- 22 Sep, 2014 1 commit
-
-
Serge Hallyn authored
This idea came from Andy Lutomirski. Instead of using a temporary directory for the pivot_root put-old, use "." both for new-root and old-root. Then fchdir into the old root temporarily in order to unmount the old-root, and finally chdir back into our '/'. Drop lxc.pivotdir from the lxc.container.conf manpage. Warn when we see a lxc.pivotdir entry (but keep it in the lxc.conf for now).
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
- 19 Sep, 2014 14 commits
-
-
William Dauchy authored
quiet mode was overridden by the double call of lxc_log_init, see lxc_container_new. Use lxc_log_options_no_override in order to fix this.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: William Dauchy <william@gandi.net>
-
Serge Hallyn authored
Introduce a new list of controllers just containing "all". Make the lists of controllers null-terminated. If the cgmanager api version is high enough, use the 'all' controller rather than walking all controllers, which should greatly reduce the amount of dbus overhead. This will be especially important for those going through a cgproxy. Also remove the call to cleanup cgroups when a cgroup existed. That usually fails (and failure is ignored) since the to-be-cleaned-up cgroup is busy, but we shouldn't even be trying. Note this can create extra un-cleaned-up cgroups, however it's better than us accidentally removing a cgroup that someone else had created and was about to use.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Tycho Andersen authored
Looks like lxc-checkpoint was missing the log initialization code, so it never actually logged anything when the options were provided.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Tycho Andersen authored
CRIU 1.3 has a pretty crippling deadlock which will cause dumping containers to fail fairly often. This is fixed in criu 1.3.1, so we shouldn't run the tests on anything less than that.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Tycho Andersen authored
After looking through some logs, it is a little cleaner to do it as below, instead of what I originally posted.
Tycho
In order for LXC to be the parent of the restored process, CRIU needs to restore init as its sibling, not as its child. This was previously accomplished essentially via luck :). CRIU now has a --restore-sibling option which forces this behavior that LXC expects. See more discussion in this thread: http://lists.openvz.org/pipermail/criu/2014-September/thread.html#16330
v2: don't pass --restore-sibling to dump. This is mostly cosmetic, but will look less confusing in the logs if people ever look at them.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Serge Hallyn authored
Explain why we insist that root use newuidmap if it is available.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
TAMUKI Shoichi authored
Call tar with --numeric-owner option to use numbers for user/group names because the whole uid/gid in rootfs should be consistently unchanged as in original stage3 tarball and private portage.
Signed-off-by: TAMUKI Shoichi <tamuki@linet.gr.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Tycho Andersen authored
We can also narrow the scope of this, since we only need it in the process that is actually going to use it.
Reported-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Tycho Andersen authored
If we just return here, we end up with two processes executing the caller's code, which is not good.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Tycho Andersen authored
criu version 1.3 has been tagged, which has the minimal set of patches to allow checkpointing and restoring containers. lxc-test-checkpoint-restore is now skipped on any version of criu lower than 1.3.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Tycho Andersen authored
This option is required when migrating containers across hosts; it is used to restore inotify via file paths instead of file handles, which aren't preserved across hosts.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
TAMUKI Shoichi authored
Regardless of whether "installpkg" command exists or not, install the command temporarily with statically linked tar command into the lxc cache directory to keep the original uid/gid of files/directories. Also, use sed command instead of ed command for simplicity.
Signed-off-by: TAMUKI Shoichi <tamuki@linet.gr.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Serge Hallyn authored
And add a testcase. The code to update hwaddrs in a clone was walking through the container configuration and re-printing all network entries. However network entries from an include file which should not be printed out were being added to the unexpanded config. With this patch, at clone we simply update the hwaddr in-place in the unexpanded configuration file, making sure to make the same update to the expanded network configuration. The code to update out lxc.hook statements had the same problem. We also update it in-place in the unexpanded configuration, though we mirror the logic we use when updating the expanded configuration. (Perhaps that should be changed, to simplify future updates) This code isn't particularly easy to review, so testcases are added to make sure that (1) extra lxc.network entries are not added (or removed), even if they are present in an included file, (2) lxc.hook entries are not added, (3) hwaddr entries are updated, and (4) the lxc.hook entries are properly updated (only when they should be).
Reported-by: Stéphane Graber <stgraber@ubuntu.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Stéphane Graber authored
Those aren't supported, it's just a lucky coincidence that they weren't causing problems.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
- 04 Sep, 2014 1 commit
-
-
Jean-Tiare LE BIGOT authored
When managing containers, I need to take action based on container exit status. For instance, if it exited abnormally (status!=0), I sometimes want to respawn it automatically. Or, when invoking `lxc-stop` I want to know if it terminated gracefully (i.e. on `SIGTERM`) or on `SIGKILL` after a timeout. This patch adds a new message type `lxc_msg_exit_code`, to preserve ABI. It sends the raw status code as returned by `waitpid` so that listening application may want to apply `WEXITSTATUS` before. This is what `lxc-monitor` does.
Signed-off-by: Jean-Tiare LE BIGOT <jean-tiare.le-bigot@ovh.net>
-
- 29 Aug, 2014 1 commit
-
-
Serge Hallyn authored
To ask cgmanager to chown files as an unpriv user, we must send the request from the container's namespace (with our own userid also mapped in). However when we create a new namespace then we must open a new dbus connection, so that our credential and the credential on the dbus socket match. Otherwise the proxy will refuse the request. Because we were warning about this failure but not exiting, the failure was not noticed until the unprivileged container went on to try to administer its cgroups, i.e. creating a container inside itself. Fix this by having the do_chown_cgroup create a new cgmanager connection. In order to reduce the number of connections, since the list of subsystems is global anyway, don't call do_chown_cgroup once for each controller, just call it once and have it run over all controllers. (This patch does not change the fact that we don't fail if the chown failed. I think we should change that, but let's do it in a later patch)
Reported-by: Stéphane Graber <stgraber@ubuntu.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
- 27 Aug, 2014 1 commit
-
-
KATOH Yasufumi authored
Update for commit 735f2c6e
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
- 26 Aug, 2014 4 commits
-
-
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
-
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
-
S.Çağlar Onur authored
With the new hashed command socket names (e8589841), it's possible to have something like below;
[caglar@qop:~/go/src/github.com/lxc/go-lxc(master)] cat /proc/net/unix | grep lxc
0000000000000000: 00000002 00000000 00010000 0001 01 53465 @lxc/d086e835c86f4b8d/command
[...]
list_active_containers reads /proc/net/unix to find all running containers but this new format no longer includes the container name or its lxcpath. This patch introduces two new commands (LXC_CMD_GET_NAME and LXC_CMD_GET_LXCPATH) and starts to use those in list_active_containers call.
changes since v1:
- added sanity check proposed by Serge
Signed-off-by: S.Çağlar Onur <caglar@10ur.org>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Tycho Andersen authored
This patch adds support for checkpointing and restoring containers via CRIU. It adds two api calls, ->checkpoint and ->restore, which are wrappers around the CRIU CLI. CRIU has an RPC API, but reasons for preferring exec() are discussed in [1]. To checkpoint, users specify a directory to dump the container metadata (CRIU dump files, plus some additional information about veth pairs and which bridges they are attached to) into this directory. On restore, this information is read out of the directory, a CRIU command line is constructed, and CRIU is exec()d. CRIU uses the lxc-restore-net callback (which in turn inspects the image directory with the NIC data) to properly restore the network. This will only work with the current git master of CRIU; anything as of a152c843 should work. There is a known bug where containers which have been restored cannot be checkpointed [2].
[1]: http://lists.openvz.org/pipermail/criu/2014-July/015117.html
[2]: http://lists.openvz.org/pipermail/criu/2014-August/015876.html
v2: fixed some problems with the s/int/bool return code form api function
v3: added a testcase, fixed up the man page synopsis
v4: fix a small typo in lxc-test-checkpoint-restore
v5: remove a reference to the old CRIU_PATH, and a bad error about the same
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
- 25 Aug, 2014 7 commits
-
-
Daniel Miranda authored
distutils can't handle paths to source files containing '..'. It will try to navigate away from the build directory and fail. To fix that, before building the python module, transform all the path variables then cd to the srcdir, and set the build directory manually. This is hopefully the last needed fix to use separate build and source directories.
Signed-off-by: Daniel Miranda <danielkza2@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Daniel Miranda authored
Now that default.conf is generated/linked during the configuration phase, it should no longer be removed in the 'clean' stage, or subsequent builds will fail. Only remove it during 'dist-clean'.
Signed-off-by: Daniel Miranda <danielkza2@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Serge Hallyn authored
Just setting path isn't enough. Clear the whole environment, and only set $PATH. It's all we need - ovs-vsctl is running fine this way.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Bill Kolokithas authored
Signed-off-by: Bill Kolokithas <kolokithas.b@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Denis Pynkin authored
Added check of services in container before start or stop. Added check of syslog config existence prior to changing.
Signed-off-by: Denis Pynkin <dans@altlinux.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
- 22 Aug, 2014 11 commits
-
-
Serge Hallyn authored
1. don't determine ovs-vsctl path at configure time, do it at runtime
2. lxc-user-nic: set a sane path to protect from unpriv users
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
S.Çağlar Onur authored
Signed-off-by: S.Çağlar Onur <caglar@10ur.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Serge Hallyn authored
If statvfs does not exist, then don't recalculate mount flags at remount. If someone does need this, they could replace the code (only if !HAVE_STATVFS) with code parsing /proc/self/mountinfo (which exists in the recent git history)
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Serge Hallyn authored
Same problem as we had with mount_entry(). lxc_mount_auto_mounts() sometimes does bind mount followed by remount to change options. With recent kernels it must pass any preexisting NODEV/NOSUID/etc flags.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Serge Hallyn authored
Use statvfs instead of parsing /proc/self/mountinfo to check for the flags we need to and into the msbind mount flags. This will be faster and the code is cleaner.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Daniel Miranda authored
Building LXC in a separate target directory, by running configure from outside the source tree, failed with multiple errors, mostly in the Python and Lua extensions, due to assuming the source dir and build dir are the same in a few places. To fix that:
- Pre-process setup.py with the appropriate directories at configure time
- Introduce the build dir as an include path in the Lua Makefile
- Link the default container configuration file from the alternatives in the configure stage, instead of setting a variable and using it in the Makefile
Signed-off-by: Daniel Miranda <danielkza2@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Serge Hallyn authored
This prevents u2 from going into /home/u1/.local/share/lxc/u1/rootfs and running setuid-root applications to get write access to u1's container rootfs.
v2: set umask to 002 for the mkdir. Otherwise if umask happens to be, say, 022, then user does not have write permissions under the container dir and creation of $containerdir/partial file will fail.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Serge Hallyn authored
When we read a lxc.network.hwaddr line, if it contained any 'x's then those get quietly filled in at config_network_hwaddr. If that happens then we want to save the autogenerated hwaddr in the unexpanded config so that when we write it to disk, it is saved. This patch dumbly re-generates the network configuration in the unexp configuration every time we load a config file, just as we do after every clone.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
S.Çağlar Onur authored
Signed-off-by: S.Çağlar Onur <caglar@10ur.org>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
S.Çağlar Onur authored
Unprivileged users require "-o user_subvol_rm_allowed" mount option for btrfs. Make the INFO level message to ERROR to make it clear, which now says following;
[caglar@qop:~] lxc-destroy -n rubik
lxc_container: Is the rootfs mounted with -o user_subvol_rm_allowed?
lxc_container: Error destroying rootfs for rubik
Destroying rubik failed
Signed-off-by: S.Çağlar Onur <caglar@10ur.org>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Serge Hallyn authored
If we didn't find newuidmap, then simply require the caller to be root and write to /proc/self/uidmap manually. Checking for newgidmap to exist is bogus.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-