1. 12 Aug, 2013 1 commit
    • lxc-destroy: Fix regular expression for getting rootfs · 034a0159
      Franz Pletz authored
      The `lxc-destroy` script was using a simple `grep` for extracting
      `lxc.rootfs` from the lxc config. This regex also matches commented lines
      and breaks at least removing btrfs subvolumes if the string `lxc.rootfs`
      is mentioned in a comment. Furthermore, due to the unescaped dot in the
      regex it would also match other wrong strings like `lxc rootfs`.
      
      This patch modifies the regular expression to correctly match the beginning
      of the line plus potential whitespace characters and the string
      `lxc.rootfs`.
      Signed-off-by: Franz Pletz <fpletz@fnordicwalking.de>
      Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
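      The commit above explains the failure but does not show it. The following is an added illustration, not code from lxc-destroy or the LXC project: it compiles the two patterns with POSIX regex.h and runs them over a constructed config (the sample lines, paths and container name are made up) so the difference is visible. The unanchored, unescaped pattern stops on the comment line, and lxc-destroy would then hand that "path" to its btrfs subvolume removal; the anchored pattern with the escaped dot reaches the real key.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed sample config (not a real container): a comment that
 * mentions the key, a look-alike key that only an unescaped dot would
 * match, and the real, indented lxc.rootfs line. */
static const char *const sample_config[] = {
    "# lxc.rootfs must point at the btrfs subvolume",
    "lxc rootfs = /bogus/path",
    "  lxc.rootfs = /var/lib/lxc/c1/rootfs",
    "lxc.utsname = c1",
};
static const size_t sample_config_len =
    sizeof(sample_config) / sizeof(sample_config[0]);

/* What the old script effectively grepped for: unanchored, dot unescaped. */
#define NAIVE_PATTERN "lxc.rootfs"
/* Equivalent of the fix: start of line, optional whitespace, literal key. */
#define FIXED_PATTERN "^[[:space:]]*lxc\\.rootfs"

/* Index of the first line that matches pattern, -1 if none, -2 on a bad pattern. */
int first_matching_line(const char *pattern, const char *const *lines, size_t n)
{
    regex_t re;
    int idx = -1;

    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return -2;
    for (size_t i = 0; i < n; i++) {
        if (regexec(&re, lines[i], 0, NULL, 0) == 0) {
            idx = (int)i;
            break;
        }
    }
    regfree(&re);
    return idx;
}

/* Copy the value after '=' (whitespace trimmed) into out; 0 on success, -1 otherwise. */
int rootfs_value(const char *line, char *out, size_t outlen)
{
    const char *eq = strchr(line, '=');
    if (eq == NULL)
        return -1;
    eq++;
    while (*eq == ' ' || *eq == '\t')
        eq++;
    size_t len = strcspn(eq, " \t\r\n");
    if (len >= outlen)
        return -1;
    memcpy(out, eq, len);
    out[len] = '\0';
    return 0;
}

int main(void)
{
    char value[256];
    int naive = first_matching_line(NAIVE_PATTERN, sample_config, sample_config_len);
    int fixed = first_matching_line(FIXED_PATTERN, sample_config, sample_config_len);

    printf("naive pattern stops at line %d: %s\n", naive, sample_config[naive]);
    printf("fixed pattern stops at line %d: %s\n", fixed, sample_config[fixed]);
    if (rootfs_value(sample_config[fixed], value, sizeof value) == 0)
        printf("rootfs to remove: %s\n", value);
    return 0;
}
```

      The anchored pattern still matches the key when it is indented, which is why the commit keeps the `[[:space:]]*`; a pattern that also tolerated trailing text after the key (such as `lxc.rootfs.mount`) would need a further `[[:space:]]*=` to pin down the exact key.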
  2. 09 Aug, 2013 4 commits
  3. 07 Aug, 2013 3 commits
    • Logging: don't confuse command line and config file specified values · b40a606e
      Serge Hallyn authored
      Currently if loglevel/logfile are specified on command line in a
      program using LXC api, and that program does any
      container->save_config(), then the new config will be saved with the
      loglevel/logfile specified on command line.  This is wrong, especially
      in the case of
      
      cat > lxc.conf << EOF
      lxc.logfile=a
      EOF
      
      lxc-create -t cirros -n c1 -o b
      
      which will result in a container config with lxc.logfile=b.
      Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
    • lxc-clone: don't s/oldname/newname in the config file and hooks · 96532523
      Serge Hallyn authored
      1. container hooks should use lxcpath and lxcname from the environment.
      2. the utsname now gets separately updated
      3. the rootfs path gets updated by the bdev backend.
      4. the fstab mount targets should be relative
      5. the fstab source directories could be separately updated if needed.
      
      This leaves one definite bug: the lxc.logfile does not get updated.
      This made me wonder why it was in the configuration file to begin with.
      Digging deeper, I realized that whatever '-o outfile' you give
      lxc-create gets set in log.c and gets used by the lxc_container object
      we create at write_config().  So if you say
      	lxc-create -t cirros -n c1 -o /tmp/out1
      then /var/lib/lxc/c1/config will have lxc.logfile=/tmp/out1 - which is
      clearly wrong.  Therefore I leave fixing that for later.
      
      I'm looking for candidates for $p/$n expansion.  Note we can't expand
      these at config_utsname() etc, because then lxc-clone would see the
      expanded variable.  So we want to read $p/$n verbatim at config_*(),
      and expand them only when they are used.  lxc.logfile is an obvious
      good use case.  lxc.utsname can do it too, in case you want container
      c1 to be called "c1-whatever".  I'm not sure that's worth it though.
      Are there any others, or is that it?
      Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
    • ubuntu-cloud: remove debugging echo · d273b8ab
      Serge Hallyn authored
      Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
  4. 26 Jul, 2013 1 commit
  5. 23 Jul, 2013 3 commits
  6. 22 Jul, 2013 5 commits
  7. 18 Jul, 2013 1 commit
  8. 17 Jul, 2013 1 commit
    • ubuntu templates: add some kernel filesystems to container fstab · 6f259716
      Serge Hallyn authored
      The debugfs, fusectl, and securityfs may not be mounted inside a
      non-init userns.  But mountall hangs waiting for them to be
      mounted.  So just pre-mount them using $lxcpath/$name/fstab as
      bind mounts, which will prevent mountall from trying to mount
      them.
      
      If the kernel doesn't provide them, then the bind mount failure
      will be ignored, and mountall in the container will proceed
      without the mount since it is 'optional'.  But without these
      bind mounts, starting a container inside a user namespace
      hangs.
      Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
      Acked-by: Stéphane Graber <stgraber@ubuntu.com>
  9. 16 Jul, 2013 4 commits
  10. 15 Jul, 2013 1 commit
    • lxc_create: prepend pretty header to config file (v2) · 3ce74686
      Serge Hallyn authored
      Define a sha1sum_file() function in utils.c.  Use that in lxcapi_create
      to write out the sha1sum of the template being used.  If libgnutls is
      not found, then the template sha1sum simply won't be printed into the
      container config.
      
      This patch also trivially fixes some cases where SYSERROR is used after
      a fclose (masking errno) and missing consts in mkdir_p.
      Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
  11. 12 Jul, 2013 4 commits
  12. 11 Jul, 2013 3 commits
    • Accommodate stricter devices cgroup rules · 283678ed
      Serge Hallyn authored
      3.10 kernel comes with proper hierarchical enforcement of devices
      cgroup.  To keep that code somewhat sane, certain things are not
      allowed.  Switching from default-allow to default-deny and vice versa
      are not allowed when there are children cgroups.  (This *could* be
      simplified in the kernel by checking that all child cgroups are
      unpopulated, but that has not yet been done and may be rejected)
      
      The mountcgroup hook causes lxc-start to break with 3.10 kernels, because
      you cannot write 'a' to devices.deny once you have a child cgroup.  With
      this patch, (a) lxcpath is passed to hooks, (b) the cgroup mount hook sets
      the container's devices cgroup, and (c) setup_cgroup() during lxc startup
      ignores failures to write to devices subsystem if we are already in a
      child of the container's new cgroup.
      
      ((a) is not really related to this bug, but is definitely needed.
      The followup work of making the other hooks use the passed-in lxcpath
      is still to be done)
      Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
    • lxcapi_create: fix template handling · cbee8106
      Serge Hallyn authored
      1. If no template is passed in, then do not try to execute it.  The user
      just wanted to write the configuration.
      
      2. If template is passed in as a full path, then use that instead of
      constructing '$templatedir/lxc-$template'.
      Reported-by: Wanlong Gao <gaowanlong@cn.fujitsu.com>
      Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
    • lxcapi_create: split out the template execution · 96b3cb40
      Serge Hallyn authored
      Make it its own function to make both more readable.
      Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
  13. 10 Jul, 2013 4 commits
    • add clonehostname hook · 1143ed39
      Dwight Engen authored
      This hook script updates the hostname in various files under /etc in the
      cloned container. In order to do so, the old container name is passed in
      the LXC_SRC_NAME environment variable.
      Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
      Acked-by: Stéphane Graber <stgraber@ubuntu.com>
      Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
    • lxc-fedora template - Fix retries, use os-release for release, add utsname. · b9b3a92f
      Michael H. Warfield authored
      Hey all!
      
      Patch for the Fedora template.  Several things...
      
      1) A month or so ago, I floated an idea of adding an option for utsname
      which Serge seemed to like but we let it float for more feedback (none
      came).
      
      2) In private mail to Serge and Stéphane I mentioned the idea of using
      the CPE (Common Platform Enumeration) for host distro and version
      identification.  I heard back from Serge but not Stéphane.  CPE is a
      standard promoted by NIST and Mitre (along with CVE and CVSS) as part of
      the security community as a common identification mechanism.  It's
      supported by RedHat based distros and many others (notable exception
      Ubuntu).  I've patched the Fedora template to parse first
      the /etc/os-release file or, alternatively, the /etc/system-release-cpe
      file for the distro ID and version instead of the human
      readable /etc/redhat-release.  There's more that can be done with that
      in the realm of cross distro container builds, I suspect.
      
      3) At the time of working on 1&2 I noticed that the retry logic in the
      Fedora template just didn't seem right.  I believe I posted a message
      asking for clarification on that behavior.  A recent post in the
      -users list indicating that someone could not create a Fedora 19
      container (because the release ver string was 19-2 and the template was
      only looking for -1) prompted me to rework the retry logic for handling
      the mirror list and servers as well as revamp the download logic to
      properly identify the correct release package.
      
      The patch for all of the above is attached below the jump.  It's been
      tested on Fedora 17 through Fedora 19 hosts and has created containers
      for F11, F12, F13, F14, F16, F17, F18, and F19.  F15 failed for rpm
      dependency issues that are not worth fixing (IMHO).
      
      Regards,
      Mike
      --
      Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw@WittsEnd.com
         /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
         NIC whois: MHW9          | An optimist believes we live in the best of all
       PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
      
      --
      Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
      Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
    • fix potential out of bounds pointer deref · 3327917f
      Dwight Engen authored
      I noticed that if find_first_wholeword() is called with word at the very
      beginning of p, we will deref *(p - 1) to see if it is a word boundary.
      Fix by considering p = p0 to be a word boundary.
      Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
      Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
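      The bug class in the commit above (reading `*(p - 1)` to test for a word boundary when the match sits at the very start of the buffer) is easy to reproduce, and the fix is a one-token ordering change. What follows is an added, independent reimplementation of a whole-word search, not LXC's find_first_wholeword(); the definition of a "word character" as alphanumeric or underscore is an assumption of this example, not something the commit states. The left-boundary test checks the offset before it touches the previous byte, which is exactly the condition the patch describes as treating `p = p0` as a boundary.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed word-character set for this example: [A-Za-z0-9_]. */
static int is_word_char(char c)
{
    return isalnum((unsigned char)c) || c == '_';
}

/* Offset i in p is a left boundary if it is the start of the buffer or
 * the previous byte is not a word character. Testing i == 0 BEFORE
 * looking at p[i - 1] is the point of the fix: a match at the start of
 * the buffer must not read one byte before it. */
static int at_left_boundary(const char *p, size_t i)
{
    return i == 0 || !is_word_char(p[i - 1]);
}

/* Offset i is a right boundary at end of string or before a non-word byte.
 * p[i] is always readable here: the caller passes the offset just past a
 * substring that strstr() found inside p. */
static int at_right_boundary(const char *p, size_t i)
{
    return p[i] == '\0' || !is_word_char(p[i]);
}

/* Pointer to the first occurrence of word in p that is delimited on both
 * sides, or NULL. Illustrative reimplementation, not the LXC function. */
const char *find_first_wholeword(const char *p, const char *word)
{
    size_t wlen = strlen(word);

    if (wlen == 0)
        return NULL;
    for (const char *q = p; (q = strstr(q, word)) != NULL; q++) {
        size_t i = (size_t)(q - p);
        if (at_left_boundary(p, i) && at_right_boundary(p, i + wlen))
            return q;
    }
    return NULL;
}

/* Same search reported as a byte offset (-1 if absent), convenient for checks. */
long find_first_wholeword_index(const char *p, const char *word)
{
    const char *hit = find_first_wholeword(p, word);
    return hit != NULL ? (long)(hit - p) : -1;
}

int main(void)
{
    /* Constructed inputs; "rootfs" at offset 0 is the case that used to read p[-1]. */
    const char *inputs[] = { "rootfs = /srv/c1", "myrootfs rootfs", "myrootfs", "lxc.rootfs=/x" };

    for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++)
        printf("\"%s\" -> %ld\n", inputs[i], find_first_wholeword_index(inputs[i], "rootfs"));
    return 0;
}
```

      Run under a sanitizer or valgrind, the pre-fix ordering (`!is_word_char(p[i - 1]) || i == 0`) reports a one-byte read before the buffer on the first input; the version above does not, which is the quickest way to confirm a fix of this shape.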
  14. 09 Jul, 2013 1 commit
  15. 08 Jul, 2013 4 commits