNT to use strcmp
The check for conf->rootfs.mount not being equal to LXCROOTFSMOUNT
wasn't done with strcmp which was leading to undefined behaviour
and triggered gcc warnings.
Dwight Engen [Thu, 25 Oct 2012 17:46:34 +0000 (13:46 -0400)]
Reinstate README file in rootfs directory
Change 5fd8314f removed the README file explaining why the
rootfs directory has to exist. Doing so broke the build on
Fedora 17 since this directory will not be created by make
install and thus the spec file cannot find it.
Dwight Engen [Wed, 17 Oct 2012 17:28:27 +0000 (13:28 -0400)]
Add distro config file /etc/lxc/lxc.conf
This allows a distro to put the distro-specific default network
configuration (for example bridge device, link type), or other lxc
configuration in the case that -f is not passed by the user to
lxc-create, in which case lxc-create will use the distro conf file as
the basis for the containers config.
Dwight Engen [Mon, 15 Oct 2012 13:42:26 +0000 (09:42 -0400)]
Honor network type and link from lxc-create -f
Make the oracle template honor the lxc.network.type and
lxc.network.link configuration items if a "base" configuration file is
passed to lxc-create. If no configuration file is passed and the host
system is Oracle or Fedora, the template assumes a type of veth and
the default name created by libvirt.
Dwight Engen [Mon, 15 Oct 2012 13:42:02 +0000 (09:42 -0400)]
Better rpm database downgrade logic
Use the file command to see if the rpm database version needs to
be downgraded. Use the lsb_release command to determine the host
system, which is then used to set the commands needed to do the
conversion, and lets us move the rpm database to the correct location
if the host rpm doesn't put it where the guest expects it to be.
Serge Hallyn [Fri, 5 Oct 2012 21:40:21 +0000 (16:40 -0500)]
add oracle template (From: Dwight Engen)
This is a new template to create containers based on Oracle Linux. A version
such as 5.8, 6.3, or 6.latest can be specified with -R in which case a rootfs
will be created from rpms downloaded from the Oracle public-yum repo.
Alternatively the path to an existing rootfs of Oracle 5 or 6 may be given to
the template with the -t option.
The architecture of the downloaded rpms installed in the container can be
specified with the -a template option.
The script used to contain a workaround for back when create()
wouldn't properly flush the config and reload it.
As these issues have now been fixed, these workarounds can be removed.
fix expansion of LXCPATH,LXCROOTFSMOUNT,LXCTEMPLATEDIR
These variables are not expanded correctly in doc/lxc-create.sgml.in
and a workaround is in place to ensure ${localstatedir}, and ${datadir}
are set in the various shell scripts that use it. There is no workaround
to ensure ${datadir} is set in src/lxc/lxc-create.in, nor is
${localstatedir} set in templates/lxc-altlinux.in so I think that these
are currently broken.
Using AS_AC_EXPAND instead of AC_SUBST fixes these problems and removes
the need for the workarounds. In addition the lxc-start-ephemeral.in
script can be autoconf'ed instead of sed'ed by the makefile.
This commit adds lxc-start-ephemeral as a python script using the
new python-lxc API.
This script is somewhat similar to lxc-clone except that it uses
overlayfs or aufs to provide an overlay on top of the source container.
It also allows the user to directly run a command in the container using
SSH and can fetch the IP address from the container when starting the
container in the background.
The initial work on lxc-start-ephemeral was done by Serge Hallyn in Ubuntu,
this is a re-implementation of it using python and the new LXC hooks.
Compared to the shell implementation, there are three notable differences:
- When starting without a command, lxc-start-ephemeral now attaches to tty1
- When starting in the background (-d), the name and IP of the container are
shown on screen.
- A new "-k" option is added, allowing the user to keep the ephemeral
container after shutdown. This turns off the tmpfs backend and sets up the
hooks so that the container can be started/stopped multiple times.
This code was added to deal with stopped/dead containers but
really shouldn't be implemented there. Instead the setsid() call in
start() should be enough to prevent python from getting the SIGCHLD and
having to deal with it.
Serge Hallyn [Fri, 31 Aug 2012 17:25:38 +0000 (12:25 -0500)]
Add lxc.hook.pre-mount
This happens in the container's namespace, but before the rootfs is
set up and mounted. This gives us a chance to mangle the rootfs - i.e.
ecryptfs-mount it.
Stéphane Graber [Wed, 29 Aug 2012 16:27:53 +0000 (09:27 -0700)]
Add lxc.aa_profile example to all templates
LXC has optional apparmor support; the default profile is lxc-container-default.
This change adds a commented "lxc.aa_profile = default" line to all templates,
uncommenting this will bypass apparmor for the container.
Stéphane Graber [Mon, 27 Aug 2012 22:53:00 +0000 (18:53 -0400)]
Merge the liblxc API work by Serge Hallyn.
This turns liblxc into a public library implementing a container structure.
The container structure is meant to cover most LXC commands and can easily be
used to write bindings in other programming languages.
More information on the new functions can be found in src/lxc/lxccontainer.h
Test programs using the API can also be found in src/tests/
Christian Seiler [Tue, 21 Aug 2012 22:03:16 +0000 (00:03 +0200)]
lxc-attach: Add -R option to remount /sys and /proc when only partially attaching
When attaching to only some namespaces of the container but not the mount
namespace, the contents of /sys and /proc of the host system do not properly
reflect the context of the container's pid and/or network namespaces, and
possibly others.
The introduced -R option adds the possibility to additionally unshare the
mount namespace (when it is not being attached) and remount /sys and /proc
in order for those filesystems to properly reflect the container's context
even when only attaching to some of the namespaces.
Signed-off-by: Christian Seiler <christian@iwakd.de>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Cc: Daniel Lezcano <daniel.lezcano@free.fr>
Christian Seiler [Tue, 21 Aug 2012 22:03:15 +0000 (00:03 +0200)]
lxc-attach: Add -s option to select namespaces to attach to
This patch allows the user to select any list of namespaces (network, pid,
mount, uts, ipc, user) that lxc-attach should use when attaching to the
container; all other namespaces will not be attached to.
This allows the user to for example attach to just the network namespace and
use the host's (and not the container's) network tools to reconfigure the
network of the container.
Signed-off-by: Christian Seiler <christian@iwakd.de>
Cc: Daniel Lezcano <daniel.lezcano@free.fr>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Christian Seiler [Tue, 21 Aug 2012 22:03:14 +0000 (00:03 +0200)]
lxc-unshare: Move functions to determine clone flags from command line options to namespace.c
In order to be able to reuse code in lxc-attach, the functions
lxc_namespace_2_cloneflag and lxc_fill_namespace_flags are moved from
lxc_unshare.c to namespace.c.
Signed-off-by: Christian Seiler <christian@iwakd.de>
Cc: Daniel Lezcano <daniel.lezcano@free.fr>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Christian Seiler [Tue, 21 Aug 2012 22:03:13 +0000 (00:03 +0200)]
lxc-attach: Detect which namespaces to attach to dynamically
Use the command interface to contact lxc-start to receive the set of
flags passed to clone() when starting the container. This allows lxc-attach
to determine which namespaces were used for the container and select only
those to attach to.
Signed-off-by: Christian Seiler <christian@iwakd.de>
Cc: Daniel Lezcano <daniel.lezcano@free.fr>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Christian Seiler [Tue, 21 Aug 2012 22:03:12 +0000 (00:03 +0200)]
lxc-attach: Remodel cgroup attach logic and attach to namespaces again in parent process
With the introduction of lxc-attach's functionality to attach to cgroups,
the setns() calls were put in the child process after the fork() and not the
parent process before the fork() so the parent process remained outside the
namespaces and could add the child to the correct cgroup.
Unfortunately, the pid namespace really affects only children of the current
process and not the process itself, which has several drawbacks: The
attached program does not have a pid inside the container and the context
that is used when remounting /proc from that process is wrong. Thus, the
previous logic of first setting the namespaces and then forking so the child
process (which then exec()s to the desired program) is a real member of the
container.
However, inside the container, there is no guarantee that the cgroup
filesystem is still mounted and that we are allowed to write to it (which
is why the setns() was moved in the first place).
To work around both problems, we separate the cgroup attach functionality
into two parts: Preparing the attach process, which just opens the tasks
files of all cgroups and keeps the file descriptors open, and the writing to
those fds part. This allows us to open all the tasks files in lxc_attach,
then call setns(), then fork, in the child process close them completely and
in the parent process just write the pid of the child process to all those
fds.
Signed-off-by: Christian Seiler <christian@iwakd.de>
Cc: Daniel Lezcano <daniel.lezcano@free.fr>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
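The two-part cgroup attach described in this commit, as an added example that is not LXC's own code: the tasks files are opened before any setns() call, the child closes its copies (where it would exec()), and the parent writes the child's pid to the still-open descriptors. The setns() step is omitted so the program runs unprivileged, and the "tasks" files are constructed temp files in /tmp; the function names (attach_sequence, demo_two_cgroups) are this example's own.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>
struct cgroup_attach { int fds[8]; int n; };
static void cgroup_attach_close(struct cgroup_attach *ca) {  /* child side */
    while (ca->n > 0) close(ca->fds[--ca->n]);
}
/* Part 1: open the tasks files while cgroupfs is still visible, before setns(). */
static int cgroup_attach_prepare(struct cgroup_attach *ca, const char **p, int n) {
    for (ca->n = 0; ca->n < n && ca->n < 8; ca->n++)
        if ((ca->fds[ca->n] = open(p[ca->n], O_WRONLY | O_APPEND | O_CLOEXEC)) < 0) {
            cgroup_attach_close(ca); return -1;
        }
    return 0;
}
/* Part 2, parent side: write the child's pid to every prepared fd. */
static int cgroup_attach_finish(struct cgroup_attach *ca, pid_t pid) {
    char buf[32]; int len = snprintf(buf, sizeof buf, "%d\n", (int)pid), rc = 0;
    for (int i = 0; i < ca->n; i++)
        if (write(ca->fds[i], buf, len) != len) rc = -1;
    cgroup_attach_close(ca); return rc;
}
/* prepare -> setns() -> fork -> child closes fds (then exec), parent writes pid. */
pid_t attach_sequence(const char **tasks, int n) {
    struct cgroup_attach ca;
    if (cgroup_attach_prepare(&ca, tasks, n) < 0) return -1;
    pid_t pid = fork();  /* in lxc-attach, the setns() calls sit right before this */
    if (pid < 0) { cgroup_attach_close(&ca); return -1; }
    if (pid == 0) { cgroup_attach_close(&ca); _exit(0); }  /* exec() target */
    int rc = cgroup_attach_finish(&ca, pid);
    waitpid(pid, NULL, 0); return rc < 0 ? -1 : pid;
}
/* Self-check on two constructed "tasks" files in /tmp: 1 if both received the pid. */
int demo_two_cgroups(void) {
    char names[2][24] = { "/tmp/tasks.XXXXXX", "/tmp/tasks.XXXXXX" };
    const char *tasks[2] = { names[0], names[1] };
    int got[2] = { -1, -1 }, fd;
    for (int i = 0; i < 2; i++) { if ((fd = mkstemp(names[i])) < 0) return 0; close(fd); }
    pid_t pid = attach_sequence(tasks, 2);
    for (int i = 0; i < 2; i++) {
        FILE *f = fopen(tasks[i], "r");
        if (f) { if (fscanf(f, "%d", &got[i]) != 1) got[i] = -1; fclose(f); }
        unlink(tasks[i]);
    }
    return pid > 0 && got[0] == (int)pid && got[1] == (int)pid;
}
```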
Christian Seiler [Tue, 21 Aug 2012 22:03:11 +0000 (00:03 +0200)]
lxc-start: Add command to retrieve the clone flags used to start the container.
Add the LXC_COMMAND_CLONE_FLAGS that retrieves the flags passed to clone(2)
when the container was started. This allows external programs to determine
which namespaces the container was unshared from.
Signed-off-by: Christian Seiler <christian@iwakd.de>
Cc: Daniel Lezcano <daniel.lezcano@free.fr>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Serge Hallyn [Tue, 21 Aug 2012 15:11:23 +0000 (10:11 -0500)]
lxc-create: Make location of container rootfs configurable
Make 'dir' an explicit backing store type, which accepts '--dir rootfs'
as an option to specify a custom location for the container rootfs. Also
update lxc-destroy to now remove the rootfs separately, as removing
@LXCPATH@/$name may not hit it.
Jan Kiszka [Mon, 9 Jul 2012 17:15:48 +0000 (19:15 +0200)]
Add network-down script
Analogously to lxc.network.script.up, add the ability to register a down
script. It is called before the guest network is finally destroyed,
allowing cleanup of resources that are not reset/destroyed
automatically. Parameters of the down script are identical to the up
script except for the execution context "down".
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>