- 18 Dec, 2017 4 commits
-
-
Serge Hallyn authored
start: reap intermediate process
-
Christian Brauner authored
When we inherit namespaces we need to reap the attaching process. Signed-off-by:Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
conf.c: add relative option for lxc.mount.entry
-
Yifeng Tan authored
Signed-off-by:Yifeng Tan <tanyifeng1@huawei.com>
-
- 15 Dec, 2017 1 commit
-
-
Serge Hallyn authored
lxc_init: fix cgroup parsing
-
- 14 Dec, 2017 25 commits
-
-
Serge Hallyn authored
utils: use lxc_raw_clone() in run_command()
-
Christian Brauner authored
coverity: #1426132 coverity: #1426133 Signed-off-by: -
Christian Brauner authored
coverity: #1426131 Signed-off-by: -
Serge Hallyn authored
commands: fix race when open()/close() cmd socket
-
Christian Brauner authored
Signed-off-by: -
Christian Brauner authored
This is based on raw_clone in systemd but adapted to our needs. The main reason is that we need an implementation of fork()/clone() that does guarantee us that no pthread_atfork() handlers are run. While clone() in glibc currently doesn't run pthread_atfork() handlers we should be fine but there's no guarantee that this won't be the case in the future. So let's do the syscall directly - or as direct as we can. An additional nice feature is that we get fork() behavior, i.e. lxc_raw_clone() returns 0 in the child and the child pid in the parent. Our implementation tries to make sure that we cover all cases according to kernel sources. Note that we are not interested in any arguments that could be passed after the stack. Signed-off-by: -
Christian Brauner authored
add --share-$NS= support to lxc-execute
-
Christian Brauner authored
dir_detect: warn on eperm
-
Christian Brauner authored
criu: add feature check capability
-
Christian Brauner authored
When we report STOPPED to a caller and then close the command socket it is technically possible - and I've seen this happen on the test builders - that a container start() right after a wait() will receive ECONNREFUSED because it called open() before we close(). So for all new state clients simply close the command socket. This will inform all state clients that the container is STOPPED and also prevents a race between a open()/close() on the command socket causing a new process to get ECONNREFUSED because we haven't yet closed the command socket. Signed-off-by: -
Adrian Reber authored
This adds a simple test case which verifies that the new migrate() API command 'MIGRATE_FEATURE_CHECK' works as expected. If a feature does not exist on the currently running architecture/kernel/criu combination it does not report an error as this is a valid scenario. Signed-off-by:Adrian Reber <areber@redhat.com>
-
Adrian Reber authored
For migration optimization features like pre-copy or post-copy migration the support cannot be determined by simply looking at the CRIU version. Features like that depend on the architecture/kernel/criu combination and CRIU offers a feature checking interface to query if it is supported. This adds a LXC interface to query CRIU for those feature via the migrate() API call. For the recent pre-copy migration support in LXD this can be used to automatically detect if pre-copy migration should be used. In addition to the existing migrate() API commands this adds a new command: 'MIGRATE_FEATURE_CHECK'. The migrate_opts{} structure is extended by the member features_to_check which is a bitmask defining which CRIU features should be queried. Currently only the querying of the features FEATURE_MEM_TRACK and FEATURE_LAZY_PAGES is supported. Signed-off-by: -
Serge Hallyn authored
if user has lxc.rootfs.path = /some/path/foo, but can't access some piece of that path, then we'll get an unhelpful "failed to mount" without any indication of the problem. At least show that there is a permission problem. Signed-off-by:Serge Hallyn <shallyn@cisco.com>
-
Tycho Andersen authored
Signed-off-by:Tycho Andersen <tycho@tycho.ws>
-
Serge Hallyn authored
confile: add lxc.hook.version
-
Christian Brauner authored
Signed-off-by: -
Christian Brauner authored
Signed-off-by: -
Christian Brauner authored
Unblocks #2013. Unblocks #2015. Closes #1766. Signed-off-by: -
Christian Brauner authored
Unblocks #2013. Unblocks #2015. Closes #1766. Signed-off-by: -
Christian Brauner authored
Unblocks #2013. Unblocks #2015. Closes #1766. Signed-off-by: -
Christian Brauner authored
This can be used by scripts to detect what version of the hooks are used. Unblocks #2013. Unblocks #2015. Closes #1766. Signed-off-by: -
Christian Brauner authored
Unblocks #2013. Unblocks #2015. Closes #1766. Signed-off-by: -
Serge Hallyn authored
start: fix cgroup namespace preservation
-
Tycho Andersen authored
Signed-off-by: -
Tycho Andersen authored
...otherwise we'll kill everyone on the machine. Instead, let's explicitly try to kill our children. Let's do a best effort against fork bombs by disabling forking via the pids cgroup if it exists. This is best effort for a number of reasons: * the pids cgroup may not be available * the container may have bind mounted /dev/null over pids.max, so the write doesn't do anything Signed-off-by:
-
- 13 Dec, 2017 7 commits
-
-
Stéphane Graber authored
coverity: bugfixes
-
Stéphane Graber authored
lxccontainer: only attach netns on netdev detach
-
Stéphane Graber authored
tools: block using lxc-execute without config file
-
Stéphane Graber authored
conf: avoid spawning unnecessary subshells
-
Stéphane Graber authored
start: do not unconditionally dup std{in,out,err} -
Christian Brauner authored
confile: add lxc.proc.* to set proc filesystem
-
Yifeng Tan authored
Signed-off-by:
-
- 12 Dec, 2017 3 commits
-
-
Christian Brauner authored
Prior to this patch we raced with a very short-lived init process. Essentially, the init process could exit before we had time to record the cgroup namespace causing the container to abort and report ABORTING to the caller when it actually started just fine. Let's not do this. (This uses syscall(SYS_getpid) in the the child to retrieve the pid just in case we're on an older glibc version and we end up in the namespace sharing branch of the actual lxc_clone() call.) Additionally this fixes the shortlived tests. They were faulty so far and should have actually failed because of the cgroup namespace recording race but the ret variable used to return from the function was not correctly initialized. This fixes it. Furthermore, the shortlived tests used the c->error_num variable to determine success or failure but this is actually not correct when the container is started daemonized. Signed-off-by: -
Christian Brauner authored
The error_num value doesn't tell us anything since the container hasn't exited. Signed-off-by: -
Christian Brauner authored
Starting with commit commit c5b93afb Author: Li Feng <lifeng68@huawei.com> Date: Mon Jul 10 17:19:52 2017 +0800 start: dup std{in,out,err} to pty slave In the case the container has a console with a valid slave pty file descriptor we duplicate std{in,out,err} to the slave file descriptor so console logging works correctly. When the container does not have a valid slave pty file descriptor for its console and is started daemonized we should dup to /dev/null. Closes #1646. Signed-off-by:Li Feng <lifeng68@huawei.com> Signed-off-by:
Felix Abecassis <fabecassis@nvidia.com> Signed-off-by:
-
