- 23 Jan, 2013 1 commit
Stéphane Graber authored
The logfile changes broke lxc-info and possibly more command line tools. Revert for now until we get those issues addressed. This reverts commit b8e0503a.
-
- 22 Jan, 2013 4 commits
Serge Hallyn authored
log_open: make sure the parent directory for logfiles
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Serge Hallyn authored
[ Thanks to Stéphane and Dwight for the feedback on the previous patch ]

Until now, if a lxc-* (i.e. lxc-start) command did not specify a logfile (with -o logfile), the default was effectively 'none'. With this patch, the default becomes $LOGPATH/<container>/<container>.log.

LOGPATH is specified at configure time with '--with-log-path='. If unspecified, it is $LXCPATH, so that logs for container r2 will show up at /var/lib/lxc/r2/r2/log. LOGPATH must exist, while lxc will make sure to create $LOGPATH/<name>. As another example, Ubuntu will likely specify --with-log-path=/var/log/lxc (and place /var/log/lxc into debian/lxc.dirs), placing r2's logs in /var/log/lxc/r2/r2.log.

If a container config file specifies 'lxc.logfile', that will override the default. If a '-o logfile' argument is specified at lxc-start, then that will override both the default and the configuration file entry. Finally, '-o none' can be used to avoid having a logfile at all (in other words, the previous default), and that will override a lxc.logfile entry in the container configuration file.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
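An added example, written for this page and not taken from LXC's own log.c, of the precedence the entry above lays out and of its "LOGPATH must exist, $LOGPATH/<name> gets created" rule. The argument names (cli_logfile for the '-o' value, cfg_logfile for lxc.logfile), the fixed buffer sizes and the 0750 directory mode are this example's own assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Decide which log file to use, in the precedence the commit message
 * describes.  cli_logfile is the '-o' value (NULL if not given),
 * cfg_logfile the lxc.logfile entry (NULL if absent), logpath the
 * configure-time LOGPATH and name the container name.
 * Returns 1 and fills buf with the path, 0 if logging is disabled
 * ('-o none'), -1 on error (e.g. the path does not fit in buf). */
int resolve_logfile(const char *cli_logfile, const char *cfg_logfile,
                    const char *logpath, const char *name,
                    char *buf, size_t len)
{
    int r;

    /* 1. '-o logfile' beats both the config entry and the default, and
     *    '-o none' turns logging off even when lxc.logfile is set */
    if (cli_logfile) {
        if (strcmp(cli_logfile, "none") == 0)
            return 0;
        r = snprintf(buf, len, "%s", cli_logfile);
        return (r < 0 || (size_t)r >= len) ? -1 : 1;
    }
    /* 2. lxc.logfile from the container config overrides the default */
    if (cfg_logfile) {
        r = snprintf(buf, len, "%s", cfg_logfile);
        return (r < 0 || (size_t)r >= len) ? -1 : 1;
    }
    /* 3. built-in default: $LOGPATH/<name>/<name>.log */
    if (!logpath || !name)
        return -1;
    r = snprintf(buf, len, "%s/%s/%s.log", logpath, name, name);
    return (r < 0 || (size_t)r >= len) ? -1 : 1;
}

/* LOGPATH itself must already exist; only $LOGPATH/<name> is created.
 * Returns 0 when the per-container directory is usable, -1 otherwise. */
int prepare_logdir(const char *logpath, const char *name)
{
    struct stat st;
    char dir[4096];
    int r;

    /* a container name is a single path component, never a path */
    if (!name || !*name || strchr(name, '/') ||
        strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return -1;
    /* refuse to create LOGPATH: it is the packager's job */
    if (stat(logpath, &st) < 0 || !S_ISDIR(st.st_mode))
        return -1;
    r = snprintf(dir, sizeof dir, "%s/%s", logpath, name);
    if (r < 0 || (size_t)r >= sizeof dir)
        return -1;
    /* 0750 is this example's choice: start logs describe the container's
     * setup, so keep them away from unrelated host users */
    if (mkdir(dir, 0750) < 0 && errno != EEXIST)
        return -1;
    /* EEXIST is only fine if what exists really is a directory */
    if (stat(dir, &st) < 0 || !S_ISDIR(st.st_mode))
        return -1;
    return 0;
}

int main(void)
{
    char buf[256];
    const char *cases[][2] = {
        { "none",        "/etc/lxc/r2.log" },  /* -o none wins over lxc.logfile */
        { "/tmp/r2.log", "/etc/lxc/r2.log" },  /* -o logfile wins */
        { NULL,          "/etc/lxc/r2.log" },  /* config entry wins over default */
        { NULL,          NULL },               /* default */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int r = resolve_logfile(cases[i][0], cases[i][1], "/var/log/lxc", "r2",
                                buf, sizeof buf);
        printf("case %zu: %s\n", i, r == 1 ? buf : r == 0 ? "(no log file)" : "error");
    }
    return 0;
}
```

Usage note: prepare_logdir() is meant to run on the host before the log is opened; a name check like the one above matters because the container name is also used to build a path under LOGPATH.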
-
Matthias Brugger authored
In lxc-setcap the path to lxc-init wasn't set right, so that a call to the script failed with an error. This patch sets the path to the right directory.
Signed-off-by: Matthias Brugger <matthias.bgg@gmail.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Dwight Engen authored
This is for consistency with the rest of lxc, and also because type checks for shell builtins, a behavior that we do not want in these cases. Ensure stderr for which is redirected to /dev/null also.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
- 21 Jan, 2013 1 commit
Serge Hallyn authored
Only the container parent needs to keep that fd open. Close it as soon as the container's first task is spawned. Else it can show up in /proc/$$/fd in the container.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
- 15 Jan, 2013 7 commits
Stéphane Graber authored
In eglibc st_uid and st_gid are defined as unsigned integers, in bionic those are defined as unsigned long (which is inconsistent with the kernel's definition that's uint_32). To work around this problem, simply cast those two to int.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Stéphane Graber authored
A quick scan through the code showed that lxc-oracle.in is the only file in the branch containing trailing whitespaces, this clears them.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
-
Purcareata Bogdan-B43198 authored
Dropbear implements lightweight SSH2 server and client functionality and is likely to be included in embedded Linux distros.
Signed-off-by: Purcareata Bogdan <B43198@freescale.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Serge Hallyn authored
The 3.8 kernel now supports uid mappings, so I believe it's appropriate to proceed with this patchset.

The container config supports new entries of the form:

lxc.id_map = U 100000 0 10000
lxc.id_map = G 100000 0 10000

meaning map 'virtual' uids (in the container) 0-10000 to uids 100000-110000 on the host, and same for gids.

So long as there are mappings specified in the container config, then CONFIG_NEWUSER will be used when the container is cloned. This means that container setup is no longer done with root privilege on the host, only root privilege in the container. Therefore cgroup setup is moved from the init task to the monitor task.

To use this patchset, you currently need to either use the raring kernel at ppa:serge-hallyn/usern-natty, or build your own kernel from either git://kernel.ubuntu.com/serge/quantal-userns.git. (Alternatively you can use Eric's tree at the latest userns-always-map-* branch at git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace.git but you will likely want to at least enable tmpfs mounts in user namespaces)

You also need to chown the files in the container rootfs into the mapped range. There is a utility at https://code.launchpad.net/~serge-hallyn/+junk/nsexec to do this. uidmapshift does the chowning, while the container-userns-convert script nicely wraps that program. So I simply

sudo lxc-create -t ubuntu -n r1
sudo container-userns-convert r1 200000

will create a container which is shifted so uid 0 in the container is uid 200000 on the host.

TODO: when doing setuid(0), need to only do that if 0 is one of the ids we map to. Similarly, when dropping capabilities, need to only not do that if 0 is one of the ids we map to. However, the question of what to do for 'weird' containers in private user namespaces is one I'm punting for later.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
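An added example, not LXC's own config parser, of the mapping arithmetic the entry above describes. It reads lxc.id_map entries in the field order the message's own example implies (type, host base, container base, range; that order is assumed from the example, not checked against the patch), emits the nsid-first line the kernel expects in /proc/<pid>/uid_map, translates ids in both directions (host-to-container is the direction a rootfs chown needs), and answers the TODO's question of whether uid 0 is mapped at all. The struct and function names are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* One lxc.id_map entry, in the field order the commit message's example
 * uses: "U <hostid> <nsid> <range>" (host base first).  Assumed from that
 * example; nothing here is LXC's own code. */
struct id_map {
    char type;             /* 'U' for uids, 'G' for gids */
    unsigned long hostid;  /* first id on the host */
    unsigned long nsid;    /* first id inside the container */
    unsigned long range;   /* number of ids covered */
};

/* Parse a config line such as "lxc.id_map = U 100000 0 10000".
 * Returns 0 on success, -1 on a malformed or wrapping entry. */
int parse_idmap(const char *line, struct id_map *m)
{
    const char *v = strchr(line, '=');
    if (!v)
        return -1;
    v++;
    /* %lu silently accepts "-1" as a huge unsigned value; reject it early */
    if (strchr(v, '-'))
        return -1;
    if (sscanf(v, " %c %lu %lu %lu", &m->type, &m->hostid, &m->nsid, &m->range) != 4)
        return -1;
    if (m->type != 'U' && m->type != 'G')
        return -1;
    if (m->range == 0)
        return -1;
    /* a range that wraps would cover ids the admin never intended */
    if (m->hostid + m->range < m->hostid || m->nsid + m->range < m->nsid)
        return -1;
    return 0;
}

/* Container id -> host id for the given type.  Returns 0 and fills *host,
 * or -1 if no entry covers nsid (the id is unmapped in this container). */
int ns_to_host(const struct id_map *maps, size_t n, char type,
               unsigned long nsid, unsigned long *host)
{
    for (size_t i = 0; i < n; i++) {
        const struct id_map *m = &maps[i];
        if (m->type == type && nsid >= m->nsid && nsid - m->nsid < m->range) {
            *host = m->hostid + (nsid - m->nsid);
            return 0;
        }
    }
    return -1;
}

/* Host id -> container id, the direction a rootfs chown needs to reverse. */
int host_to_ns(const struct id_map *maps, size_t n, char type,
               unsigned long hostid, unsigned long *nsid)
{
    for (size_t i = 0; i < n; i++) {
        const struct id_map *m = &maps[i];
        if (m->type == type && hostid >= m->hostid && hostid - m->hostid < m->range) {
            *nsid = m->nsid + (hostid - m->hostid);
            return 0;
        }
    }
    return -1;
}

/* The line the kernel takes in /proc/<pid>/uid_map or gid_map:
 * "<id inside ns> <id outside ns> <length>", i.e. nsid before hostid,
 * the opposite order from the config entry above. */
int format_kernel_map(const struct id_map *m, char *buf, size_t len)
{
    int r = snprintf(buf, len, "%lu %lu %lu\n", m->nsid, m->hostid, m->range);
    return (r < 0 || (size_t)r >= len) ? -1 : 0;
}

/* The TODO in the commit message: setuid(0) and keeping capabilities only
 * make sense when uid 0 is actually one of the ids the container maps. */
int root_is_mapped(const struct id_map *maps, size_t n)
{
    unsigned long host;
    return ns_to_host(maps, n, 'U', 0, &host) == 0;
}

int main(void)
{
    struct id_map maps[2];
    char buf[64];
    unsigned long id;

    if (parse_idmap("lxc.id_map = U 100000 0 10000", &maps[0]) < 0 ||
        parse_idmap("lxc.id_map = G 100000 0 10000", &maps[1]) < 0)
        return 1;
    format_kernel_map(&maps[0], buf, sizeof buf);
    printf("uid_map line: %s", buf);
    if (ns_to_host(maps, 2, 'U', 0, &id) == 0)
        printf("container uid 0 is host uid %lu\n", id);
    printf("container uid 10000 is %s\n",
           ns_to_host(maps, 2, 'U', 10000, &id) == 0 ? "mapped" : "unmapped");
    printf("root mapped: %s\n", root_is_mapped(maps, 2) ? "yes" : "no");
    return 0;
}
```

A file in the rootfs owned by a host id outside the mapped range shows up as the overflow id inside the container, which is why the conversion script the message mentions has to chown everything into the range before the first start.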
-
Serge Hallyn authored
This is a first step to enabling user namespaces. When starting a container in a new user namespace, the child will not have the rights to write to the cgroup fs. (We can give it that right, but don't always want to have to). At the parent, we don't want to setup_cgroups() before the child has set itself up. But we also don't want to wait until it has started running its init, since that is racy. Therefore introduce a new sync point. The child will let the parent know when it is ready to be confined, and wait for the parent to respond that it has done so. Then the child will finish constraining itself with LSM and seccomp and execute init.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Serge Hallyn authored
Always unblock parent when child setup fails, rather than just exiting. Also remove a duplicate call to setup_cgroup(). We'll want it close to there for userns, but not right there - that's too late, and could happen after container init has done something bad without cgroup restrictions.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
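An added example, not LXC's own start.c, of the parent/child sync point the two entries above describe, plus the fd hygiene from the 21 Jan entry: the child signals that it is ready to be confined, the parent applies cgroup setup with its host privileges and replies, and only then does the child go on toward LSM/seccomp and init. A child whose setup fails reports that instead of silently exiting, and a child that dies without reporting still unblocks the parent because the socket reads EOF. Both ends of the socketpair are closed before the child would exec, so neither appears in the container's /proc/1/fd. The message names, the socketpair transport and the stand-in setup functions are this example's own assumptions.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Messages on the sync socket.  Names are this example's own. */
enum sync_msg {
    SYNC_READY_TO_CONFINE = 1, /* child -> parent: setup done, confine me */
    SYNC_CONFINED,             /* parent -> child: cgroups applied, go on */
    SYNC_ERROR,                /* child -> parent: setup failed, stop waiting */
};

static int send_msg(int fd, enum sync_msg m)
{
    int v = (int)m;
    return write(fd, &v, sizeof v) == (ssize_t)sizeof v ? 0 : -1;
}

/* A short read (0 bytes) means the peer went away without sending anything;
 * treating that as failure is what keeps the parent from blocking forever. */
static int recv_msg(int fd, enum sync_msg *m)
{
    int v;
    if (read(fd, &v, sizeof v) != (ssize_t)sizeof v)
        return -1;
    *m = (enum sync_msg)v;
    return 0;
}

/* Stand-ins for the real work: namespace/mount setup in the child, and the
 * cgroup setup the parent does because a child in a fresh user namespace
 * may not be allowed to write the cgroup fs. */
static int child_setup(int should_fail) { return should_fail ? -1 : 0; }
static int parent_setup_cgroup(pid_t child) { (void)child; return 0; }

static void child_main(int sync_fd, int parent_fd, int should_fail)
{
    enum sync_msg m;

    close(parent_fd);   /* the parent's end has no business in the container */
    if (child_setup(should_fail) < 0) {
        send_msg(sync_fd, SYNC_ERROR);   /* unblock the parent before dying */
        _exit(1);
    }
    if (send_msg(sync_fd, SYNC_READY_TO_CONFINE) < 0)
        _exit(1);
    if (recv_msg(sync_fd, &m) < 0 || m != SYNC_CONFINED)
        _exit(1);
    /* Limits are now in place, before init runs anything.  LSM/seccomp would
     * be applied here and init exec'd; first make sure neither socket end
     * survives to show up as a stray entry in the container's /proc/1/fd. */
    close(sync_fd);
    if (fcntl(sync_fd, F_GETFD) != -1 || errno != EBADF)
        _exit(2);
    if (fcntl(parent_fd, F_GETFD) != -1 || errno != EBADF)
        _exit(2);
    _exit(0);
}

/* Fork a "container" child and run the handshake.  Returns 0 if the child
 * was confined and finished cleanly, -1 if setup failed on either side. */
int start_with_sync(int should_fail)
{
    int sv[2], status, ret = -1;
    enum sync_msg m;
    pid_t pid;

    if (socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0, sv) < 0)
        return -1;
    pid = fork();
    if (pid < 0) {
        close(sv[0]);
        close(sv[1]);
        return -1;
    }
    if (pid == 0)
        child_main(sv[1], sv[0], should_fail);   /* never returns */

    close(sv[1]);   /* parent keeps only its own end */
    if (recv_msg(sv[0], &m) == 0 && m == SYNC_READY_TO_CONFINE &&
        parent_setup_cgroup(pid) == 0 &&
        send_msg(sv[0], SYNC_CONFINED) == 0)
        ret = 0;
    close(sv[0]);   /* done with it; don't hold it for the container's lifetime */

    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
        ret = -1;
    return ret;
}

int main(void)
{
    printf("clean start: %s\n", start_with_sync(0) == 0 ? "ok" : "failed");
    printf("failing child: %s\n",
           start_with_sync(1) == 0 ? "ok" : "failed, parent unblocked");
    return 0;
}
```

The ordering is the point: the parent must not touch cgroups before the child has finished its own setup, but the child must not run init before the parent has confined it, and neither side may block indefinitely on the other's failure.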
-
Christian Seiler authored
Make sure that when configuring containers that have interfaces containing multiple IP addresses they are added in the order of the configuration file (i.e. the first being the primary one) and not the reverse order.
Signed-off-by: Christian Seiler <christian@iwakd.de>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
- 14 Jan, 2013 2 commits
Michael H. Warfield authored
Ok... Here's the patch again. Since Serge is removing the loglevel structure member, this patch no longer references that element.

From the original description:

1) Removes run_makedev() and the call to it from conf.c per discussion.

2) Adds an lxc.hook.autodev hook. Note: This hook is very close (one routine level abstracted) from where the run_makedev was called. Anyone really rrreeeaaalllyyy needing MAKEDEV can add it in with a small shim script to do whatever they want under whatever distro they're using, so no functionality is lost there.

3) Added a number of environment variables for all the hook scripts to reference to assist in execution. Things like LXC_ROOTFS_MOUNT could be very useful but others were added as well. Room for more if anyone has an itch. All in one spot in lxc_start.c.

4) clearenv and putenv( "container=lxc" ) calls were moved to just after the "start" hook in the container just prior to actually firing up the container so we could use environment variables prior to that and have them flushed before firing up init. Nice side effect is that you can define environment variables and then call lxc-start and have them show up in those hooks scripts.

5) I actually DID update the man page for lxc.conf! I guess I lied when I said I wouldn't get that done.

[... and ...]

I added the rcfile to the lxc_conf structure as suggested and moved the setenv bundle from lxc-start.c over to start.c just prior to calling run_lxc_hooks for the pre-start hook.

Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
Serge Hallyn authored
The options are still supported in the lxc configuration file. However they are stored only in local variables in src/lxc/log.c, which can be read using two new functions:

int lxc_log_get_level(void);
const char *lxc_log_get_file(void);

Changelog: jan 14: have lxc_log_init use lxc_log_set_file(), have lxc_log_set_file() take a const char *, and have it keep its own strdup'd copy of the filename.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
- 13 Jan, 2013 1 commit
Stéphane Graber authored
In a previous change I added an ifdef for HAVE_SYS_TIMERFD_h rather than HAVE_SYS_TIMERFD_H, leading to a missing include of sys/timerfd.h on platforms that support it and ultimately to a build failure.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
-
- 11 Jan, 2013 7 commits
Stéphane Graber authored
The previous implementation of the openpty check was always returning 'no' as openpty is typically defined in util.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
-
Stéphane Graber authored
This adds a local implementation of the bits we need from timerfd.h and utmpx.h so that the LXC utmp watch can be used with libc that don't implement the same functions as eglibc.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Stéphane Graber authored
This avoids conflict with the system header utmp.h.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Dwight Engen authored
The Python.h header varies in location by distribution, so instead use pkg-config to ensure the python3 devel package is installed. Tested with Ubuntu 12.04 and Fedora 17. Fixes --enable-python on Fedora 17.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Alexander Vladimirov authored
This option allows user to control installation repository and options using alternative pacman configuration file. Also remove unnecessary sed invocation during container configuration.
Signed-off-by: Alexander Vladimirov <alexander.idkfa.vladimirov@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
- 10 Jan, 2013 2 commits
Stéphane Graber authored
Following a comment on the mailing-list, I made utmp.h return -1 when it's disabled, the problem with that is that it prevents the container from starting completely, which isn't quite what I wanted. This change makes the function succeed, the container will therefore start but without utmp handler.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Stéphane Graber authored
PR_CAPBSET_READ isn't defined in bionic, so define it if it's not.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
- 09 Jan, 2013 15 commits
Dwight Engen authored
OL6 uses upstart init and needs a handler for the SIGPWR that lxc-shutdown sends it so that a container can shut down cleanly.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Dwight Engen authored
Processing of -w or -r shifts an argument that isn't there, messing up other argument processing.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Stéphane Graber authored
There's no good reason to call setup_mount_entries if we don't have any lxc.mount.entry. This also avoids an issue on bionic where the tmpfile() call in setup_mount_entries requires the presence of /tmp which isn't the case by default.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Stéphane Graber authored
-lpthread doesn't exist and isn't necessary on bionic.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Stéphane Graber authored
Bionic and maybe some other libc implementations lack the _r nss functions. This replaces our current getpwnam_r and getpwuid_r calls by getpwnam and getpwuid.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Stéphane Graber authored
__S_ISTYPE doesn't exist in all C libraries, so define it if it's missing. Additionally, replace one occurrence where it wasn't actually needed.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Stéphane Graber authored
Bionic (at least) is missing some of the usual mntent functions. This adds code defining those that we need when they're missing from the C library.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Stéphane Graber authored
At least bionic defines __errno, so this was causing a conflict in caps.h leading to build failure. Renaming to ___errno avoids that conflicting definition.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Stéphane Graber authored
strdupa appears to only exist in the standard glibc but at least not in bionic. Replace the two strdupa calls we have by a standard strdup.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Stéphane Graber authored
alphasort doesn't have the right signature on bionic which causes the build to fail. This implements a new bionic_alphasort function when building on bionic providing the right signature and a functional equivalent of glibc's alphasort.

This signature problem with alphasort was fixed in upstream bionic but hasn't been released yet. This commit can therefore be reverted as soon as the following commit hits the Android NDK: 40e467ec668b59be25491bd44bf348a884d6a68d

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Stéphane Graber authored
This adds code detecting the presence of utmpx.h and in its absence, turns the utmp related functions into no-ops.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Stéphane Graber authored
Some libc implementation (bionic) is lacking some of the syscall functions that are present in the glibc. For those, detect at build time that they are missing and implement a minimal syscall() wrapper that will essentially give the same result as the glibc function.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Stéphane Graber authored
Some platforms don't have personality.h in their C library, this change adds buildtime detection for the header and turns off the personality setting code in those cases.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Stéphane Graber authored
In the effort to make LXC work with non-standard Linux distros, this change allows for the user to build LXC without capability support through a new --disable-capabilities option to configure. This effectively will cause LXC not to link against libcap and will turn all the _cap_ functions into no-ops.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-