Tycho Andersen [Fri, 26 Aug 2016 20:29:45 +0000 (16:29 -0400)]
c/r: write status only after trying to parse the pid
Previously, we wrote a "success" status but tried to parse the pid. This
meant that we wouldn't notice a successful restore but failure to parse the
pid, which was a little strange.
We still don't know the child pid, so we will end up with a restored
process tree and a running container, but at least in this case the API
will return false indicating that something failed.
We could kill(-1, 9) in this case, but since liblxc runs as root sometimes
(e.g. LXD), that would be a Very Bad Thing.
Tycho Andersen [Fri, 26 Aug 2016 16:07:19 +0000 (16:07 +0000)]
c/r: use /proc/self/tid/children instead of pidfile
All we really needed a unique temp file for was passing the pid. Since CRIU
opened this with O_EXCL | O_CREAT, this was "safe" (users could still
overwrite it afterwards, but the monitor would immediately die since the
only valid number in there was the init process).
In any case, we can just read /proc/self/tid/children, which lists the
child process.
Elan Ruusamäe [Sat, 20 Aug 2016 13:51:04 +0000 (16:51 +0300)]
templates: add PLD Linux support
from pld-linux repo:
https://github.com/pld-linux/lxc/commits/auto/th/lxc-2.0.4-1/lxc-pld.in.sh
https://github.com/pld-linux/lxc/commits/auto/th/lxc-2.0.4-1/lxc-pld.patch
James Cowgill [Mon, 15 Aug 2016 16:09:44 +0000 (16:09 +0000)]
seccomp: Implement MIPS seccomp handling
MIPS processors implement 3 ABIs: o32, n64 and n32 (similar to x32). The kernel
treats each ABI separately so syscalls disallowed on "all" arches should be
added to all three seccomp sets. This is implemented by expanding compat_arch
and compat_ctx to accept two compat architectures.
After this, the MIPS hostarch detection code and config section code is added.
Signed-off-by: James Cowgill <james410@cowgill.org.uk>
This also changes the help exit status of lxc-unshare and lxc-usernsexec. So
far they did exit(EXIT_FAILURE) whereas all other tools do exit(EXIT_SUCCESS).
Let's align them with the rest of the tools. This should be safe to do.
Signed-off-by: Christian Brauner <cbrauner@suse.de>
Stéphane Graber [Wed, 17 Aug 2016 19:42:34 +0000 (15:42 -0400)]
Use full GPG fingerprint instead of long IDs.
With how easy it is to create a collision on a short ID nowadays and
given that the user doesn't actually have to remember or manually enter
the key ID, let's just use the full fingerprint from now on.
- Assume that the module name is "overlay" per default and not "overlayfs".
- Assume that the overlay version we are using requires a workdir.
- When we mount an overlay filesystem and we fail with ENODEV retry once with
the module name we haven't already used.
Signed-off-by: Christian Brauner <cbrauner@suse.de>
So far we accidentally used close() on the original file descriptor. (After
fdopen() the original fd is considered private and should not be used anymore.
The close operations should be performed on the new file handle. We did the
correct thing on error but not on success.) Using close() on the original fd
caused "Text file busy" errors and prevented the cloned tmpfs container from
starting.
Signed-off-by: Christian Brauner <cbrauner@suse.de>
So far we've simply been using RUNTIME_PATH for the privileged and unprivileged
case. We should actually use XDG_RUNTIME_DIR for the unprivileged case.
Signed-off-by: Christian Brauner <cbrauner@suse.de>
When a container c is on a btrfs filesystem but is directory backed, copying
the container will default to snapshot. This is because of
should_default_to_snapshot() returning true in this case because c is on a
btrfs filesystem. We should make sure that should_default_to_snapshot() only
returns true, when c itself is a btrfs subvolume.
Signed-off-by: Christian Brauner <cbrauner@suse.de>
KATOH Yasufumi [Fri, 12 Aug 2016 08:29:55 +0000 (17:29 +0900)]
doc: Update Japanese lxc-attach(1)
* Add undocumented options (-v/--set-var, --keep-var, -f/--rcfile)
* Change order of option in SYNOPSIS (-L that is placed after "command")
* Add long options in SYNOPSIS
KATOH Yasufumi [Fri, 12 Aug 2016 08:04:15 +0000 (17:04 +0900)]
doc: Update lxc-attach(1)
* Add undocumented options (-v/--set-var, --keep-var, -f/--rcfile)
* Change order of option in SYNOPSIS (-L that is placed after "command")
* Add long options in SYNOPSIS
Otherwise a container with a non-standard configuration file
can be started but not attached to.
Fixes the following case:
# lxc-start -n ct -f /different/path/my.config
# lxc-attach -n ct
Error: container ct is not defined
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Add a new logger: syslog and Print the VM name in the logs
To activate it specify lxc.syslog = <afacility>
For now the available facilities are: daemon, local[0-7] others will be
rejected
syslog got only activated after the function that checks for inheritance
of fd is passed in order to make sure the syslog fd is not inherited
and prevent the creation of the fd if any log has been issued during
the checks (which would end up in an infinite loop)
Signed-off-by: Fatih ACAR <fatih.acar@gandi.net>
Signed-off-by: Ahmed Amamou <ahmed@gandi.net>
Signed-off-by: Baptiste Daroussin <bapt@gandi.net>
Signed-off-by: William Dauchy <william@gandi.net>
This fixes a double free corruption on container-requested
reboots when lxc_spawn() fails before receiving the ttys, as
lxc_fini() (part of __lxc_start()'s cleanup) calls
lxc_delete_tty().
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
lxc-checkpoint will fail because process created by lxc-attach has
incorrect cgroup ns. It needs to use "setns" instead of "unshare"
to set cgroup ns.
bdev/bdev.c: In function 'detect_fs':
bdev/bdev.c:686:2: error: implicit declaration of function 'getline' [-Werror=implicit-function-declaration]
while (getline(&line, &linelen, f) != -1) {
^
Signed-off-by: Christian Brauner <cbrauner@suse.de>