- 13 Mar, 2013 2 commits
-
-
Serge Hallyn authored
1. deeper hierarchy has steep performance costs 2. init may be under /init, but containers should be under /lxc 3. in a nested container we like to bind-mount $cgroup_path/$c/$c.real into $cgroup_path - but task 1's cgroup is $c/$c.real, so a nested container would be in $c/$c.real/lxc, which would become /$c/$c.real/$c/$c.real/lxc when expanded 4. this pulls quite a bit of code (of mine) which is always nice Signed-off-by:Serge Hallyn <serge.hallyn@ubuntu.com>
-
Serge Hallyn authored
Signed-off-by:
-
- 12 Mar, 2013 3 commits
-
-
Dwight Engen authored
The kernel requires a single atomic write for setting the /proc idmap files. We were calling write(2) more than once when multiple ranges were configured so instead build a buffer to pass in one write(2) call. Change id types to unsigned long to handle large id mappings gracefully. Fix max id in example comment. Signed-off-by:
Dwight Engen <dwight.engen@oracle.com> Acked-by:
-
Alexander Vladimirov authored
I remember discussion about implementing proper way to shutdown guests using different signals, so here's a patch proposal. It allows to use specific signal numbers to shutdown guests gracefully, for example SIGRTMIN+4 starts poweroff.target in systemd. Signed-off-by:
Alexander Vladimirov <alexander.idkfa.vladimirov@gmail.com> Acked-by:
-
Dwight Engen authored
This fixes some issues found by Oracle QA, including several cosmetic errors seen during container bootup. The rpm database needs moving on Debian hosts similar to on Ubuntu. I took Serge's suggestions: Do the yum install in an unshared mount namespace so the /proc mount done during OL4 install doesn't pollute the host. No need to blacklist ipv6 modules. Make the default release 6.3, unless the host is OL, then default to the same version as the host (same as Ubuntu template does). Signed-off-by:
-
- 11 Mar, 2013 6 commits
-
-
Dwight Engen authored
The id ordering and case of u,g is also consistent with uidmapshift, reducing confusion. doc: Moved example to the the EXAMPLES section, and used values corresponding to the defaults in the pending shadow-utils subuid patch. Signed-off-by:
Stéphane Graber <stgraber@ubuntu.com>
-
Stéphane Graber authored
Debian 5.0 Lenny turned out of support on the 6th of February 2012. From now on, the only supported Debian template is lxc-debian. Signed-off-by:
-
Stéphane Graber authored
Signed-off-by:
-
Stéphane Graber authored
Signed-off-by:
-
Stéphane Graber authored
Signed-off-by:
-
Serge Hallyn authored
1. if there's no rootfs, return -2, not 0. 2. don't close pinfd unconditionally in do_start(). Signed-off-by:
David Ward <david.ward@ll.mit.edu>
-
- 07 Mar, 2013 1 commit
-
-
Dwight Engen authored
This should eventually make the source releases available on sourceforge also contain the tests. Signed-off-by:
-
- 06 Mar, 2013 5 commits
-
-
Serge Hallyn authored
If we're not attaching to the mount ns , then don't enter the container's apparmor policy. Since we're running binaries from the host and not the container, that actually seems the sane thing to do (besides also the lazier thing). If we dont' do this patch, then we will need to move the apparmor attach past the procfs remount, will need to also mount securityfs if available, and for the !remount_proc_sys case we'll want to mount those just long enough to do the apparmor transition. Signed-off-by:
-
Serge Hallyn authored
Signed-off-by: -
Christian Seiler authored
When attaching to a container with a user namespace, try to detect the user and group ids of init via /proc and attach as that same user. Only if that is unsuccessful, fall back to (0, 0). Signed-off-by:Christian Seiler <christian@iwakd.de>
-
Christian Seiler authored
If getpwuid() fails and also the fallback of spawning of a 'getent' process, and the user specified no command to execute, default to /bin/sh and only fail if even that is not available. This should ensure that unless the container is *really* weird, no matter what, the user should always end up with a shell when calling lxc-attach with no further arguments. Signed-off-by: -
Christian Seiler authored
If no command is specified, and using getpwuid() to determine the login shell fails, try to spawn a process that executes the utility 'getent'. getpwuid() may fail because of incompatibilities between the NSS implementations on the host and in the container. Signed-off-by:
-
- 05 Mar, 2013 1 commit
-
-
Serge Hallyn authored
Signed-off-by:
-
- 04 Mar, 2013 7 commits
-
-
Serge Hallyn authored
Add a monitor command to get the cgroup for a running container. This allows container r1 started from /var/lib/lxc and container r1 started from /home/ubuntu/lxcbase to pick unique cgroup directories (which will be /sys/fs/cgroup/$subsys/lxc/r1 and .../r1-1), and all the lxc-* tools to get that path over the monitor at lxcpath. Rework the cgroup code. Before, if /sys/fs/cgroup/$subsys/lxc/r1 already existed, it would be moved to 'deadXXXXX', and a new r1 created. Instead, if r1 exists, use r1-1, r1-2, etc. I ended up removing both the use of cgroup.clone_children and support for ns cgroup. Presumably we'll want to put support for ns cgroup back in for older kernels. Instead of guessing whether or not we have clone_children support, just always explicitly do the only thing that feature buys us - set cpuset.{cpus,mems} for newly created cgroups. Note that upstream kernel is working toward strict hierarchical limit enforcements, which will be good for us. NOTE - I am changing the lxc_answer struct size. This means that upgrades to this version while containers are running will result in lxc_* commands on pre-running containers will fail. Changelog: (v3) implement cgroup attach fix a subtle bug arising when we lxc_get_cgpath() returned STOPPED rather than -1 (STOPPED is 0, and 0 meant success). Rename some functions and add detailed comments above most. Drop all my lxc_attach changes in favor of those by Christian Seiler (which are mostly the same, but improved). Signed-off-by: -
Serge Hallyn authored
Signed-off-by: -
Serge Hallyn authored
Signed-off-by: -
Serge Hallyn authored
As Kees pointed out, write() errors can be delayed and returned as close() errors. So don't ignore error on close when writing the userns id mapping. Signed-off-by: -
Serge Hallyn authored
Signed-off-by: -
Serge Hallyn authored
Signed-off-by: -
Christian Seiler authored
When you clone a new user_ns, the child cannot write to the fds opened by the parent. Hnadle this by doing an extra fork. The grandparent hangs around and waits for its child to tell it the pid of of the grandchild, which will be the one attached to the container. The grandparent then moves the grandchild into the right cgroup, then waits for the child who in turn is waiting on the grandchild to complete. Secondly, when attaching to a new user namespace, your old uid is not valid, so you are uid -1. This patch simply does setid+setuid to 0 if that is the case. We probably want to be smarter, but for now this allows lxc-attach to work. Signed-off-by:
-
- 01 Mar, 2013 4 commits
-
-
Serge Hallyn authored
This patch enables lxc-attach to join the profile of the container it is attaching to. Builds/runs fine with apparmor enabled and disabled. Export new aa_get_profile(), and use it for attach_apparmor, but also handle profile names longer than 100 chars in lxc_start apparmor support. Signed-off-by:
-
Anthony Wu authored
Signed-off-by:
Anthony Wu <wu@learnsprout.com> Acked-by:
-
Stéphane Graber authored
The python api test script was using @LXCPATH@ for one of its checks. Now that the lxcpath is exposed by the lxc python module directly, this can be dropped and api_test.py can now become a simple python file without needing pre-processing by autoconf. Signed-off-by:
-
Stéphane Graber authored
Add initial support for showing and querying nested containers. This is done through a new --nesting argument to lxc-ls and uses lxc-attach to go look for sub-containers. Known limitations include the dependency on setns support for the PID and NETWORK namespaces and the assumption that LXCPATH for the sub-containers matches that of the host. Signed-off-by:
-
- 28 Feb, 2013 8 commits
-
-
Serge Hallyn authored
Update template to install openSUSE 12.3 Signed-off-by:
Frederic Crozat <fcrozat@suse.com> Signed-off-by:
-
Jiri Slaby authored
Otherwise the output looks like: Copying rootfs to /var/lib/lxc/tomcat/rootfs ...Please change root-password ! Signed-off-by: -
Jiri Slaby authored
Fail if something goes wrong. We used to continue and show one failure after another. Signed-off-by: -
Jiri Slaby authored
Base no longer provides bash, sed and tar, but we need those. So add them. Signed-off-by: -
Frederic Crozat authored
This adaptation of systemd. We also add network configuration support. Jiri Slaby: cleanups, rebase Signed-off-by: -
Frederic Crozat authored
When cgroup can't be moved, it might be a hint container is already running. Signed-off-by: -
Frederic Crozat authored
- mount /run on tmpfs outside container - replace /var/run bind mount on /run by a symlink Signed-off-by: -
Frederic Crozat authored
- create /etc/hostname as symlink to /etc/HOSTNAME - fix inadequate space in lxc.mount config, preventing lxc-clone to work Jiri Slaby: some cleanups Signed-off-by:
-
- 22 Feb, 2013 2 commits
-
-
Dwight Engen authored
got link error liblxc.so: undefined reference to `clock_gettime' clock_gettime is used by lxclock.c and is in librt, or bionic libc. Signed-off-by:
-
Jäkel, Guido authored
Allow for an additional --host parameter to lxc-ps hiding all processes running in containers. Signed-off-by:
Guido Jäkel <G.Jaekel@dnb.de> Signed-off-by:
-
- 21 Feb, 2013 1 commit
-
-
Dwight Engen authored
this makes "make rpm" work again Signed-off-by:
-
