Skip to content

L
lxc
Commit c6677625 by Christian Brauner Committed by Stéphane Graber
Options

start, error: improve log + non-functional changes

Improve log and comments in a bunch of places to make it easier for us on bug reports. Signed-off-by: 's avatarChristian Brauner <christian.brauner@canonical.com>
parent 1ba79bfe
Showing with 256 additions and 269 deletions
src/lxc/error.c
...@@ -46,13 +46,12 @@ extern int lxc_error_set_and_log(int pid, int status) ...@@ -46,13 +46,12 @@ extern int lxc_error_set_and_log(int pid, int status)
if (WIFEXITED(status)) { if (WIFEXITED(status)) {
ret = WEXITSTATUS(status); ret = WEXITSTATUS(status);
if (ret) if (ret)
INFO("child <%d> ended on error (%d)", pid, ret); INFO("Child <%d> ended on error (%d).", pid, ret);
} }
if (WIFSIGNALED(status)) { if (WIFSIGNALED(status)) {
int signal = WTERMSIG(status); int signal = WTERMSIG(status);
INFO("Child <%d> ended on signal (%d).", pid, signal);
INFO("child <%d> ended on signal (%d)", pid, signal);
} }
return ret; return ret;
......
src/lxc/start.c
...@@ -108,16 +108,17 @@ static void print_top_failing_dir(const char *path) ...@@ -108,16 +108,17 @@ static void print_top_failing_dir(const char *path)
saved = *p; saved = *p;
*p = '\0'; *p = '\0';
if (access(copy, X_OK)) { if (access(copy, X_OK)) {
SYSERROR("could not access %s. Please grant it 'x' " \ SYSERROR("Could not access %s. Please grant it x "
"access, or add an ACL for the container root.", "access, or add an ACL for the container "
copy); "root.", copy);
return; return;
} }
*p = saved; *p = saved;
} }
} }
static void close_ns(int ns_fd[LXC_NS_MAX]) { static void close_ns(int ns_fd[LXC_NS_MAX])
{
int i; int i;
for (i = 0; i < LXC_NS_MAX; i++) { for (i = 0; i < LXC_NS_MAX; i++) {
...@@ -179,7 +180,7 @@ static int attach_ns(const int ns_fd[LXC_NS_MAX]) { ...@@ -179,7 +180,7 @@ static int attach_ns(const int ns_fd[LXC_NS_MAX]) {
return 0; return 0;
error: error:
SYSERROR("failed to set namespace '%s'", ns_info[i].proc_name); SYSERROR("Failed to attach %s namespace.", ns_info[i].proc_name);
return -1; return -1;
} }
...@@ -188,14 +189,13 @@ static int match_fd(int fd) ...@@ -188,14 +189,13 @@ static int match_fd(int fd)
return (fd == 0 || fd == 1 || fd == 2); return (fd == 0 || fd == 1 || fd == 2);
} }
/* /* Check for any fds we need to close.
* Check for any fds we need to close * - If fd_to_ignore != -1, then if we find that fd open we will ignore it.
* * if fd_to_ignore != -1, then if we find that fd open we will ignore it. * - By default we warn about open fds we find.
* * By default we warn about open fds we find. * - If closeall is true, we will close open fds.
* * If closeall is true, we will close open fds. * - If lxc-start was passed "-C", then conf->close_all_fds will be true, in
* * If lxc-start was passed "-C", then conf->close_all_fds will be true, * which case we also close all open fds.
* in which case we also close all open fds. * - A daemonized container will always pass closeall=true.
* * A daemonized container will always pass closeall=true.
*/ */
int lxc_check_inherited(struct lxc_conf *conf, bool closeall, int fd_to_ignore) int lxc_check_inherited(struct lxc_conf *conf, bool closeall, int fd_to_ignore)
{ {
...@@ -209,7 +209,7 @@ int lxc_check_inherited(struct lxc_conf *conf, bool closeall, int fd_to_ignore) ...@@ -209,7 +209,7 @@ int lxc_check_inherited(struct lxc_conf *conf, bool closeall, int fd_to_ignore)
restart: restart:
dir = opendir("/proc/self/fd"); dir = opendir("/proc/self/fd");
if (!dir) { if (!dir) {
WARN("failed to open directory: %m"); WARN("Failed to open directory: %m.");
return -1; return -1;
} }
...@@ -239,10 +239,10 @@ restart: ...@@ -239,10 +239,10 @@ restart:
if (closeall) { if (closeall) {
close(fd); close(fd);
closedir(dir); closedir(dir);
INFO("closed inherited fd %d", fd); INFO("Closed inherited fd: %d.", fd);
goto restart; goto restart;
} }
WARN("inherited fd %d", fd); WARN("Inherited fd: %d.", fd);
} }
closedir(dir); /* cannot fail */ closedir(dir); /* cannot fail */
...@@ -254,30 +254,30 @@ static int setup_signal_fd(sigset_t *oldmask) ...@@ -254,30 +254,30 @@ static int setup_signal_fd(sigset_t *oldmask)
sigset_t mask; sigset_t mask;
int fd; int fd;
/* Block everything except serious error signals */ /* Block everything except serious error signals. */
if (sigfillset(&mask) || if (sigfillset(&mask) ||
sigdelset(&mask, SIGILL) || sigdelset(&mask, SIGILL) ||
sigdelset(&mask, SIGSEGV) || sigdelset(&mask, SIGSEGV) ||
sigdelset(&mask, SIGBUS) || sigdelset(&mask, SIGBUS) ||
sigdelset(&mask, SIGWINCH) || sigdelset(&mask, SIGWINCH) ||
sigprocmask(SIG_BLOCK, &mask, oldmask)) { sigprocmask(SIG_BLOCK, &mask, oldmask)) {
SYSERROR("failed to set signal mask"); SYSERROR("Failed to set signal mask.");
return -1; return -1;
} }
fd = signalfd(-1, &mask, 0); fd = signalfd(-1, &mask, 0);
if (fd < 0) { if (fd < 0) {
SYSERROR("failed to create the signal fd"); SYSERROR("Failed to create signal file descriptor.");
return -1; return -1;
} }
if (fcntl(fd, F_SETFD, FD_CLOEXEC)) { if (fcntl(fd, F_SETFD, FD_CLOEXEC)) {
SYSERROR("failed to set sigfd to close-on-exec"); SYSERROR("Failed to set FD_CLOEXEC on the signal file descriptor: %d.", fd);
close(fd); close(fd);
return -1; return -1;
} }
DEBUG("sigchild handler set"); DEBUG("Set SIGCHLD handler with file descriptor: %d.", fd);
return fd; return fd;
} }
...@@ -293,43 +293,44 @@ static int signal_handler(int fd, uint32_t events, void *data, ...@@ -293,43 +293,44 @@ static int signal_handler(int fd, uint32_t events, void *data,
ret = read(fd, &siginfo, sizeof(siginfo)); ret = read(fd, &siginfo, sizeof(siginfo));
if (ret < 0) { if (ret < 0) {
ERROR("failed to read signal info"); ERROR("Failed to read signal info from signal file descriptor: %d.", fd);
return -1; return -1;
} }
if (ret != sizeof(siginfo)) { if (ret != sizeof(siginfo)) {
ERROR("unexpected siginfo size"); ERROR("Unexpected size for siginfo struct.");
return -1; return -1;
} }
// check whether init is running /* Check whether init is running. */
info.si_pid = 0; info.si_pid = 0;
ret = waitid(P_PID, *pid, &info, WEXITED | WNOWAIT | WNOHANG); ret = waitid(P_PID, *pid, &info, WEXITED | WNOWAIT | WNOHANG);
if (ret == 0 && info.si_pid == *pid) { if (ret == 0 && info.si_pid == *pid)
init_died = true; init_died = true;
}
if (siginfo.ssi_signo != SIGCHLD) { if (siginfo.ssi_signo != SIGCHLD) {
kill(*pid, siginfo.ssi_signo); kill(*pid, siginfo.ssi_signo);
INFO("forwarded signal %d to pid %d", siginfo.ssi_signo, *pid); INFO("Forwarded signal %d to pid %d.", siginfo.ssi_signo, *pid);
return init_died ? 1 : 0; return init_died ? 1 : 0;
} }
if (siginfo.ssi_code == CLD_STOPPED || if (siginfo.ssi_code == CLD_STOPPED) {
siginfo.ssi_code == CLD_CONTINUED) { INFO("Container init process was stopped.");
INFO("container init process was stopped/continued"); return init_died ? 1 : 0;
} else if (siginfo.ssi_code == CLD_CONTINUED) {
INFO("Container init process was continued.");
return init_died ? 1 : 0; return init_died ? 1 : 0;
} }
/* more robustness, protect ourself from a SIGCHLD sent /* More robustness, protect ourself from a SIGCHLD sent
* by a process different from the container init * by a process different from the container init.
*/ */
if (siginfo.ssi_pid != *pid) { if (siginfo.ssi_pid != *pid) {
WARN("invalid pid for SIGCHLD"); WARN("Invalid pid for SIGCHLD. Received pid %d, expected pid %d.", siginfo.ssi_pid, *pid);
return init_died ? 1 : 0; return init_died ? 1 : 0;
} }
DEBUG("container init process exited"); DEBUG("Container init process %d exited.", *pid);
return 1; return 1;
} }
...@@ -347,33 +348,33 @@ int lxc_poll(const char *name, struct lxc_handler *handler) ...@@ -347,33 +348,33 @@ int lxc_poll(const char *name, struct lxc_handler *handler)
struct lxc_epoll_descr descr; struct lxc_epoll_descr descr;
if (lxc_mainloop_open(&descr)) { if (lxc_mainloop_open(&descr)) {
ERROR("failed to create mainloop"); ERROR("Failed to create LXC mainloop.");
goto out_sigfd; goto out_sigfd;
} }
if (lxc_mainloop_add_handler(&descr, sigfd, signal_handler, &pid)) { if (lxc_mainloop_add_handler(&descr, sigfd, signal_handler, &pid)) {
ERROR("failed to add handler for the signal"); ERROR("Failed to add signal handler with file descriptor %d to LXC mainloop.", sigfd);
goto out_mainloop_open; goto out_mainloop_open;
} }
if (lxc_console_mainloop_add(&descr, handler->conf)) { if (lxc_console_mainloop_add(&descr, handler->conf)) {
ERROR("failed to add console handler to mainloop"); ERROR("Failed to add console handler to LXC mainloop.");
goto out_mainloop_open; goto out_mainloop_open;
} }
if (lxc_cmd_mainloop_add(name, &descr, handler)) { if (lxc_cmd_mainloop_add(name, &descr, handler)) {
ERROR("failed to add command handler to mainloop"); ERROR("Failed to add command handler to LXC mainloop.");
goto out_mainloop_open; goto out_mainloop_open;
} }
if (handler->conf->need_utmp_watch) { if (handler->conf->need_utmp_watch) {
#if HAVE_SYS_CAPABILITY_H #if HAVE_SYS_CAPABILITY_H
if (lxc_utmp_mainloop_add(&descr, handler)) { if (lxc_utmp_mainloop_add(&descr, handler)) {
ERROR("failed to add utmp handler to mainloop"); ERROR("Failed to add utmp handler to LXC mainloop.");
goto out_mainloop_open; goto out_mainloop_open;
} }
#else #else
DEBUG("not starting utmp handler as cap_sys_boot cannot be dropped without capabilities support"); DEBUG("Not starting utmp handler as CAP_SYS_BOOT cannot be dropped without capabilities support.");
#endif #endif
} }
...@@ -381,8 +382,10 @@ int lxc_poll(const char *name, struct lxc_handler *handler) ...@@ -381,8 +382,10 @@ int lxc_poll(const char *name, struct lxc_handler *handler)
out_mainloop_open: out_mainloop_open:
lxc_mainloop_close(&descr); lxc_mainloop_close(&descr);
out_sigfd: out_sigfd:
close(sigfd); close(sigfd);
return -1; return -1;
} }
...@@ -409,7 +412,7 @@ struct lxc_handler *lxc_init(const char *name, struct lxc_conf *conf, const char ...@@ -409,7 +412,7 @@ struct lxc_handler *lxc_init(const char *name, struct lxc_conf *conf, const char
handler->name = strdup(name); handler->name = strdup(name);
if (!handler->name) { if (!handler->name) {
ERROR("failed to allocate memory"); ERROR("Failed to allocate memory.");
goto out_free; goto out_free;
} }
...@@ -417,66 +420,66 @@ struct lxc_handler *lxc_init(const char *name, struct lxc_conf *conf, const char ...@@ -417,66 +420,66 @@ struct lxc_handler *lxc_init(const char *name, struct lxc_conf *conf, const char
goto out_free_name; goto out_free_name;
if (lxc_read_seccomp_config(conf) != 0) { if (lxc_read_seccomp_config(conf) != 0) {
ERROR("failed loading seccomp policy"); ERROR("Failed loading seccomp policy.");
goto out_close_maincmd_fd; goto out_close_maincmd_fd;
} }
/* Begin by setting the state to STARTING */ /* Begin by setting the state to STARTING. */
if (lxc_set_state(name, handler, STARTING)) { if (lxc_set_state(name, handler, STARTING)) {
ERROR("failed to set state '%s'", lxc_state2str(STARTING)); ERROR("Failed to set state for container \"%s\" to \"%s\".", name, lxc_state2str(STARTING));
goto out_close_maincmd_fd; goto out_close_maincmd_fd;
} }
/* Start of environment variable setup for hooks */ /* Start of environment variable setup for hooks. */
if (name && setenv("LXC_NAME", name, 1)) { if (name && setenv("LXC_NAME", name, 1))
SYSERROR("failed to set environment variable for container name"); SYSERROR("Failed to set environment variable: LXC_NAME=%s.", name);
}
if (conf->rcfile && setenv("LXC_CONFIG_FILE", conf->rcfile, 1)) { if (conf->rcfile && setenv("LXC_CONFIG_FILE", conf->rcfile, 1))
SYSERROR("failed to set environment variable for config path"); SYSERROR("Failed to set environment variable: LXC_CONFIG_FILE=%s.", conf->rcfile);
}
if (conf->rootfs.mount && setenv("LXC_ROOTFS_MOUNT", conf->rootfs.mount, 1)) { if (conf->rootfs.mount && setenv("LXC_ROOTFS_MOUNT", conf->rootfs.mount, 1))
SYSERROR("failed to set environment variable for rootfs mount"); SYSERROR("Failed to set environment variable: LXC_ROOTFS_MOUNT=%s.", conf->rootfs.mount);
}
if (conf->rootfs.path && setenv("LXC_ROOTFS_PATH", conf->rootfs.path, 1)) { if (conf->rootfs.path && setenv("LXC_ROOTFS_PATH", conf->rootfs.path, 1))
SYSERROR("failed to set environment variable for rootfs mount"); SYSERROR("Failed to set environment variable: LXC_ROOTFS_PATH=%s.", conf->rootfs.path);
}
if (conf->console.path && setenv("LXC_CONSOLE", conf->console.path, 1)) { if (conf->console.path && setenv("LXC_CONSOLE", conf->console.path, 1))
SYSERROR("failed to set environment variable for console path"); SYSERROR("Failed to set environment variable: LXC_CONSOLE=%s.", conf->console.path);
}
if (conf->console.log_path && setenv("LXC_CONSOLE_LOGPATH", conf->console.log_path, 1)) { if (conf->console.log_path && setenv("LXC_CONSOLE_LOGPATH", conf->console.log_path, 1))
SYSERROR("failed to set environment variable for console log"); SYSERROR("Failed to set environment variable: LXC_CONSOLE_LOGPATH=%s.", conf->console.log_path);
}
if (setenv("LXC_CGNS_AWARE", "1", 1)) { if (setenv("LXC_CGNS_AWARE", "1", 1))
SYSERROR("failed to set LXC_CGNS_AWARE environment variable"); SYSERROR("Failed to set environment variable LXC_CGNS_AWARE=1.");
} /* End of environment variable setup for hooks. */
/* End of environment variable setup for hooks */
if (run_lxc_hooks(name, "pre-start", conf, handler->lxcpath, NULL)) { if (run_lxc_hooks(name, "pre-start", conf, handler->lxcpath, NULL)) {
ERROR("failed to run pre-start hooks for container '%s'.", name); ERROR("Failed to run lxc.hook.pre-start for container \"%s\".", name);
goto out_aborting; goto out_aborting;
} }
/* the signal fd has to be created before forking otherwise /* The signal fd has to be created before forking otherwise if the child
* if the child process exits before we setup the signal fd, * process exits before we setup the signal fd, the event will be lost
* the event will be lost and the command will be stuck */ * and the command will be stuck.
*/
handler->sigfd = setup_signal_fd(&handler->oldmask); handler->sigfd = setup_signal_fd(&handler->oldmask);
if (handler->sigfd < 0) { if (handler->sigfd < 0) {
ERROR("failed to set sigchild fd handler"); ERROR("Failed to setup SIGCHLD fd handler.");
goto out_delete_tty; goto out_delete_tty;
} }
/* do this after setting up signals since it might unblock SIGWINCH */ /* Do this after setting up signals since it might unblock SIGWINCH. */
if (lxc_console_create(conf)) { if (lxc_console_create(conf)) {
ERROR("failed to create console"); ERROR("Failed to create console for container \"%s\".", name);
goto out_restore_sigmask; goto out_restore_sigmask;
} }
if (ttys_shift_ids(conf) < 0) { if (ttys_shift_ids(conf) < 0) {
ERROR("Failed to shift tty into container"); ERROR("Failed to shift tty into container.");
goto out_restore_sigmask; goto out_restore_sigmask;
} }
INFO("'%s' is initialized", name); INFO("Container \"%s\" is initialized.", name);
return handler; return handler;
out_restore_sigmask: out_restore_sigmask:
...@@ -503,8 +506,8 @@ void lxc_fini(const char *name, struct lxc_handler *handler) ...@@ -503,8 +506,8 @@ void lxc_fini(const char *name, struct lxc_handler *handler)
char *namespaces[LXC_NS_MAX+1]; char *namespaces[LXC_NS_MAX+1];
size_t namespace_count = 0; size_t namespace_count = 0;
/* The STOPPING state is there for future cleanup code /* The STOPPING state is there for future cleanup code which can take
* which can take awhile * awhile.
*/ */
lxc_set_state(name, handler, STOPPING); lxc_set_state(name, handler, STOPPING);
...@@ -513,7 +516,7 @@ void lxc_fini(const char *name, struct lxc_handler *handler) ...@@ -513,7 +516,7 @@ void lxc_fini(const char *name, struct lxc_handler *handler)
rc = asprintf(&namespaces[namespace_count], "%s:/proc/%d/fd/%d", rc = asprintf(&namespaces[namespace_count], "%s:/proc/%d/fd/%d",
ns_info[i].proc_name, self, handler->nsfd[i]); ns_info[i].proc_name, self, handler->nsfd[i]);
if (rc == -1) { if (rc == -1) {
SYSERROR("failed to allocate memory"); SYSERROR("Failed to allocate memory.");
break; break;
} }
++namespace_count; ++namespace_count;
...@@ -521,15 +524,14 @@ void lxc_fini(const char *name, struct lxc_handler *handler) ...@@ -521,15 +524,14 @@ void lxc_fini(const char *name, struct lxc_handler *handler)
} }
namespaces[namespace_count] = NULL; namespaces[namespace_count] = NULL;
if (handler->conf->reboot && setenv("LXC_TARGET", "reboot", 1)) { if (handler->conf->reboot && setenv("LXC_TARGET", "reboot", 1))
SYSERROR("failed to set environment variable for stop target"); SYSERROR("Failed to set environment variable: LXC_TARGET=reboot.");
}
if (!handler->conf->reboot && setenv("LXC_TARGET", "stop", 1)) { if (!handler->conf->reboot && setenv("LXC_TARGET", "stop", 1))
SYSERROR("failed to set environment variable for stop target"); SYSERROR("Failed to set environment variable: LXC_TARGET=stop.");
}
if (run_lxc_hooks(name, "stop", handler->conf, handler->lxcpath, namespaces)) if (run_lxc_hooks(name, "stop", handler->conf, handler->lxcpath, namespaces))
ERROR("failed to run stop hooks for container '%s'.", name); ERROR("Failed to run lxc.hook.stop for container \"%s\".", name);
while (namespace_count--) while (namespace_count--)
free(namespaces[namespace_count]); free(namespaces[namespace_count]);
...@@ -548,17 +550,18 @@ void lxc_fini(const char *name, struct lxc_handler *handler) ...@@ -548,17 +550,18 @@ void lxc_fini(const char *name, struct lxc_handler *handler)
lxc_set_state(name, handler, STOPPED); lxc_set_state(name, handler, STOPPED);
if (run_lxc_hooks(name, "post-stop", handler->conf, handler->lxcpath, NULL)) { if (run_lxc_hooks(name, "post-stop", handler->conf, handler->lxcpath, NULL)) {
ERROR("failed to run post-stop hooks for container '%s'.", name); ERROR("Failed to run lxc.hook.post-stop for container \"%s\".", name);
if (handler->conf->reboot) { if (handler->conf->reboot) {
WARN("Container will be stopped instead of rebooted."); WARN("Container will be stopped instead of rebooted.");
handler->conf->reboot = 0; handler->conf->reboot = 0;
setenv("LXC_TARGET", "stop", 1); if (setenv("LXC_TARGET", "stop", 1))
WARN("Failed to set environment variable: LXC_TARGET=stop.");
} }
} }
/* reset mask set by setup_signal_fd */ /* Reset mask set by setup_signal_fd. */
if (sigprocmask(SIG_SETMASK, &handler->oldmask, NULL)) if (sigprocmask(SIG_SETMASK, &handler->oldmask, NULL))
WARN("failed to restore sigprocmask"); WARN("Failed to restore signal mask.");
lxc_console_delete(&handler->conf->console); lxc_console_delete(&handler->conf->console);
lxc_delete_tty(&handler->conf->tty_info); lxc_delete_tty(&handler->conf->tty_info);
...@@ -584,16 +587,17 @@ void lxc_abort(const char *name, struct lxc_handler *handler) ...@@ -584,16 +587,17 @@ void lxc_abort(const char *name, struct lxc_handler *handler)
lxc_set_state(name, handler, ABORTING); lxc_set_state(name, handler, ABORTING);
if (handler->pid > 0) if (handler->pid > 0)
kill(handler->pid, SIGKILL); kill(handler->pid, SIGKILL);
while ((ret = waitpid(-1, &status, 0)) > 0) ; while ((ret = waitpid(-1, &status, 0)) > 0) {
;
}
} }
#include <sys/reboot.h> #include <sys/reboot.h>
#include <linux/reboot.h> #include <linux/reboot.h>
/* /* reboot(LINUX_REBOOT_CMD_CAD_ON) will return -EINVAL in a child pid namespace
* reboot(LINUX_REBOOT_CMD_CAD_ON) will return -EINVAL * if container reboot support exists. Otherwise, it will either succeed or
* in a child pid namespace if container reboot support exists. * return -EPERM.
* Otherwise, it will either succeed or return -EPERM.
*/ */
static int container_reboot_supported(void *arg) static int container_reboot_supported(void *arg)
{ {
...@@ -624,7 +628,7 @@ static int must_drop_cap_sys_boot(struct lxc_conf *conf) ...@@ -624,7 +628,7 @@ static int must_drop_cap_sys_boot(struct lxc_conf *conf)
ret = fscanf(f, "%d", &v); ret = fscanf(f, "%d", &v);
fclose(f); fclose(f);
if (ret != 1) { if (ret != 1) {
DEBUG("Failed to read /proc/sys/kernel/ctrl-alt-del"); DEBUG("Failed to read /proc/sys/kernel/ctrl-alt-del.");
return 1; return 1;
} }
cmd = v ? LINUX_REBOOT_CMD_CAD_ON : LINUX_REBOOT_CMD_CAD_OFF; cmd = v ? LINUX_REBOOT_CMD_CAD_ON : LINUX_REBOOT_CMD_CAD_OFF;
...@@ -641,13 +645,13 @@ static int must_drop_cap_sys_boot(struct lxc_conf *conf) ...@@ -641,13 +645,13 @@ static int must_drop_cap_sys_boot(struct lxc_conf *conf)
#endif #endif
if (pid < 0) { if (pid < 0) {
if (flags & CLONE_NEWUSER) if (flags & CLONE_NEWUSER)
ERROR("failed to clone (%#x): %s (includes CLONE_NEWUSER)", flags, strerror(errno)); ERROR("Failed to clone (%#x): %s (includes CLONE_NEWUSER).", flags, strerror(errno));
else else
ERROR("failed to clone (%#x): %s", flags, strerror(errno)); ERROR("Failed to clone (%#x): %s.", flags, strerror(errno));
return -1; return -1;
} }
if (wait(&status) < 0) { if (wait(&status) < 0) {
SYSERROR("unexpected wait error: %m"); SYSERROR("Unexpected wait error: %m.");
return -1; return -1;
} }
...@@ -657,9 +661,8 @@ static int must_drop_cap_sys_boot(struct lxc_conf *conf) ...@@ -657,9 +661,8 @@ static int must_drop_cap_sys_boot(struct lxc_conf *conf)
return 0; return 0;
} }
/* /* netpipe is used in the unprivileged case to transfer the ifindexes from
* netpipe is used in the unprivileged case to transfer the ifindexes * parent to child
* from parent to child
*/ */
static int netpipe = -1; static int netpipe = -1;
...@@ -690,7 +693,7 @@ static int read_unpriv_netifindex(struct lxc_list *network) ...@@ -690,7 +693,7 @@ static int read_unpriv_netifindex(struct lxc_list *network)
if (netdev->type != LXC_NET_VETH) if (netdev->type != LXC_NET_VETH)
continue; continue;
if (!(netdev->name = malloc(IFNAMSIZ))) { if (!(netdev->name = malloc(IFNAMSIZ))) {
ERROR("Out of memory"); ERROR("Out of memory.");
close(netpipe); close(netpipe);
return -1; return -1;
} }
...@@ -711,24 +714,24 @@ static int do_start(void *data) ...@@ -711,24 +714,24 @@ static int do_start(void *data)
char path[PATH_MAX]; char path[PATH_MAX];
if (sigprocmask(SIG_SETMASK, &handler->oldmask, NULL)) { if (sigprocmask(SIG_SETMASK, &handler->oldmask, NULL)) {
SYSERROR("failed to set sigprocmask"); SYSERROR("Failed to set signal mask.");
return -1; return -1;
} }
/* This prctl must be before the synchro, so if the parent /* This prctl must be before the synchro, so if the parent dies before
* dies before we set the parent death signal, we will detect * we set the parent death signal, we will detect its death with the
* its death with the synchro right after, otherwise we have * synchro right after, otherwise we have a window where the parent can
* a window where the parent can exit before we set the pdeath * exit before we set the pdeath signal leading to a unsupervized
* signal leading to a unsupervized container. * container.
*/ */
if (prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0)) { if (prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0)) {
SYSERROR("failed to set pdeath signal"); SYSERROR("Failed to set PR_SET_PDEATHSIG to SIGKILL.");
return -1; return -1;
} }
lxc_sync_fini_parent(handler); lxc_sync_fini_parent(handler);
/* don't leak the pinfd to the container */ /* Don't leak the pinfd to the container. */
if (handler->pinfd >= 0) { if (handler->pinfd >= 0) {
close(handler->pinfd); close(handler->pinfd);
} }
...@@ -736,21 +739,21 @@ static int do_start(void *data) ...@@ -736,21 +739,21 @@ static int do_start(void *data)
if (lxc_sync_wait_parent(handler, LXC_SYNC_STARTUP)) if (lxc_sync_wait_parent(handler, LXC_SYNC_STARTUP))
return -1; return -1;
/* Unshare CLONE_NEWNET after CLONE_NEWUSER - see /* Unshare CLONE_NEWNET after CLONE_NEWUSER. See
https://github.com/lxc/lxd/issues/1978 */ * https://github.com/lxc/lxd/issues/1978.
*/
if ((handler->clone_flags & (CLONE_NEWNET | CLONE_NEWUSER)) == if ((handler->clone_flags & (CLONE_NEWNET | CLONE_NEWUSER)) ==
(CLONE_NEWNET | CLONE_NEWUSER)) { (CLONE_NEWNET | CLONE_NEWUSER)) {
ret = unshare(CLONE_NEWNET); ret = unshare(CLONE_NEWNET);
if (ret < 0) { if (ret < 0) {
SYSERROR("Error unsharing network namespace"); SYSERROR("Failed to unshare CLONE_NEWNET.");
goto out_warn_father; goto out_warn_father;
} else {
INFO("Unshared NET namespace.");
} }
INFO("Unshared CLONE_NEWNET.");
} }
/* Tell the parent task it can begin to configure the /* Tell the parent task it can begin to configure the container and wait
* container and wait for it to finish * for it to finish.
*/ */
if (lxc_sync_barrier_parent(handler, LXC_SYNC_CONFIGURE)) if (lxc_sync_barrier_parent(handler, LXC_SYNC_CONFIGURE))
return -1; return -1;
...@@ -758,11 +761,10 @@ static int do_start(void *data) ...@@ -758,11 +761,10 @@ static int do_start(void *data)
if (read_unpriv_netifindex(&handler->conf->network) < 0) if (read_unpriv_netifindex(&handler->conf->network) < 0)
goto out_warn_father; goto out_warn_father;
/* /* If we are in a new user namespace, become root there to have
* if we are in a new user namespace, become root there to have * privilege over our namespace. When using lxc-execute we default to
* privilege over our namespace. When using lxc-execute we default to root, * root, but this can be overriden using the lxc.init_uid and
* but this can be overriden using the lxc.init_uid and lxc.init_gid * lxc.init_gid configuration options.
* configuration options.
*/ */
if (!lxc_list_empty(&handler->conf->id_map)) { if (!lxc_list_empty(&handler->conf->id_map)) {
gid_t new_gid = 0; gid_t new_gid = 0;
...@@ -773,17 +775,17 @@ static int do_start(void *data) ...@@ -773,17 +775,17 @@ static int do_start(void *data)
if (handler->conf->is_execute && handler->conf->init_uid) if (handler->conf->is_execute && handler->conf->init_uid)
new_uid = handler->conf->init_uid; new_uid = handler->conf->init_uid;
NOTICE("switching to gid/uid %d/%d in new user namespace", new_gid, new_uid); NOTICE("Switching to uid=%d and gid=%d in new user namespace.", new_uid, new_gid);
if (setgid(new_gid)) { if (setgid(new_gid)) {
SYSERROR("setgid"); SYSERROR("Failed to setgid().");
goto out_warn_father; goto out_warn_father;
} }
if (setuid(new_uid)) { if (setuid(new_uid)) {
SYSERROR("setuid"); SYSERROR("Failed to setuid().");
goto out_warn_father; goto out_warn_father;
} }
if (setgroups(0, NULL)) { if (setgroups(0, NULL)) {
SYSERROR("setgroups"); SYSERROR("Failed to setgroups().");
goto out_warn_father; goto out_warn_father;
} }
} }
...@@ -796,18 +798,16 @@ static int do_start(void *data) ...@@ -796,18 +798,16 @@ static int do_start(void *data)
#if HAVE_SYS_CAPABILITY_H #if HAVE_SYS_CAPABILITY_H
if (handler->conf->need_utmp_watch) { if (handler->conf->need_utmp_watch) {
if (prctl(PR_CAPBSET_DROP, CAP_SYS_BOOT, 0, 0, 0)) { if (prctl(PR_CAPBSET_DROP, CAP_SYS_BOOT, 0, 0, 0)) {
SYSERROR("failed to remove CAP_SYS_BOOT capability"); SYSERROR("Failed to remove the CAP_SYS_BOOT capability.");
goto out_warn_father; goto out_warn_father;
} }
DEBUG("Dropped cap_sys_boot"); DEBUG("Dropped the CAP_SYS_BOOT capability.");
} }
#endif #endif
ret = snprintf(path, sizeof(path), "%s/dev/null", handler->conf->rootfs.mount); ret = snprintf(path, sizeof(path), "%s/dev/null", handler->conf->rootfs.mount);
if (ret < 0 || ret >= sizeof(path)) { if (ret < 0 || ret >= sizeof(path))
SYSERROR("sprintf'd too many chars");
goto out_warn_father; goto out_warn_father;
}
/* In order to checkpoint restore, we need to have everything in the /* In order to checkpoint restore, we need to have everything in the
* same mount namespace. However, some containers may not have a * same mount namespace. However, some containers may not have a
...@@ -824,16 +824,17 @@ static int do_start(void *data) ...@@ -824,16 +824,17 @@ static int do_start(void *data)
if (devnull_fd < 0) if (devnull_fd < 0)
goto out_warn_father; goto out_warn_father;
WARN("using host's /dev/null for container init's std fds, migraiton won't work"); WARN("Using /dev/null from the host for container init's "
"standard file descriptors. Migration will not work.");
} }
/* Setup the container, ip, names, utsname, ... */ /* Setup the container, ip, names, utsname, ... */
if (lxc_setup(handler)) { if (lxc_setup(handler)) {
ERROR("failed to setup the container"); ERROR("Failed to setup container \"%s\".", handler->name);
goto out_warn_father; goto out_warn_father;
} }
/* ask father to setup cgroups and wait for him to finish */ /* Ask father to setup cgroups and wait for him to finish. */
if (lxc_sync_barrier_parent(handler, LXC_SYNC_CGROUP)) if (lxc_sync_barrier_parent(handler, LXC_SYNC_CGROUP))
goto out_error; goto out_error;
...@@ -857,55 +858,55 @@ static int do_start(void *data) ...@@ -857,55 +858,55 @@ static int do_start(void *data)
INFO("Unshared CLONE_NEWCGROUP."); INFO("Unshared CLONE_NEWCGROUP.");
} }
/* Set the label to change to when we exec(2) the container's init */ /* Set the label to change to when we exec(2) the container's init. */
if (lsm_process_label_set(NULL, handler->conf, 1, 1) < 0) if (lsm_process_label_set(NULL, handler->conf, 1, 1) < 0)
goto out_warn_father; goto out_warn_father;
/* Some init's such as busybox will set sane tty settings on stdin, /* Some init's such as busybox will set sane tty settings on stdin,
* stdout, stderr which it thinks is the console. We already set them * stdout, stderr which it thinks is the console. We already set them
* the way we wanted on the real terminal, and we want init to do its * the way we wanted on the real terminal, and we want init to do its
* setup on its console ie. the pty allocated in lxc_console_create() * setup on its console ie. the pty allocated in lxc_console_create() so
* so make sure that that pty is stdin,stdout,stderr. * make sure that that pty is stdin,stdout,stderr.
*/ */
if (lxc_console_set_stdfds(handler->conf->console.slave) < 0) if (lxc_console_set_stdfds(handler->conf->console.slave) < 0)
goto out_warn_father; goto out_warn_father;
/* If we mounted a temporary proc, then unmount it now */ /* If we mounted a temporary proc, then unmount it now. */
tmp_proc_unmount(handler->conf); tmp_proc_unmount(handler->conf);
if (lxc_seccomp_load(handler->conf) != 0) if (lxc_seccomp_load(handler->conf) != 0)
goto out_warn_father; goto out_warn_father;
if (run_lxc_hooks(handler->name, "start", handler->conf, handler->lxcpath, NULL)) { if (run_lxc_hooks(handler->name, "start", handler->conf, handler->lxcpath, NULL)) {
ERROR("failed to run start hooks for container '%s'.", handler->name); ERROR("Failed to run lxc.hook.start for container \"%s\".", handler->name);
goto out_warn_father; goto out_warn_father;
} }
/* The clearenv() and putenv() calls have been moved here /* The clearenv() and putenv() calls have been moved here to allow us to
* to allow us to use environment variables passed to the various * use environment variables passed to the various hooks, such as the
* hooks, such as the start hook above. Not all of the * start hook above. Not all of the variables like CONFIG_PATH or ROOTFS
* variables like CONFIG_PATH or ROOTFS are valid in this * are valid in this context but others are.
* context but others are. */ */
if (clearenv()) { if (clearenv()) {
SYSERROR("failed to clear environment"); SYSERROR("Failed to clear environment.");
/* don't error out though */ /* Don't error out though. */
} }
lxc_list_for_each(iterator, &handler->conf->environment) { lxc_list_for_each(iterator, &handler->conf->environment) {
if (putenv((char *)iterator->elem)) { if (putenv((char *)iterator->elem)) {
SYSERROR("failed to set environment variable '%s'", (char *)iterator->elem); SYSERROR("Failed to set environment variable: %s.", (char *)iterator->elem);
goto out_warn_father; goto out_warn_father;
} }
} }
if (putenv("container=lxc")) { if (putenv("container=lxc")) {
SYSERROR("failed to set environment variable 'container=lxc'"); SYSERROR("Failed to set environment variable: container=lxc.");
goto out_warn_father; goto out_warn_father;
} }
if (handler->conf->pty_names) { if (handler->conf->pty_names) {
if (putenv(handler->conf->pty_names)) { if (putenv(handler->conf->pty_names)) {
SYSERROR("failed to set environment variable for container ptys"); SYSERROR("Failed to set environment variable for container ptys.");
goto out_warn_father; goto out_warn_father;
} }
} }
...@@ -929,13 +930,15 @@ static int do_start(void *data) ...@@ -929,13 +930,15 @@ static int do_start(void *data)
setsid(); setsid();
/* after this call, we are in error because this /* After this call, we are in error because this ops should not return
* ops should not return as it execs */ * as it execs.
*/
handler->ops->start(handler, handler->data); handler->ops->start(handler, handler->data);
out_warn_father: out_warn_father:
/* we want the parent to know something went wrong, so we return a special /* We want the parent to know something went wrong, so we return a
* error code. */ * special error code.
*/
lxc_sync_wake_parent(handler, LXC_SYNC_ERROR); lxc_sync_wake_parent(handler, LXC_SYNC_ERROR);
out_error: out_error:
...@@ -960,17 +963,13 @@ static int save_phys_nics(struct lxc_conf *conf) ...@@ -960,17 +963,13 @@ static int save_phys_nics(struct lxc_conf *conf)
continue; continue;
conf->saved_nics = realloc(conf->saved_nics, conf->saved_nics = realloc(conf->saved_nics,
(conf->num_savednics+1)*sizeof(struct saved_nic)); (conf->num_savednics+1)*sizeof(struct saved_nic));
if (!conf->saved_nics) { if (!conf->saved_nics)
SYSERROR("failed to allocate memory");
return -1; return -1;
}
conf->saved_nics[conf->num_savednics].ifindex = netdev->ifindex; conf->saved_nics[conf->num_savednics].ifindex = netdev->ifindex;
conf->saved_nics[conf->num_savednics].orig_name = strdup(netdev->link); conf->saved_nics[conf->num_savednics].orig_name = strdup(netdev->link);
if (!conf->saved_nics[conf->num_savednics].orig_name) { if (!conf->saved_nics[conf->num_savednics].orig_name)
SYSERROR("failed to allocate memory");
return -1; return -1;
} INFO("Stored saved_nic #%d idx %d name %s.", conf->num_savednics,
INFO("stored saved_nic #%d idx %d name %s", conf->num_savednics,
conf->saved_nics[conf->num_savednics].ifindex, conf->saved_nics[conf->num_savednics].ifindex,
conf->saved_nics[conf->num_savednics].orig_name); conf->saved_nics[conf->num_savednics].orig_name);
conf->num_savednics++; conf->num_savednics++;
...@@ -982,7 +981,7 @@ static int save_phys_nics(struct lxc_conf *conf) ...@@ -982,7 +981,7 @@ static int save_phys_nics(struct lxc_conf *conf)
static int recv_fd(int sock, int *fd) static int recv_fd(int sock, int *fd)
{ {
if (lxc_abstract_unix_recv_fd(sock, fd, NULL, 0) < 0) { if (lxc_abstract_unix_recv_fd(sock, fd, NULL, 0) < 0) {
SYSERROR("Error receiving tty fd from child"); SYSERROR("Error receiving tty file descriptor from child process.");
return -1; return -1;
} }
if (*fd == -1) if (*fd == -1)
...@@ -999,18 +998,16 @@ static int recv_ttys_from_child(struct lxc_handler *handler) ...@@ -999,18 +998,16 @@ static int recv_ttys_from_child(struct lxc_handler *handler)
if (!conf->tty) if (!conf->tty)
return 0; return 0;
tty_info->pty_info = malloc(sizeof(*tty_info->pty_info)*conf->tty); tty_info->pty_info = malloc(sizeof(*tty_info->pty_info) * conf->tty);
if (!tty_info->pty_info) { if (!tty_info->pty_info)
SYSERROR("failed to allocate pty_info");
return -1; return -1;
}
for (i = 0; i < conf->tty; i++) { for (i = 0; i < conf->tty; i++) {
struct lxc_pty_info *pty_info = &tty_info->pty_info[i]; struct lxc_pty_info *pty_info = &tty_info->pty_info[i];
pty_info->busy = 0; pty_info->busy = 0;
if (recv_fd(sock, &pty_info->slave) < 0 || if (recv_fd(sock, &pty_info->slave) < 0 ||
recv_fd(sock, &pty_info->master) < 0) { recv_fd(sock, &pty_info->master) < 0) {
ERROR("Error receiving tty info from child"); ERROR("Error receiving tty info from child process.");
return -1; return -1;
} }
} }
...@@ -1022,36 +1019,26 @@ static int recv_ttys_from_child(struct lxc_handler *handler) ...@@ -1022,36 +1019,26 @@ static int recv_ttys_from_child(struct lxc_handler *handler)
void resolve_clone_flags(struct lxc_handler *handler) void resolve_clone_flags(struct lxc_handler *handler)
{ {
handler->clone_flags = CLONE_NEWPID | CLONE_NEWNS; handler->clone_flags = CLONE_NEWPID | CLONE_NEWNS;
INFO("Adding CLONE_NEWPID to clone flags.");
INFO("Adding CLONE_NEWNS to clone flags.");
if (!lxc_list_empty(&handler->conf->id_map)) { if (!lxc_list_empty(&handler->conf->id_map))
INFO("Adding CLONE_NEWUSER to clone flags.");
handler->clone_flags |= CLONE_NEWUSER; handler->clone_flags |= CLONE_NEWUSER;
}
if (handler->conf->inherit_ns_fd[LXC_NS_NET] == -1) { if (handler->conf->inherit_ns_fd[LXC_NS_NET] == -1) {
if (!lxc_requests_empty_network(handler)) { if (!lxc_requests_empty_network(handler))
INFO("Adding CLONE_NEWNET to clone flags.");
handler->clone_flags |= CLONE_NEWNET; handler->clone_flags |= CLONE_NEWNET;
}
} else { } else {
INFO("Inheriting a NET namespace."); INFO("Inheriting a NET namespace.");
} }
if (handler->conf->inherit_ns_fd[LXC_NS_IPC] == -1) { if (handler->conf->inherit_ns_fd[LXC_NS_IPC] == -1)
INFO("Adding CLONE_NEWIPC to clone flags.");
handler->clone_flags |= CLONE_NEWIPC; handler->clone_flags |= CLONE_NEWIPC;
} else { else
INFO("Inheriting an IPC namespace."); INFO("Inheriting an IPC namespace.");
}
if (handler->conf->inherit_ns_fd[LXC_NS_UTS] == -1) { if (handler->conf->inherit_ns_fd[LXC_NS_UTS] == -1)
INFO("Adding CLONE_NEWUTS to clone flags.");
handler->clone_flags |= CLONE_NEWUTS; handler->clone_flags |= CLONE_NEWUTS;
} else { else
INFO("Inheriting a UTS namespace."); INFO("Inheriting a UTS namespace.");
}
} }
static int lxc_spawn(struct lxc_handler *handler) static int lxc_spawn(struct lxc_handler *handler)
...@@ -1085,51 +1072,50 @@ static int lxc_spawn(struct lxc_handler *handler) ...@@ -1085,51 +1072,50 @@ static int lxc_spawn(struct lxc_handler *handler)
/* Find gateway addresses from the link device, which is /* Find gateway addresses from the link device, which is
* no longer accessible inside the container. Do this * no longer accessible inside the container. Do this
* before creating network interfaces, since goto * before creating network interfaces, since goto
* out_delete_net does not work before lxc_clone. */ * out_delete_net does not work before lxc_clone.
*/
if (lxc_find_gateway_addresses(handler)) { if (lxc_find_gateway_addresses(handler)) {
ERROR("failed to find gateway addresses"); ERROR("Failed to find gateway addresses.");
lxc_sync_fini(handler); lxc_sync_fini(handler);
return -1; return -1;
} }
/* that should be done before the clone because we will /* That should be done before the clone because we will
* fill the netdev index and use them in the child * fill the netdev index and use them in the child.
*/ */
if (lxc_create_network(handler)) { if (lxc_create_network(handler)) {
ERROR("failed to create the network"); ERROR("Failed to create the network.");
lxc_sync_fini(handler); lxc_sync_fini(handler);
return -1; return -1;
} }
} }
if (save_phys_nics(handler->conf)) { if (save_phys_nics(handler->conf)) {
ERROR("failed to save physical nic info"); ERROR("Failed to save physical nic info.");
goto out_abort; goto out_abort;
} }
} }
if (!cgroup_init(handler)) { if (!cgroup_init(handler)) {
ERROR("failed initializing cgroup support"); ERROR("Failed initializing cgroup support.");
goto out_delete_net; goto out_delete_net;
} }
cgroups_connected = true; cgroups_connected = true;
if (!cgroup_create(handler)) { if (!cgroup_create(handler)) {
ERROR("failed creating cgroups"); ERROR("Failed creating cgroups.");
goto out_delete_net; goto out_delete_net;
} }
/* /* If the rootfs is not a blockdev, prevent the container from marking
* if the rootfs is not a blockdev, prevent the container from * it readonly.
* marking it readonly. * If the container is unprivileged then skip rootfs pinning.
*
* if the container is unprivileged then skip rootfs pinning
*/ */
if (lxc_list_empty(&handler->conf->id_map)) { if (lxc_list_empty(&handler->conf->id_map)) {
handler->pinfd = pin_rootfs(handler->conf->rootfs.path); handler->pinfd = pin_rootfs(handler->conf->rootfs.path);
if (handler->pinfd == -1) if (handler->pinfd == -1)
INFO("failed to pin the container's rootfs"); INFO("Failed to pin the rootfs for container \"%s\".", handler->name);
} }
if (!preserve_ns(saved_ns_fd, preserve_mask, getpid())) if (!preserve_ns(saved_ns_fd, preserve_mask, getpid()))
...@@ -1140,40 +1126,46 @@ static int lxc_spawn(struct lxc_handler *handler) ...@@ -1140,40 +1126,46 @@ static int lxc_spawn(struct lxc_handler *handler)
if (am_unpriv() && (nveths = count_veths(&handler->conf->network))) { if (am_unpriv() && (nveths = count_veths(&handler->conf->network))) {
if (pipe(netpipepair) < 0) { if (pipe(netpipepair) < 0) {
SYSERROR("Error creating pipe"); SYSERROR("Failed to create pipe.");
goto out_delete_net; goto out_delete_net;
} }
/* store netpipe in the global var for do_start's use */ /* Store netpipe in the global var for do_start's use. */
netpipe = netpipepair[0]; netpipe = netpipepair[0];
} }
/* Create a process in a new set of namespaces */ /* Create a process in a new set of namespaces. */
flags = handler->clone_flags; flags = handler->clone_flags;
if (handler->clone_flags & CLONE_NEWUSER) if (handler->clone_flags & CLONE_NEWUSER) {
/* If CLONE_NEWUSER and CLONE_NEWNET was requested, we need to
* clone a new user namespace first and only later unshare our
* network namespace to ensure that network devices ownership is
* set up correctly.
*/
flags &= ~CLONE_NEWNET; flags &= ~CLONE_NEWNET;
}
handler->pid = lxc_clone(do_start, handler, flags); handler->pid = lxc_clone(do_start, handler, flags);
if (handler->pid < 0) { if (handler->pid < 0) {
SYSERROR("Failed to fork into a set of new namespaces."); SYSERROR("Failed to clone a new set of namespaces.");
goto out_delete_net; goto out_delete_net;
} else {
INFO("Cloned a set of new namespaces.");
} }
INFO("Cloned a set of new namespaces.");
if (!preserve_ns(handler->nsfd, handler->clone_flags | preserve_mask, handler->pid)) if (!preserve_ns(handler->nsfd, handler->clone_flags | preserve_mask, handler->pid))
INFO("Failed to preserve namespace for lxc.hook.stop."); INFO("Failed to preserve namespace for lxc.hook.stop.");
if (attach_ns(saved_ns_fd)) if (attach_ns(saved_ns_fd))
WARN("failed to restore saved namespaces"); WARN("Failed to restore saved namespaces.");
lxc_sync_fini_child(handler); lxc_sync_fini_child(handler);
/* map the container uids - the container became an invalid /* Map the container uids. The container became an invalid userid the
* userid the moment it was cloned with CLONE_NEWUSER - this * moment it was cloned with CLONE_NEWUSER. This call doesn't change
* call doesn't change anything immediately, but allows the * anything immediately, but allows the container to setuid(0) (0 being
* container to setuid(0) (0 being mapped to something else on * mapped to something else on the host.) later to become a valid uid
* the host) later to become a valid uid again */ * again.
*/
if (lxc_map_ids(&handler->conf->id_map, handler->pid)) { if (lxc_map_ids(&handler->conf->id_map, handler->pid)) {
ERROR("failed to set up id mapping"); ERROR("Failed to set up id mapping.");
goto out_delete_net; goto out_delete_net;
} }
...@@ -1188,11 +1180,11 @@ static int lxc_spawn(struct lxc_handler *handler) ...@@ -1188,11 +1180,11 @@ static int lxc_spawn(struct lxc_handler *handler)
} }
if (!cgroup_create_legacy(handler)) { if (!cgroup_create_legacy(handler)) {
ERROR("failed to setup the legacy cgroups for %s", name); ERROR("Failed to setup legacy cgroups for container \"%s\".", name);
goto out_delete_net; goto out_delete_net;
} }
if (!cgroup_setup_limits(handler, false)) { if (!cgroup_setup_limits(handler, false)) {
ERROR("failed to setup the cgroup limits for '%s'", name); ERROR("Failed to setup cgroup limits for container \"%s\".", name);
goto out_delete_net; goto out_delete_net;
} }
...@@ -1205,11 +1197,11 @@ static int lxc_spawn(struct lxc_handler *handler) ...@@ -1205,11 +1197,11 @@ static int lxc_spawn(struct lxc_handler *handler)
if (failed_before_rename) if (failed_before_rename)
goto out_delete_net; goto out_delete_net;
/* Create the network configuration */ /* Create the network configuration. */
if (handler->clone_flags & CLONE_NEWNET) { if (handler->clone_flags & CLONE_NEWNET) {
if (lxc_assign_network(handler->lxcpath, handler->name, if (lxc_assign_network(handler->lxcpath, handler->name,
&handler->conf->network, handler->pid)) { &handler->conf->network, handler->pid)) {
ERROR("failed to create the configured network"); ERROR("Failed to create the configured network.");
goto out_delete_net; goto out_delete_net;
} }
} }
...@@ -1224,39 +1216,38 @@ static int lxc_spawn(struct lxc_handler *handler) ...@@ -1224,39 +1216,38 @@ static int lxc_spawn(struct lxc_handler *handler)
if (netdev->type != LXC_NET_VETH) if (netdev->type != LXC_NET_VETH)
continue; continue;
if (write(netpipepair[1], netdev->name, IFNAMSIZ) != IFNAMSIZ) { if (write(netpipepair[1], netdev->name, IFNAMSIZ) != IFNAMSIZ) {
ERROR("Error writing veth name to container"); ERROR("Error writing veth name to container.");
goto out_delete_net; goto out_delete_net;
} }
} }
close(netpipepair[1]); close(netpipepair[1]);
} }
/* Tell the child to continue its initialization. we'll get /* Tell the child to continue its initialization. We'll get
* LXC_SYNC_CGROUP when it is ready for us to setup cgroups * LXC_SYNC_CGROUP when it is ready for us to setup cgroups.
*/ */
if (lxc_sync_barrier_child(handler, LXC_SYNC_POST_CONFIGURE)) if (lxc_sync_barrier_child(handler, LXC_SYNC_POST_CONFIGURE))
goto out_delete_net; goto out_delete_net;
if (!cgroup_setup_limits(handler, true)) { if (!cgroup_setup_limits(handler, true)) {
ERROR("failed to setup the devices cgroup for '%s'", name); ERROR("Failed to setup the devices cgroup for container \"%s\".", name);
goto out_delete_net; goto out_delete_net;
} }
cgroup_disconnect(); cgroup_disconnect();
cgroups_connected = false; cgroups_connected = false;
/* read tty fds allocated by child */ /* Read tty fds allocated by child. */
if (recv_ttys_from_child(handler) < 0) { if (recv_ttys_from_child(handler) < 0) {
ERROR("failed to receive tty info from child"); ERROR("Failed to receive tty info from child process.");
goto out_delete_net; goto out_delete_net;
} }
/* Tell the child to complete its initialization and wait for /* Tell the child to complete its initialization and wait for it to exec
* it to exec or return an error. (the child will never * or return an error. (The child will never return
* return LXC_SYNC_POST_CGROUP+1. It will either close the * LXC_SYNC_POST_CGROUP+1. It will either close the sync pipe, causing
* sync pipe, causing lxc_sync_barrier_child to return * lxc_sync_barrier_child to return success, or return a different
* success, or return a different value, causing us to error * value, causing us to error out).
* out).
*/ */
if (lxc_sync_barrier_child(handler, LXC_SYNC_POST_CGROUP)) if (lxc_sync_barrier_child(handler, LXC_SYNC_POST_CGROUP))
return -1; return -1;
...@@ -1268,8 +1259,8 @@ static int lxc_spawn(struct lxc_handler *handler) ...@@ -1268,8 +1259,8 @@ static int lxc_spawn(struct lxc_handler *handler)
goto out_abort; goto out_abort;
if (lxc_set_state(name, handler, RUNNING)) { if (lxc_set_state(name, handler, RUNNING)) {
ERROR("failed to set state to %s", ERROR("Failed to set state for container \"%s\" to \"%s\".", name,
lxc_state2str(RUNNING)); lxc_state2str(RUNNING));
goto out_abort; goto out_abort;
} }
...@@ -1305,7 +1296,7 @@ int __lxc_start(const char *name, struct lxc_conf *conf, ...@@ -1305,7 +1296,7 @@ int __lxc_start(const char *name, struct lxc_conf *conf,
handler = lxc_init(name, conf, lxcpath); handler = lxc_init(name, conf, lxcpath);
if (!handler) { if (!handler) {
ERROR("failed to initialize the container"); ERROR("Failed to initialize container \"%s\".", name);
return -1; return -1;
} }
handler->ops = ops; handler->ops = ops;
...@@ -1315,41 +1306,41 @@ int __lxc_start(const char *name, struct lxc_conf *conf, ...@@ -1315,41 +1306,41 @@ int __lxc_start(const char *name, struct lxc_conf *conf,
if (must_drop_cap_sys_boot(handler->conf)) { if (must_drop_cap_sys_boot(handler->conf)) {
#if HAVE_SYS_CAPABILITY_H #if HAVE_SYS_CAPABILITY_H
DEBUG("Dropping cap_sys_boot"); DEBUG("Dropping CAP_SYS_BOOT capability.");
#else #else
DEBUG("Can't drop cap_sys_boot as capabilities aren't supported"); DEBUG("Not dropping CAP_SYS_BOOT capability as capabilities aren't supported.");
#endif #endif
} else { } else {
DEBUG("Not dropping cap_sys_boot or watching utmp"); DEBUG("Not dropping CAP_SYS_BOOT or watching utmp.");
handler->conf->need_utmp_watch = 0; handler->conf->need_utmp_watch = 0;
} }
if (!attach_block_device(handler->conf)) { if (!attach_block_device(handler->conf)) {
ERROR("Failure attaching block device"); ERROR("Failed to attach block device.");
goto out_fini_nonet; goto out_fini_nonet;
} }
if (geteuid() == 0 && !lxc_list_empty(&conf->id_map)) { if (geteuid() == 0 && !lxc_list_empty(&conf->id_map)) {
/* if the backing store is a device, mount it here and now */ /* If the backing store is a device, mount it here and now. */
if (rootfs_is_blockdev(conf)) { if (rootfs_is_blockdev(conf)) {
if (unshare(CLONE_NEWNS) < 0) { if (unshare(CLONE_NEWNS) < 0) {
ERROR("Error unsharing MOUNT namespace."); ERROR("Failed to unshare CLONE_NEWNS.");
goto out_fini_nonet; goto out_fini_nonet;
} else {
INFO("Unshared MOUNT namespace.");
} }
INFO("Unshared CLONE_NEWNS.");
remount_all_slave(); remount_all_slave();
if (do_rootfs_setup(conf, name, lxcpath) < 0) { if (do_rootfs_setup(conf, name, lxcpath) < 0) {
ERROR("Error setting up rootfs mount as root before spawn"); ERROR("Error setting up rootfs mount as root before spawn.");
goto out_fini_nonet; goto out_fini_nonet;
} }
INFO("Set up container rootfs as host root"); INFO("Set up container rootfs as host root.");
} }
} }
err = lxc_spawn(handler); err = lxc_spawn(handler);
if (err) { if (err) {
ERROR("failed to spawn '%s'", name); ERROR("Failed to spawn container \"%s\".", name);
goto out_detach_blockdev; goto out_detach_blockdev;
} }
...@@ -1357,7 +1348,7 @@ int __lxc_start(const char *name, struct lxc_conf *conf, ...@@ -1357,7 +1348,7 @@ int __lxc_start(const char *name, struct lxc_conf *conf,
err = lxc_poll(name, handler); err = lxc_poll(name, handler);
if (err) { if (err) {
ERROR("mainloop exited with an error"); ERROR("LXC mainloop exited with error: %d.", err);
if (handler->netnsfd >= 0) { if (handler->netnsfd >= 0) {
close(handler->netnsfd); close(handler->netnsfd);
handler->netnsfd = -1; handler->netnsfd = -1;
...@@ -1368,26 +1359,24 @@ int __lxc_start(const char *name, struct lxc_conf *conf, ...@@ -1368,26 +1359,24 @@ int __lxc_start(const char *name, struct lxc_conf *conf,
while (waitpid(handler->pid, &status, 0) < 0 && errno == EINTR) while (waitpid(handler->pid, &status, 0) < 0 && errno == EINTR)
continue; continue;
/* /* If the child process exited but was not signaled, it didn't call
* If the child process exited but was not signaled, * reboot. This should mean it was an lxc-execute which simply exited.
* it didn't call reboot. This should mean it was an * In any case, treat it as a 'halt'.
* lxc-execute which simply exited. In any case, treat
* it as a 'halt'
*/ */
if (WIFSIGNALED(status)) { if (WIFSIGNALED(status)) {
switch(WTERMSIG(status)) { switch(WTERMSIG(status)) {
case SIGINT: /* halt */ case SIGINT: /* halt */
DEBUG("Container halting"); DEBUG("Container \"%s\" is halting.", name);
break; break;
case SIGHUP: /* reboot */ case SIGHUP: /* reboot */
DEBUG("Container rebooting"); DEBUG("Container \"%s\" is rebooting.", name);
handler->conf->reboot = 1; handler->conf->reboot = 1;
break; break;
case SIGSYS: /* seccomp */ case SIGSYS: /* seccomp */
DEBUG("Container violated its seccomp policy"); DEBUG("Container \"%s\" violated its seccomp policy.", name);
break; break;
default: default:
DEBUG("unknown exit status for init: %d", WTERMSIG(status)); DEBUG("Unknown exit status for container \"%s\" init %d.", name, WTERMSIG(status));
break; break;
} }
} }
...@@ -1395,7 +1384,7 @@ int __lxc_start(const char *name, struct lxc_conf *conf, ...@@ -1395,7 +1384,7 @@ int __lxc_start(const char *name, struct lxc_conf *conf,
DEBUG("Pushing physical nics back to host namespace"); DEBUG("Pushing physical nics back to host namespace");
lxc_restore_phys_nics_to_netns(handler->netnsfd, handler->conf); lxc_restore_phys_nics_to_netns(handler->netnsfd, handler->conf);
DEBUG("Tearing down virtual network devices used by container"); DEBUG("Tearing down virtual network devices used by container \"%s\".", name);
removed_all_netdevs = lxc_delete_network(handler); removed_all_netdevs = lxc_delete_network(handler);
if (handler->pinfd >= 0) { if (handler->pinfd >= 0) {
...@@ -1407,7 +1396,7 @@ int __lxc_start(const char *name, struct lxc_conf *conf, ...@@ -1407,7 +1396,7 @@ int __lxc_start(const char *name, struct lxc_conf *conf,
err = lxc_error_set_and_log(handler->pid, status); err = lxc_error_set_and_log(handler->pid, status);
out_fini: out_fini:
if (!removed_all_netdevs) { if (!removed_all_netdevs) {
DEBUG("Failed tearing down all network devices used by container. Trying again!"); DEBUG("Failed tearing down network devices used by container. Trying again!");
removed_all_netdevs = lxc_delete_network(handler); removed_all_netdevs = lxc_delete_network(handler);
if (!removed_all_netdevs) if (!removed_all_netdevs)
DEBUG("Failed tearing down network devices used by container. Not trying again!"); DEBUG("Failed tearing down network devices used by container. Not trying again!");
...@@ -1433,10 +1422,10 @@ static int start(struct lxc_handler *handler, void* data) ...@@ -1433,10 +1422,10 @@ static int start(struct lxc_handler *handler, void* data)
{ {
struct start_args *arg = data; struct start_args *arg = data;
NOTICE("exec'ing '%s'", arg->argv[0]); NOTICE("Exec'ing \"%s\".", arg->argv[0]);
execvp(arg->argv[0], arg->argv); execvp(arg->argv[0], arg->argv);
SYSERROR("failed to exec %s", arg->argv[0]); SYSERROR("Failed to exec \"%s\".", arg->argv[0]);
return 0; return 0;
} }
...@@ -1444,7 +1433,7 @@ static int post_start(struct lxc_handler *handler, void* data) ...@@ -1444,7 +1433,7 @@ static int post_start(struct lxc_handler *handler, void* data)
{ {
struct start_args *arg = data; struct start_args *arg = data;
NOTICE("'%s' started with pid '%d'", arg->argv[0], handler->pid); NOTICE("Started \"%s\" with pid \"%d\".", arg->argv[0], handler->pid);
return 0; return 0;
} }
...@@ -1474,23 +1463,22 @@ static void lxc_destroy_container_on_signal(struct lxc_handler *handler, ...@@ -1474,23 +1463,22 @@ static void lxc_destroy_container_on_signal(struct lxc_handler *handler,
if (handler->conf->rootfs.path && handler->conf->rootfs.mount) { if (handler->conf->rootfs.path && handler->conf->rootfs.mount) {
bret = do_destroy_container(handler->conf); bret = do_destroy_container(handler->conf);
if (!bret) { if (!bret) {
ERROR("Error destroying rootfs for %s", name); ERROR("Error destroying rootfs for container \"%s\".", name);
return; return;
} }
} }
INFO("Destroyed rootfs for %s", name); INFO("Destroyed rootfs for container \"%s\".", name);
ret = snprintf(destroy, MAXPATHLEN, "%s/%s", handler->lxcpath, name); ret = snprintf(destroy, MAXPATHLEN, "%s/%s", handler->lxcpath, name);
if (ret < 0 || ret >= MAXPATHLEN) { if (ret < 0 || ret >= MAXPATHLEN) {
ERROR("Error printing path for %s", name); ERROR("Error destroying directory for container \"%s\".", name);
ERROR("Error destroying directory for %s", name);
return; return;
} }
c = lxc_container_new(name, handler->lxcpath); c = lxc_container_new(name, handler->lxcpath);
if (c) { if (c) {
if (container_disk_lock(c)) { if (container_disk_lock(c)) {
INFO("Could not update lxc_snapshots file"); INFO("Could not update lxc_snapshots file.");
lxc_container_put(c); lxc_container_put(c);
} else { } else {
mod_all_rdeps(c, false); mod_all_rdeps(c, false);
...@@ -1505,10 +1493,10 @@ static void lxc_destroy_container_on_signal(struct lxc_handler *handler, ...@@ -1505,10 +1493,10 @@ static void lxc_destroy_container_on_signal(struct lxc_handler *handler,
ret = lxc_rmdir_onedev(destroy, NULL); ret = lxc_rmdir_onedev(destroy, NULL);
if (ret < 0) { if (ret < 0) {
ERROR("Error destroying directory for %s", name); ERROR("Error destroying directory for container \"%s\".", name);
return; return;
} }
INFO("Destroyed directory for %s", name); INFO("Destroyed directory for container \"%s\".", name);
} }
static int lxc_rmdir_onedev_wrapper(void *data) static int lxc_rmdir_onedev_wrapper(void *data)
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment