19 May, 2014 (2 commits)

- KATOH Yasufumi authored
  Update for commit f1c26f2c
  Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
  Acked-by: Stéphane Graber <stgraber@ubuntu.com>
- KATOH Yasufumi authored
  Update for commit 6191f4f4
  Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
  Acked-by: Stéphane Graber <stgraber@ubuntu.com>
16 May, 2014 (5 commits)

- Serge Hallyn authored
  For years it has been best practice to use a relative path as the mount target. But the manpage hasn't reflected that. Fix it.
  Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
  Acked-by: Dwight Engen <dwight.engen@oracle.com>
- Serge Hallyn authored
  Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
  Acked-by: Dwight Engen <dwight.engen@oracle.com>
- Serge Hallyn authored
  Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
  Acked-by: Dwight Engen <dwight.engen@oracle.com>
- Serge Hallyn authored
  Backing stores supported by qemu-nbd can be attached to an nbd block device using qemu-nbd. This user-space process (pair) stays around for the duration of the device attachment. Obviously we want it to go away when the container shuts down, but not before the filesystems have been cleanly unmounted.
  The device attachment is done from the task which will become the container monitor, before the container setup+init task is spawned. That task starts in a new pid namespace to ensure that the qemu-nbd process will be killed if need be. It sets its parent death signal to SIGHUP and, on receiving SIGHUP, attempts to do a clean qemu-device detach, then exits. This should ensure that the device is detached if the qemu monitor crashes or exits. It may be worth adding a delay before the qemu-nbd is detached, but my brief tests haven't seen any data corruption.
  Only the parts required for running an nbd-backed container are implemented here. Create, destroy, and clone are not. The first use of this that I imagine is for people to use downloaded nbd-backed images (like Ubuntu cloud images, or anything previously used with qemu). I imagine people will want to create/clone/destroy out of band using qemu-img, but if I'm wrong about that we can implement the rest later.
  Because attach_block_device() is done before the bdev is initialized, and bdev_init needs to know the nbd index so that it can mount the filesystem, we now need to pass the lxc_conf. file_exists() is moved to utils.c so we can use it from bdev.c.
  The nbd attach/detach should lay the groundwork for a trivial implementation of qed and raw images.
  changelog (may 12): fix idx check at detach
  changelog (may 15): generalize qcow2 to nbd
  Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
  Acked-by: Dwight Engen <dwight.engen@oracle.com>
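The parent-death-signal arrangement this commit describes, as an added C example that is not lxc's code: a helper arms PR_SET_PDEATHSIG so it receives SIGHUP when the monitor that forked it exits, and only then runs its cleanup. The cleanup here is a marker written to a pipe rather than a qemu-nbd detach, the separate pid namespace lxc uses is left out (it needs CAP_SYS_ADMIN), and the process layout and function names (helper_main, run_demo, helper_cleaned_up) are the example's own. Linux only.

```c
/* Added example, not lxc code: orphaned helper cleans up on parent death. */
#define _GNU_SOURCE
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

static volatile sig_atomic_t parent_gone = 0;

static void on_sighup(int sig)
{
    (void)sig;
    parent_gone = 1;
}

/* The helper's body (constructed stand-in for the task that owns qemu-nbd).
 * monitor_pid: the pid it expects as parent.  report_fd: where it writes
 * its "I cleaned up" marker, standing in for the qemu-nbd detach. */
static int helper_main(pid_t monitor_pid, int report_fd)
{
    struct sigaction sa;
    sigset_t hup, wait_mask;

    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = on_sighup;
    sigaction(SIGHUP, &sa, NULL);

    /* Keep SIGHUP blocked while arming, so it cannot slip in between the
     * checks below and the wait. */
    sigemptyset(&hup);
    sigaddset(&hup, SIGHUP);
    sigprocmask(SIG_BLOCK, &hup, &wait_mask);
    sigdelset(&wait_mask, SIGHUP);

    if (prctl(PR_SET_PDEATHSIG, SIGHUP) < 0)
        return 1;
    /* The death signal covers only deaths after it is armed; a parent that
     * exited between fork() and prctl() shows up as a changed getppid(). */
    if (getppid() != monitor_pid)
        parent_gone = 1;

    /* sigsuspend() unblocks SIGHUP and sleeps atomically, so the flag test
     * and the sleep cannot race against delivery. */
    while (!parent_gone)
        sigsuspend(&wait_mask);

    /* The clean detach would go here (lxc: qemu-nbd -d on the device). */
    return write(report_fd, "detached", 8) == 8 ? 0 : 1;
}

/* Fork a monitor that forks the helper and then dies at once, as if it had
 * crashed.  Collect what the helper reported into out; return its length,
 * 0 if the helper never reported within five seconds. */
static int run_demo(char *out, size_t len)
{
    int pfd[2];
    pid_t monitor;
    size_t n = 0;

    if (pipe(pfd) < 0 || (monitor = fork()) < 0)
        return -1;
    if (monitor == 0) {
        pid_t me = getpid();
        close(pfd[0]);
        if (fork() == 0)
            _exit(helper_main(me, pfd[1]));
        close(pfd[1]);
        _exit(0); /* monitor dies without detaching anything itself */
    }
    close(pfd[1]);
    waitpid(monitor, NULL, 0);

    while (n < len - 1) {
        struct pollfd p = { .fd = pfd[0], .events = POLLIN };
        ssize_t r;
        if (poll(&p, 1, 5000) <= 0)
            break;
        r = read(pfd[0], out + n, len - 1 - n);
        if (r <= 0)
            break; /* EOF: the helper has exited */
        n += (size_t)r;
    }
    out[n] = '\0';
    close(pfd[0]);
    return (int)n;
}

/* 1 if the orphaned helper ran its cleanup path, 0 otherwise. */
static int helper_cleaned_up(void)
{
    char buf[32];
    return run_demo(buf, sizeof(buf)) == 8 && strcmp(buf, "detached") == 0;
}

int main(void)
{
    printf("helper cleaned up after monitor death: %s\n",
           helper_cleaned_up() ? "yes" : "no");
    return 0;
}
```

Two caveats worth keeping in mind with this pattern: PR_SET_PDEATHSIG is armed by the child and only covers deaths that happen after the call, which is why the getppid() check follows it; and the signal is tied to the parent thread that created the child, so a multi-threaded monitor must fork the helper from a thread that lives as long as the monitor itself.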
- Dwight Engen authored
  This is a fix to commit 5f2ea8cf. Sorry, not sure how I missed this in testing the original patch.
  Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
  Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
13 May, 2014 (2 commits)

- Edvinas Klovas authored
  When using the btrfs backend, lxc-create first creates the rootfs in the /usr/lib/lxc/rootfs directory before moving it to /var/lib/lxc or another directory supplied on the command line. The Archlinux template relied on $rootfs_path, which made containers created with the btrfs backend have lxc.rootfs set to /usr/lib/lxc/rootfs. By using $path instead of $rootfs_path we make sure that lxc.rootfs is always correct.
  Signed-off-by: Edvinas Klovas <edvinas@pnd.io>
  Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
- Dwight Engen authored
  Don't spawn a getty on /dev/console when running under libvirt-lxc
  Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
  Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
09 May, 2014 (1 commit)

- S.Çağlar Onur authored
  Signed-off-by: S.Çağlar Onur <caglar@10ur.org>
  Acked-by: Stéphane Graber <stgraber@ubuntu.com>
08 May, 2014 (2 commits)

- Serge Hallyn authored
  On older cgmanager the support was broken. So rather than fail container starts altogether, just keep the old lxc behavior in this case by not using name= subsystems.
  Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
  Acked-by: Stéphane Graber <stgraber@ubuntu.com>
- KATOH Yasufumi authored
  commit aafea1f7 was incomplete.
  Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
  Acked-by: Stéphane Graber <stgraber@ubuntu.com>
07 May, 2014 (7 commits)

- Dwight Engen authored
  Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
  Acked-by: Stéphane Graber <stgraber@ubuntu.com>
- Dwight Engen authored
  Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
  Acked-by: Stéphane Graber <stgraber@ubuntu.com>
- Edvinas Klovas authored
  Archlinux is using systemd, and systemd's configuration does not have any services set up to handle the sigpwr hook which is sent by the lxc-stop command. By enabling the sigpwr service we make sure that lxc-stop will work.
  Signed-off-by: Edvinas Klovas <edvinas@pnd.io>
  Acked-by: Stéphane Graber <stgraber@ubuntu.com>
- Serge Hallyn authored
  If an unprivileged user does 'lxc-start -n u1' in one login session, followed by 'lxc-attach -n u1' in another session, the attach will fail if the sessions are in different cgroups. The same is true of lxc-cgroup commands. Address this by using the GetPidCgroupAbs and MovePidAbs which work with the containers' cgroup path relative to the cgproxy. Since GetPidCgroupAbs is new to api version 3 in cgmanager, use the old method if we are on an older cgmanager.
  Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
  Tested-by: "S.Çağlar Onur" <caglar@10ur.org>
  Acked-by: Stéphane Graber <stgraber@ubuntu.com>
- Serge Hallyn authored
  Read /proc/self/cgroup instead of /proc/cgroups, so as to catch named subsystems. Otherwise the containers will not be fully moved into the container cgroups. Also free line which was being leaked.
  Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
  Acked-by: Stéphane Graber <stgraber@ubuntu.com>
- Serge Hallyn authored
  Do this by calling the bdev->destroy() hook from a user namespace configured as the container's.
  Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
  Acked-by: Stéphane Graber <stgraber@ubuntu.com>
- Serge Hallyn authored
  btrfs subvolume ioctls are usable by unprivileged users, so allow unprivileged containers to reside on btrfs. This patch does not yet enable destroy.
  Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
  Acked-by: Stéphane Graber <stgraber@ubuntu.com>
06 May, 2014 (8 commits)

- Dwight Engen authored
  Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
  Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
- KATOH Yasufumi authored
  Update for commit 0769b82a
  Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
  Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
- KATOH Yasufumi authored
  Update for commit b46f0553
  Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
  Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
- Christian Seiler authored
  If the user specifies cgroup or cgroup-full without a specifier (:ro, :rw or :mixed), this changes the behavior. Previously, these were simple aliases for the :mixed variants; now they depend on whether the container also has CAP_SYS_ADMIN; if it does they resolve to the :rw variants, if it doesn't to the :mixed variants (as before).
  If a container has CAP_SYS_ADMIN privileges, any filesystem can be remounted read-write from within, so initially mounting the cgroup filesystems partially read-only as a default creates a false sense of security. It is better to default to full read-write mounts to show the administrator what keeping CAP_SYS_ADMIN entails.
  If an administrator really wants both CAP_SYS_ADMIN and the :mixed variant of cgroup or cgroup-full automatic mounts, they can still specify that explicitly; this commit just changes the default without specifier.
  Signed-off-by: Christian Seiler <christian@iwakd.de>
  Cc: Serge Hallyn <serge.hallyn@ubuntu.com>
  Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
- Christian Seiler authored
  Currently, setup_caps and dropcaps_except both use the same parsing logic for parsing capabilities (try to identify by name, but allow numerical specification). Since this is a common routine, separate it out to improve maintainability and reusability.
  Signed-off-by: Christian Seiler <christian@iwakd.de>
  Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
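The two rules from this commit and the one before it, as an added C example that is not lxc's code: capability tokens are accepted by name or by number, and a bare cgroup or cgroup-full entry in lxc.mount.auto resolves to :rw unless the lxc.cap.drop list removes CAP_SYS_ADMIN, in which case it resolves to :mixed; an explicit :ro/:rw/:mixed specifier always wins. The capability numbers come from <linux/capability.h>; the name table is a hypothetical subset (lxc resolves names through libcap), and cap_from_token, parse_cap_list, cgroup_mount_mode and mode_for are the example's own names.

```c
/* Added example, not lxc code: default cgroup mount mode vs. CAP_SYS_ADMIN. */
#define _GNU_SOURCE
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <linux/capability.h>

/* Hypothetical subset of the capability names; lxc uses libcap for this. */
static const struct { const char *name; int num; } cap_names[] = {
    { "chown", CAP_CHOWN },         { "net_admin", CAP_NET_ADMIN },
    { "sys_admin", CAP_SYS_ADMIN }, { "sys_module", CAP_SYS_MODULE },
    { "mknod", CAP_MKNOD },         { "sys_boot", CAP_SYS_BOOT },
};

/* One token: a name (case-insensitive) or a decimal number. -1 if unknown
 * or out of range, so typos cannot silently leave a capability in place. */
static int cap_from_token(const char *tok)
{
    size_t i;

    if (isdigit((unsigned char)tok[0])) {
        char *end;
        long v;
        errno = 0;
        v = strtol(tok, &end, 10);
        if (errno || *end != '\0' || v < 0 || v > CAP_LAST_CAP)
            return -1;
        return (int)v;
    }
    for (i = 0; i < sizeof(cap_names) / sizeof(cap_names[0]); i++)
        if (strcasecmp(tok, cap_names[i].name) == 0)
            return cap_names[i].num;
    return -1;
}

/* Space-separated lxc.cap.drop value -> bitmask. Returns 0 on any bad token. */
static int parse_cap_list(const char *list, uint64_t *mask)
{
    char *copy, *save, *tok;
    int ok = 1;

    *mask = 0;
    copy = strdup(list);
    if (!copy)
        return 0;
    for (tok = strtok_r(copy, " \t", &save); tok; tok = strtok_r(NULL, " \t", &save)) {
        int c = cap_from_token(tok);
        if (c < 0) {
            ok = 0;
            break;
        }
        *mask |= (uint64_t)1 << c;
    }
    free(copy);
    return ok;
}

/* entry: one lxc.mount.auto word, e.g. "cgroup" or "cgroup-full:ro".
 * Returns "ro", "rw" or "mixed"; NULL for non-cgroup or malformed entries. */
static const char *cgroup_mount_mode(const char *entry, uint64_t dropped)
{
    size_t base;
    const char *spec;

    if (strncmp(entry, "cgroup-full", 11) == 0)
        base = 11;
    else if (strncmp(entry, "cgroup", 6) == 0)
        base = 6;
    else
        return NULL; /* proc, sys, ... are not handled here */

    if (entry[base] == '\0') {
        /* Bare entry: a container keeping CAP_SYS_ADMIN could remount the
         * hierarchy read-write itself, so :ro would only look secure. */
        return (dropped & ((uint64_t)1 << CAP_SYS_ADMIN)) ? "mixed" : "rw";
    }
    if (entry[base] != ':')
        return NULL; /* e.g. "cgroupfs" */
    spec = entry + base + 1;
    if (!strcmp(spec, "ro") || !strcmp(spec, "rw") || !strcmp(spec, "mixed"))
        return spec; /* an explicit specifier always wins */
    return NULL;
}

/* Resolve an entry against an lxc.cap.drop string; NULL if either is bad. */
static const char *mode_for(const char *entry, const char *cap_drop)
{
    uint64_t dropped;
    if (!parse_cap_list(cap_drop, &dropped))
        return NULL;
    return cgroup_mount_mode(entry, dropped);
}

int main(void)
{
    printf("cgroup, drop 'sys_module 21 net_admin' -> %s\n", mode_for("cgroup", "sys_module 21 net_admin"));
    printf("cgroup-full, drop 'sys_module mknod' -> %s\n", mode_for("cgroup-full", "sys_module mknod"));
    printf("cgroup:ro, drop '' -> %s\n", mode_for("cgroup:ro", ""));
    return 0;
}
```

Note that the numeric form (21 above is CAP_SYS_ADMIN) is resolved before the default is chosen, so the two spellings cannot disagree about whether the container keeps the capability.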
- Christian Seiler authored
  Ubuntu containers have had trouble with automatic cgroup mounting that was not read-write (i.e. lxc.mount.auto = cgroup{,-full}:{ro,mixed}) in containers without CAP_SYS_ADMIN. Ubuntu's mountall program reads /lib/init/fstab, which contains an entry for /sys/fs/cgroup. Since there is no ro option specified for that filesystem, mountall will try to remount it readwrite if it is already mounted. Without CAP_SYS_ADMIN, that fails and mountall will interrupt boot and wait for user input on whether to proceed anyway or to manually fix it, effectively hanging container bootup.
  This patch makes sure that /sys/fs/cgroup is always a readwrite tmpfs, but that the actual cgroup hierarchy paths (/sys/fs/cgroup/$subsystem) are readonly if :ro or :mixed is used. This still has the desired effect within the container (no cgroup escalation possible and programs get errors if they try to do so anyway), while keeping Ubuntu containers happy.
  Signed-off-by: Christian Seiler <christian@iwakd.de>
  Cc: Serge Hallyn <serge.hallyn@ubuntu.com>
  Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
- Stéphane Graber authored
  Set a base class for the network object and set the encoding in the header. Neither of those changes is required for python3, but they do make it easier for anyone trying to make a python2 binding.
  Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
- Serge Hallyn authored
  Corrected a small oversight when locking related code was moved from src/lxc/utils.c to src/lxc/lxclock.c.
  Signed-off-by: Stephen M Bennett <stephen_m_bennett@hotmail.com>
  Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
05 May, 2014 (1 commit)

- Stéphane Graber authored
  When using --nesting, we exec ourselves in the container context; if we somehow need to dynamically load modules from there, things break. So make sure we pre-load everything we may need.
  Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
  Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
02 May, 2014 (9 commits)

- Stéphane Graber authored
  This reverts commit 8d783edc.
- Stéphane Graber authored
  This makes sure we only query lxc.group once and then reuse that list for filtering, listing groups and autostart. When a container is auto-started only as part of a group, autostart will now show by-group instead of yes.
  Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
- KATOH Yasufumi authored
  Update for commit 0f027869
  Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
  Acked-by: Stéphane Graber <stgraber@ubuntu.com>
- Serge Hallyn authored
  /sys/fs/cgroup is just a size-limited tmpfs, and making it ro does nothing to affect our ability to alter mount settings of its subdirs. OTOH making it ro can upset mountall in the container, which tries to remount it rw, which may be refused. So just don't do it.
  Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
  Cc: Christian Seiler <christian@iwakd.de>
  Acked-by: Stéphane Graber <stgraber@ubuntu.com>
- Stéphane Graber authored
  There wasn't a good reason for that limit; we can simply make the code slightly slower when --groups is passed and still have the expected output even without --fancy.
  Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
- KATOH Yasufumi authored
  Update for commit 50040b5e
  Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
  Acked-by: Stéphane Graber <stgraber@ubuntu.com>
- KATOH Yasufumi authored
  Update for commit 0e98b3bd
  Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
  Acked-by: Stéphane Graber <stgraber@ubuntu.com>
- Stéphane Graber authored
  Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
- Stéphane Graber authored
  This introduces a new -g/--group argument to filter containers based on their groups. This supports the rather obvious:
    --group blah
  which will only list containers that are in group blah. It may also be passed multiple times:
    --group blah --group bleh
  which will list containers that are in either (or both) blah or bleh. And it also takes:
    --group blah,bleh --group doh
  which will list containers that are either in BOTH blah and bleh or in doh.
  Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
  Acked-by: Michael H. Warfield <mhw@WittsEnd.com>
  Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
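The filter semantics spelled out in this commit, as an added C example that is not lxc-ls's code: each --group argument is a comma-separated set of groups a container must belong to in full, the arguments are OR-ed, and with no --group argument every container matches. The container table is constructed for the example, a container's lxc.group values are joined with commas, and group_list_has, has_all, container_matches and list_matching are the example's own names.

```c
/* Added example, not lxc-ls code: evaluate repeated --group filters. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Does the comma-separated list `groups` contain exactly `name`?
 * Compared by token, so "blah" does not match "blah2". */
static int group_list_has(const char *groups, const char *name)
{
    size_t n = strlen(name);
    const char *p = groups;

    while (*p) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        if (len == n && strncmp(p, name, n) == 0)
            return 1;
        if (!comma)
            break;
        p = comma + 1;
    }
    return 0;
}

/* One --group argument: every group in `wanted` (comma-separated) must be
 * present in `groups`. */
static int has_all(const char *groups, const char *wanted)
{
    char *copy = strdup(wanted), *save, *tok;
    int ok = 1;

    if (!copy)
        return 0;
    for (tok = strtok_r(copy, ",", &save); tok; tok = strtok_r(NULL, ",", &save))
        if (!group_list_has(groups, tok)) {
            ok = 0;
            break;
        }
    free(copy);
    return ok;
}

/* container_groups: the container's lxc.group values joined by commas.
 * filters: the --group arguments in order; they are OR-ed.  No filters
 * means "list everything", as lxc-ls does without --group. */
static int container_matches(const char *container_groups,
                             const char *const *filters, size_t nfilters)
{
    size_t i;

    if (nfilters == 0)
        return 1;
    for (i = 0; i < nfilters; i++)
        if (has_all(container_groups, filters[i]))
            return 1;
    return 0;
}

/* Constructed container inventory for the demonstration. */
static const struct { const char *name; const char *groups; } containers[] = {
    { "web1", "blah,bleh" }, { "web2", "blah" }, { "db1", "doh" }, { "misc", "" },
};

/* Count the containers matching `filters`, storing up to `cap` names in out. */
static size_t list_matching(const char *const *filters, size_t nfilters,
                            const char **out, size_t cap)
{
    size_t i, count = 0;

    for (i = 0; i < sizeof(containers) / sizeof(containers[0]); i++) {
        if (!container_matches(containers[i].groups, filters, nfilters))
            continue;
        if (out && count < cap)
            out[count] = containers[i].name;
        count++;
    }
    return count;
}

int main(void)
{
    const char *const filters[] = { "blah,bleh", "doh" }; /* --group blah,bleh --group doh */
    const char *names[8];
    size_t i, n = list_matching(filters, 2, names, 8);

    for (i = 0; i < n; i++)
        printf("%s\n", names[i]);
    return 0;
}
```

Run with the two filters from the commit message, the constructed inventory yields web1 (in both blah and bleh) and db1 (in doh) but not web2, which is in blah alone.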
01 May, 2014 (2 commits)

- Serge Hallyn authored
  This should address https://github.com/lxc/lxc/issues/199
  Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
  Acked-by: Stéphane Graber <stgraber@ubuntu.com>
- Nikolay Martynov authored
  lxc-init got moved into SBINDIR/init.lxc recently. This broke the sshd template because the path wasn't updated there. This patch should fix this issue.
  Signed-off-by: Nikolay Martynov <mar.kolya@gmail.com>
  Acked-by: Stéphane Graber <stgraber@ubuntu.com>
30 Apr, 2014 (1 commit)

- Carlo Landmeter authored
  Signed-off-by: Carlo Landmeter <clandmeter@gmail.com>
  Acked-by: Stéphane Graber <stgraber@ubuntu.com>