1. 03 Jun, 2013 1 commit
  2. 31 May, 2013 4 commits
  3. 29 May, 2013 4 commits
  4. 28 May, 2013 2 commits
  5. 26 May, 2013 1 commit
    • Move container creation fully into the api · 1897e3bc
      Serge Hallyn authored
      1. implement bdev->create:
      
      python and lua: send NULL for bdevtype and bdevspecs.
      They'll want to be updated to pass those in in a way that makes
      sense, but I can't think about that right now.
      
      2. templates: pass --rootfs
      
      If the container is backed by a device which must be mounted (i.e.
      lvm) then pass the actual rootfs mount destination to the
      templates.
      
      Note that the lxc.rootfs can be a mounted block device.  The template
      should actually be installing the rootfs under the path where the
      lxc.rootfs is *mounted*.
      
      Still, some people like to run templates by hand and assume purely
      directory backed containers, so continue to support that use case
      (i.e. if no --rootfs is listed).
      
      Make sure the templates don't re-write lxc.rootfs if it is
      already in the config.  (Most were already checking for that)
      
      3. Replace lxc-create script with lxc_create.c program.
      
      Changelog:
      May 24: when creating a container, create $lxcpath/$name/partial,
      and flock it.  When done, close that file and unlink it.  In
      lxc_container_new() and lxcapi_start(), check for this file.  If
      it is locked, create is ongoing.  If it exists but is not locked,
      create() was killed - remove the container.
      
      May 24: don't disk-lock during lxcapi_create.  The partial lock
      is sufficient.
      Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
  6. 25 May, 2013 6 commits
    • destroy: implement in the api · 60bf62d4
      Serge Hallyn authored
      This requires implementing bdev->ops->destroy() for each of the backing
      store types.  Then implementing lxcapi_clone(), writing lxc_destroy.c
      using the api, and removing the lxc-destroy.in script.
      
      (this also has a few other cleanups, like marking some functions
      static)
      
      Changelog:
      	fold into destroy: fix zfs destroy
      	destroy: use correct program name in help
      Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
    • lxc-stop: use api, remove lxc_shutdown, extend lxc-stop functionality · 3e625e2d
      Serge Hallyn authored
      implement c->reboot(c) in the api.
      
      Also if the container is not running, return -2.  Currently
      lxc-stop will return 0, so you cannot tell the difference
      between successful stopping and noop.
      
      Per stgraber's email:
      
       - Remove lxc-shutdown
       - Change lxc-stop so that:
         * Default behaviour is to call shutdown(), wait 15s for STOPPED, if
      not STOPPED, print a message to the user and call stop() [ NOTE:
      actually 60 seconds per followup thread]
         * We have a -r option to reboot the container (with proper check that
      the container indeed rebooted within the next 15s)
         * We have a -s option to shutdown the container without the automatic
      fallback to stop()
         * Add a -k option allowing a user to just kill a container
      (equivalent to old lxc-stop, no shutdown() call and no delay).
      
      and update manpages.
      Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
    • locking: update per Dwight's comment · 5cee8c50
      Serge Hallyn authored
      Create three pairs of functions:
      	int process_lock(void);
      	void process_unlock(void);
      	int container_mem_lock(struct lxc_container *c);
      	void container_mem_unlock(struct lxc_container *c);
      	int container_disk_lock(struct lxc_container *c);
      	void container_disk_unlock(struct lxc_container *c);
      
      and use those in lxccontainer.c
      
      process_lock() is to protect the process state among multiple threads.
      container_mem_lock() is to protect a struct container among multiple
      threads.  container_disk_lock is to protect a container on disk.
      
      Also remove the lock in lxcapi_init_pid() as Dwight suggested.
      
      Fix a typo (s/container/contain) spotted by Dwight.
      
      More locking fixes are needed, but let's first get the fundamentals
      right.  How close does this get us?
      
      Changelog: v2:
      	fix lxclock compile
      Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
      Acked-by: Dwight Engen <dwight.engen@oracle.com>
    • lxclock: Replace named semaphore with flock · df271a59
      Serge Hallyn authored
      The problem: if a task is killed while holding a posix semaphore,
      there appears to be no way to have the semaphore be reliably
      automatically released.  The only trick which seemed promising
      is to store the pid of the lock holder in some file and have
      later lock seekers check whether that task has died.
      
      Instead of going down that route, this patch switches from a
      named posix semaphore to flock.  The advantage is that when
      the task is killed, its fds are closed and locks are automatically
      released.
      
      The disadvantage of flock is that we can't rely on it to exclude
      threads.  Therefore c->slock must now always be wrapped inside
      c->privlock.
      
      This patch survived basic testing with the lxcapi_create patchset,
      where now killing lxc-create while it was holding the lock did
      not lock up future api commands.
      Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
    • fix memory leaks in cgroup functions · 2acf7795
      Dwight Engen authored
      There were several memory leaks in the cgroup functions, notably in the
      success cases.
      
      The cgpath test program was refactored and additional tests added to it.
      It was used in various modes under valgrind to test that the leaks were
      fixed.
      
      Simplify lxc_cgroup_path_get() and cgroup_path_get by having them return a
      char * instead of an int and an output char * argument. The only return
      values ever used were -1 and 0, which are now handled with NULL and non-NULL
      returns respectively.
      
      Use consistent variable names of cgabspath when referring to an absolute path
      to a cgroup subsystem or file, and cgrelpath when referring to a container
      "group/name" within the cgroup hierarchy.
      
      Remove unused subsystem argument to lxc_cmd_get_cgroup_path().
      
      Remove unused #define MAXPRIOLEN
      
      Make template arg to lxcapi_create() const
      Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
      Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
    • consolidate missing C library functions into utils.h · 6a44839f
      Dwight Engen authored
      This fixes the build of lxccontainer.c on systems that have __NR_setns
      but not HAVE_SETNS.
      Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
      Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
  7. 23 May, 2013 1 commit
    • python: Fix lxc-ls's usage of get_ips() · ad5f1515
      Stéphane Graber authored
      The recent port of get_ips() from pure python to the C API came with
      a couple of API changes for that function call (as were highlighted in
      the commit message).
      
      I somehow didn't notice that lxc-ls was still calling with the old API
      and so was crashing whenever it was asked to show the ipv4 or ipv6 address.
      Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
  8. 22 May, 2013 5 commits
  9. 21 May, 2013 3 commits
    • fix minor gcc 4.7.2 error · fca3080f
      Dwight Engen authored
      lxccontainer.c:874:4: error: ‘for’ loop initial declarations are only
      allowed in C99 mode
      Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
      Acked-by: Stéphane Graber <stgraber@ubuntu.com>
    • extend command processor to handle generic data · ef6e34ee
      Dwight Engen authored
      Motivation for this change is to have the ability to get the run-time
      configuration items from a container, which may differ from its current
      on disk configuration, or might not be available any other way (for
      example lxc.network.0.veth.pair). In adding this ability it seemed there
      was room for refactoring improvements.
      
      Genericize the command infrastructure so that both command requests and
      responses can have arbitrary data. Consolidate all commands into command.c
      and name them consistently. This allows all the callback routines to be
      made static, reducing exposure.
      
      Return the actual allocated tty for the console command. Don't print the
      init pid in lxc_info if the container isn't actually running. Command
      processing was made more thread safe by removing the static buffer from
      receive_answer(). Refactored command response code to a common routine.
      Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
      Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
    • lxcapi: Add new get_ips() call · 9c83a661
      Stéphane Graber authored
      This adds a new get_ips call which takes a family (inet, inet6 or NULL),
      a network interface (or NULL for all) and a scope (0 for global) and returns
      a char** of all the IPs in the container.
      
      This also adds a matching python3 binding (function result is a tuple) and
      deprecates the previous pure-python get_ips() implementation.
      
      WARNING: The python get_ips() call is quite different from the previous
      implementation. The timeout argument has been removed, the family names are
      slightly different (inet/inet6 vs ipv4/ipv6) and an extra scope parameter
      has been added.
      Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
      Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
  10. 20 May, 2013 7 commits
  11. 17 May, 2013 1 commit
  12. 16 May, 2013 5 commits
    • document clone hooks · dc92f6c7
      Serge Hallyn authored
      Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
    • lxc: add clone hook. · 148e91f5
      Serge Hallyn authored
      Add a clone hook called from api_clone.  Pass arguments to it from
      lxc_clone.c.
      
      The clone update hook is called while the container's bdev is mounted.
      Information about the container is passed in through environment
      variables LXC_ROOTFS_PATH, LXC_NAME, LXC_ROOTFS_MOUNT, and
      LXC_CONFIG_FILE.
      
      LXC_ROOTFS_MOUNT=/usr/lib/x86_64-linux-gnu/lxc
      LXC_CONFIG_FILE=/var/lib/lxc/demo3/config
      LXC_ROOTFS_PATH=/var/lib/lxc/demo3/rootfs
      LXC_NAME=demo3
      
      So from the hook, updates to the container should be made under
      $LXC_ROOTFS_MOUNT/ .
      
      The hook also receives command line arguments as follows:
      First argument is container name, second is always 'lxc', third
      is the hook name (always clone), then come the arguments which
      were passed to lxc-clone.  I.e. when I did:
      
      sudo lxc-clone demo2 demo3 -- hey there dude
      
      the arguments passed in were "demo3 lxc clone hey there dude"
      
      I personally would like to drop the first two arguments.  The
      name is available as $LXC_NAME, and the section argument ('lxc')
      is meaningless.  However, doing so risks invalidating existing
      hooks.
      
      Soon analogous create and destroy hooks will be added as well.
      Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
      Acked-by: Stéphane Graber <stgraber@ubuntu.com>
    • cgroup: prevent DOS when a hierarchy is mounted multiple times · 9a93d992
      Serge Hallyn authored
      When starting a container, we walk through all cgroup mounts looking
      for a unique directory name we can use for this container.  If the
      name we are trying is in use, we try another name.  If it is not in
      use in the first mount we check, we need to check other hierarchies
      as it may exist there.  But we weren't checking whether we have already
      checked a subsystem - so that if freezer was mounted twice, we would
      create it in the first mount, see it exists in the second, so start
      over trying in the second mount.
      
      To fix this, keep track of which subsystems we have already checked,
      and do not re-check.
      
      (See http://pad.lv/1176287 for a bug report)
      
      Note we still need to add, at the next: label, the removal of the
      directories we've already created.  I'm keeping that for later as
      it's far lower priority than this fix, and I don't want to risk
      introducing a regression for that.
      Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
    • set non device cgroup items before the cgroup is entered · 6031a6e5
      Dwight Engen authored
      This allows some special cgroup items such as memory.kmem.limit_in_bytes
      to be successfully set, since they must be set before any task is put
      into the cgroup.
      
      The devices cgroup is set up later giving the container a chance to mount
      file systems before the device it might want to mount from becomes
      unavailable.
      Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
      Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
    • doc/lxc.conf minor clarifications · d9e80daf
      Dwight Engen authored
      Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
      Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
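
Added example, not code from the LXC tree: commits df271a59 and 1897e3bc above rely on flock() being released by the kernel when the lock holder is killed, which lets a later caller tell an ongoing create from an interrupted one by probing the `partial` marker file. The C program below reproduces that check across two processes; `check_partial`, `demo_killed_creator`, the `partial_state` enum and the /tmp path are hypothetical names chosen for this illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <sys/file.h>
#include <sys/wait.h>
#include <unistd.h>

enum partial_state { PARTIAL_NONE, PARTIAL_ONGOING, PARTIAL_STALE, PARTIAL_ERROR };
/* Hypothetical helper: classify the marker file the way the May 24 changelog describes. */
enum partial_state check_partial(const char *path)
{
    int fd = open(path, O_RDWR), got_lock;
    if (fd < 0)
        return errno == ENOENT ? PARTIAL_NONE : PARTIAL_ERROR;
    got_lock = flock(fd, LOCK_EX | LOCK_NB) == 0; /* failure counts as "held" */
    close(fd); /* closing also drops the probe lock */
    return got_lock ? PARTIAL_STALE : PARTIAL_ONGOING;
}

/* Hypothetical demo: a creator takes the lock and is SIGKILLed before unlinking the marker. */
int demo_killed_creator(const char *path, enum partial_state states[3])
{
    int st;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { /* creator process */
        int fd = open(path, O_RDWR | O_CREAT, 0600);
        if (fd < 0 || flock(fd, LOCK_EX) < 0) _exit(1);
        raise(SIGSTOP); /* lock held: park here until the parent kills us */
        _exit(0);
    }
    if (waitpid(pid, &st, WUNTRACED) < 0 || !WIFSTOPPED(st)) return -1;
    states[0] = check_partial(path); /* creator alive and holding the lock */
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);           /* kernel closed its fds, releasing the lock */
    states[1] = check_partial(path); /* marker exists but is unlocked */
    unlink(path);                    /* cleanup, as removing the container would */
    states[2] = check_partial(path);
    return 0;
}

int main(void)
{
    enum partial_state s[3] = { PARTIAL_ERROR, PARTIAL_ERROR, PARTIAL_ERROR };
    int rc = demo_killed_creator("/tmp/partial-demo", s); /* constructed path */
    printf("rc=%d alive=%d killed=%d cleaned=%d\n", rc, s[0], s[1], s[2]);
    return rc ? 1 : 0;
}
```

flock() locks attach to the open file description, so threads sharing one descriptor are not excluded from each other; that is the disadvantage the df271a59 message covers by wrapping c->slock inside c->privlock.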