- 22 Apr, 2015 4 commits
-
-
Tycho Andersen authored
Note that we allow both a tagged version or a git build that has sufficient patches for the features we require. v2: close criu's stderr too Signed-off-by:
Tycho Andersen <tycho.andersen@canonical.com> Acked-by:
Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Tycho Andersen authored
Trying to cage the beast that is lxccontainer.c. Signed-off-by:
-
Tycho Andersen authored
As of criu 1.5, the --veth-pair argument supports an additional parameter that is the bridge name to attach to. This enables us to get rid of the goofy action-script hack that passed bridge names as environment variables. This patch is on top of the systemd/lxcfs mount rework patch, as we probably want to wait to use 1.5 options until it has been out for a while and is in distros. Signed-off-by:
-
Tycho Andersen authored
CRIU now supports autodetection of external mounts via the --ext-mount-map auto --enable-external-sharing --enable-external-masters options, so we don't need to explicitly pass the cgmanager mount or any of the mounts from the config. This also means that lxcfs mounts (since they are bind mounts from outside the container) are autodetected, meaning that c/r of containers using lxcfs works. A further advantage of this patch is that it addresses some of the ugliness that was in the exec_criu() function. There are other criu options that will allow us to trim this even further, though. Finally, with --enable-external-masters, criu understands slave mounts in the container with shared mounts in the peer group that are outside the namespace. This allows containers on a systemd host to be dumped and restored correctly. However, these options have just landed in criu trunk today, and the next tagged release will be 1.6 on June 1, so we should avoid merging this into any stable releases until then. v2: remount / as private before bind mounting the container's directory for criu. The problem here is that if / is mounted as shared, even if we unshare() the /var/lib/lxc/rootfs mountpoint propagates outside of our mount namespace, which is bad, since we don't want to leak mounts. In particular, this leak confuses criu the second time it goes to checkpoint the container. v3: whoops, we really want / as MS_SLAVE | MS_REC here, to match what start does v4: rebase onto master for revert of logging patch Signed-off-by:
-
- 14 Apr, 2015 4 commits
-
-
Serge Hallyn authored
This is hopefully temporary - it works great for lxc itself, but seems to be upsetting golang. Signed-off-by:
-
Serge Hallyn authored
This breaks code that depended on the monitor being fully dead before c->stop() returns. This reverts commit 62e04161.
-
Serge Hallyn authored
This breaks lxc-test-concurrent. This reverts commit fef9aa89.
-
Serge Hallyn authored
In the past, lxc-cmd-stop would wait until the command pipe was closed before returning, ensuring that the container monitor had exited. Now that we accept the actual success return value, lxcapi_stop can return success before the monitor has fully exited. So explicitly wait for the container to stop, when lxc-cmd-stop returned success. Signed-off-by:
-
- 13 Apr, 2015 7 commits
-
-
Tycho Andersen authored
Instead, check that the result is larger than its parts. Signed-off-by:
Stéphane Graber <stgraber@ubuntu.com>
-
Laurent Vivier authored
URL for packages and LiveOS differs from x86, x86_64 and ARM. This patch allows to select the good mirror URL according to the architecture. Primary architecture: http://mirrors.kernel.org/fedora Secondary architecture: http://mirrors.kernel.org/fedora-secondary The managed secondary architectures are only ppc64 and s390x, the secondary architectures for Fedora 20 (the base of initial bootstrap). Signed-off-by:
Laurent Vivier <Laurent@Vivier.EU> Acked-by:
-
Tycho Andersen authored
We've already checked that c is not null above, so the false branch can never be taken here. Reported-by: Coverity Signed-off-by:
-
Tycho Andersen authored
lxc_console dereferences C, so we should check that it is not null and fail if it is. Reported-by: Coverity Signed-off-by:
-
Tycho Andersen authored
Reported-by: Coverity Signed-off-by:
-
Tycho Andersen authored
1. don't cast to long 2. check overflow before addition v2: just remove the cast, don't change the type of the variables Reported-by: Coverity Signed-off-by:
-
Serge Hallyn authored
These are two fixes for long, long-standing bugs. 1. When we stop a container from the lxc_cmd stop handler, we kill its init task, then we unfreeze the container to make sure it receives the signal. When that unfreeze succeeds, we were immediately returning 0, without sending a response to the invoker. 2. lxc_cmd returns the length of the field received. In the case of an lxc_cmd_stop this is 16. But a comment claims we expect no response, only a 0. In fact the handler does send a response, which may or may not include an error. So don't call an error just because we got back a response. Signed-off-by:
-
- 10 Apr, 2015 2 commits
-
-
Tycho Andersen authored
Signed-off-by:
-
Tycho Andersen authored
Since attach asks the restore process what the clone flags were, if we forgot to set them then the attach command ran in the hosts namespaces instead of the containers, which is a Very Bad Thing :). Instead, we remember to set the clone flags in the restore process' handler, so that we report them correctly to any attach processes who ask. Signed-off-by:
-
- 07 Apr, 2015 1 commit
-
-
teruo-oshida authored
$container_rootfs may not be used so 'sed' will try to patch "/etc/init/tty.conf". It must not be correct. Signed-off-by:
Teruo Oshida <teruo.oshida@miraclelinux.com> Acked-by:
-
- 06 Apr, 2015 18 commits
-
-
Stéphane Graber authored
Signed-off-by: -
Stéphane Graber authored
Signed-off-by: -
Tycho Andersen authored
Signed-off-by:
-
Tycho Andersen authored
It is impolite to print stuff to stderror owned by other people, and they might miss it anyway since it's not in the normal log location. Signed-off-by:
-
Tycho Andersen authored
Instead, the parent always writes a status to the pipe. Signed-off-by:
-
Tycho Andersen authored
Previously, lxcapi_restore used the calling process as the lxc monitor process (and just never returned), requiring users to fork before calling it. This, of course, would cause problems for things like LXD, which can't fork. Now, restore() forks the monitor as a child of the process that calls it. Users who want to daemonize the restore process need to fork themselves. lxc-checkpoint has been updated to reflect this behavior change. Signed-off-by:
-
Stéphane Graber authored
If an unprivileged ephemeral container is started as follows, lxc-start-ephemeral -o trusty -n test_ephemeral Then an empty directory remains upon exit from the container, ~/.local/share/lxc/test_ephemeral/tmpfs/delta0 (The tmpfs filesystem is successfully unmounted, but we seem to lack permission to delete the delta0 directory). This issue arose following commits 4799a1e7 and dd2271e6 . The following patch resolves the issue. It has been tested on ubuntu 14.04 with the lxc-daily ppa. Since gmail screws up the formatting of the patch via line-wrapping etc, please copy the patch from the issue-tracker rather than from this email. Signed-off by: Oleg Freedholm <overlayfs@gmail.com> Acked-by: -
Serge Hallyn authored
to make sure the parent's read returns. Signed-off-by:
-
KATOH Yasufumi authored
Update for commit 8158c057Signed-off-by:
KATOH Yasufumi <karma@jazz.email.ne.jp> Acked-by:
-
KATOH Yasufumi authored
Signed-off-by:
-
Tycho Andersen authored
CRIU needs to be told when something is bind mounted into the container from the outside as cgmanager's socket is. Signed-off-by:
-
Arjun Sreedharan authored
Signed-off-by:
Arjun Sreedharan <arjun024@gmail.com> Acked-by:
-
Serge Hallyn authored
One of the 'features' of overlayfs is that depending on whether a file is on the upper or lower dir you get back a different device from stat. That breaks our lxc_rmdir_onedev. So at lxc_rmdir_ondev check the device of the directory being deleted. If it is overlayfs, then skip the device check. Note this is unrelated to overlayfs snapshots - in those cases when you delete a container, /var/lib/lxc/$container/ does not actually have an overlayfs under it. Rather, to reproduce this you would sudo mkdir /opt/{lower,upper,workdir} sudo mount -t overlayfs -o lower=/opt/lower,upper=/opt/upper,workdir=/opt/workdir \ lxc /var/lib/lxc sudo lxc-create -t download -n c1 -- -d ubuntu -r trusty -a amd64 sudo lxc-destroy -n c1 Signed-off-by:Marko Ratkaj <marko.ratkaj@sartura.hr> Acked-by:
-
Serge Hallyn authored
This is only called at startup so it wasn't a big leak, but it is a leak. Signed-off-by:
-
Serge Hallyn authored
Currently if we are in /user.slice/user-1000.slice/session-c2.scope, and we start an unprivileged container t1, it will be in cgroup 3:memory:/user.slice/user-1000.slice/session-c2.scope/t1. If we then do a 'lxc-cgroup -n t1 freezer.tasks', cgm_get will first switch to 3:memory:/user.slice/user-1000.slice/session-c2.scope then look up 't1's values. The reasons for this are 1. cgmanager get_value is relative to your own cgroup, so we need to be sure to be in t1's cgroup or an ancestor 2. we don't want to be in the container's cgroup bc it might freeze us. But in Ubuntu 15.04 it was decided that 3:memory:/user.slice/user-1000.slice/session-c2.scope/tasks should not be writeable by the user, making this fail. Therefore put all unprivileged cgroups under "lxc/%n". That way the "lxc" cgroup should always be owned by the user so that he can enter. Signed-off-by:
-
Serge Hallyn authored
The logging code uses a global log_fd and log_level to direct logging (ERROR(), etc). While the container configuration file allows for lxc.loglevel and lxc.logfile, those are only used at configuration file read time to set the global variables. This works ok in the lxc front-end programs, but becomes a problem with threaded API users. The simplest solution would be to not allow per-container configuration files, but it'd be nice to avoid that. Passing a logfd or lxc_conf into every ERROR/INFO/etc call is "possible", but would be a huge complication as there are many functions, including struct member functions and callbacks, which don't have that info and would need to get it from somewhere. So the approach I'm taking here is to say that all real container work is done inside api calls, and therefore the API calls themselves can set a thread-local variable indicating which log info to use. If unset, then use the global values. The lxc-* programs, when called with a '-o logfile' argument, set a global variable to indicate that the user-specified value should be used. In this patch: If the lxc container configuration specifies a loglevel/logfile, only set the lxc_config's logfd and loglevel according to those, not the global values. Each API call is wrapped to set/unset the current_config. (The few exceptions are calls which do not result in any log actions) Update logfile appender to use the logfile specified in lxc_conf if (a) current_config is set and (b) the lxc-* command did not override it. Signed-off-by:
-
Stéphane Graber authored
Allow veth that is not attached to a bridge on unprivileged container
-
Stéphane Graber authored
autostart: Fix bug with containers being started in reverse order
-
- 01 Apr, 2015 2 commits
-
-
Stéphane Graber authored
Added a more reliable test for yum --releasever in the centos template
-
Alexandre Létourneau authored
Signed-off-by:Alexandre Letourneau <letourneau.alexandre@gmail.com>
-
- 30 Mar, 2015 2 commits
-
-
Alexandre Létourneau authored
Signed-off-by: -
Stéphane Graber authored
Correct typo.
-
