Signed-off-by: Rabi Shanker Guha <guha.rabishankar@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

With the current old CentOS template, dnsmasq was not able to resolve
the hostname of an lxc container after it had been created. This minor
change rectifies that.
Signed-off-by: Kalman Olah <hello@kalmanolah.net>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Send container's hostname to dhcp server when getting ip address.
Signed-off-by: Nikolay Martynov <mar.kolya@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Signed-off-by: Michael Werner <xaseron@googlemail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

They don't work right now, so until we fix that, don't allow it.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

/dev/shm must be turned from a directory into a symlink to /run/shm.
The templates do this only if they find -d $rootfs/run/shm.  Since /run
will be a tmpfs, checking for it in the rootfs is silly.  It also is
currently broken as ubuntu cloud images have an empty /run.

(this should fix https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1353734)
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

v2: add get_config_item

clear_config_item is not supported, as it isn't for lxc.console, bc
you can do 'lxc.console.logfile =' to clear it.  Likewise save_config
is not needed because the config is now just written through the
unexpanded char*.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Originally, we only kept a struct lxc_conf representing the current
container configuration.  This was insufficient because lxc.include's
were expanded, so a clone or a snapshot would contain the expanded
include file contents, rather than the original "lxc.include".  If
the host's include files are updated, clones and snapshots would not
inherit those updates.

To address this, we originally added a lxc_unexp_conf, which mirrored
the lxc_conf, except that lxc.include was not expanded.

This has its own cshortcomings, however,  In particular, if a lxc.include
has a lxc.cgroup setting, and you use the api to say:

c.clear_config_item("lxc.cgroup")

this is not representable in the lxc_unexp_conf.  (The original problem,
which was pointed out to me by stgraber, was slightly different, but
unlike this problem it was not unsolvable).

This patch changes the unexpanded configuration  to be a textual
representation of the configuration.  This allows us *order* the
configuration commands, which is what was not possible using the
struct lxc_conf *lxc_unexp_conf.

The write_config() now becomes a simple fwrite.  However, lxc_clone
is slightly complicated in parts, the worst of which is the need to
rewrite the network configuration if we are changing the macaddrs.

With this patch, lxc-clone and clear_config_item do the right thing.
lxc-test-saveconfig and lxc-test-clonetest both pass.

There is room for improvement - multiple calls to

c.append_config_item("lxc.network.link", "lxcbr0")

will result in multiple such lines in the configuration file.  In that
particular case it is harmless.  There may be cases where it is not.

Overall, this should be a huge improvement in terms of correctness.

Changelog: Aug 1: updated to current lxc git head.  All lxc-test* and
   python api test passed.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Pull the #defines and struct definitions for btrfs into a separate
.h file to not clutter bdev.c

Implement btrfs recursive delete support

A non-root user isn't allow to do the ioctls needed for searching (as you can
verify with 'btrfs subvolume list').  So for an unprivileged user, if the
rootfs has subvolumes under it, deletion will fail.  Otherwise, it will
succeed.

Changelog: Aug 1:
  . Fix wrong objid passing when determining directory paths
  . In do_remove_btrfs_children, avoid dereferencing NULL dirid
  . Fix memleak in error case.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Update for commit 719fae07Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Update for commit 7c661726Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Update for commit c00f3f36Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Update for commit 476d302cSigned-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Signed-off-by: Martin Pitt <martin.pitt@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

On Ubuntu we need to set up the AppArmor profiles also under systemd.
Add a new helper "lxc-apparmor-load" and integrate it into lxc.service.
Signed-off-by: Martin Pitt <martin.pitt@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

If /etc/rc.d/init.d/functions is not present or does not define an action()
function, provide a simple fallback using "echo".
Signed-off-by: Martin Pitt <martin.pitt@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

This is the equivalent of the upstart lxc-net.conf to set up the LXC bridge.

This also drops "lxc.service" from tarballs. It is built source which depends
on configure options, so the statically shipped file will not work on most
systems.

https://launchpad.net/bugs/1312532Signed-off-by: Martin Pitt <martin.pitt@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Don't install systemd unit files into $(prefix), they won't work there.
Instead, get them from systemd's pkg-config file.
Signed-off-by: Martin Pitt <martin.pitt@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Factor this out of the lxc-net.conf upstart job, so that it can be used by
init.d scripts and systemd units, too.

Part of https://launchpad.net/bugs/1312532Signed-off-by: Martin Pitt <martin.pitt@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

We only call it (so far) after doing a fork(), so this is fine.  If we
ever need such a thing from threaded context, we'll simply need to write
our own version for android.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

This gives me:

ubuntu@c-t1:~$ lxc-create -t download -n u1
lxc_container: No mapping for container root
lxc_container: Error chowning /home/ubuntu/.local/share/lxc/u1/rootfs to container root
lxc_container: You must either run as root, or define uid mappings
lxc_container: To pass uid mappings to lxc-create, you could create
lxc_container: ~/.config/lxc/default.conf:
lxc_container: lxc.include = /etc/lxc/default.conf
lxc_container: lxc.id_map = u 0 100000 65536
lxc_container: lxc.id_map = g 0 100000 65536
lxc_container: Error creating backing store type (none) for u1
lxc_container: Error creating container u1

when I create a container without having an id mapping defined.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

The virtd_lxc_t type provided by the default RHEL/CentOS/Oracle 6.5
policy is an unconfined_domain(), so it doesn't really enforce anything.
This change will provide a link in the documentation to an example
policy that does confine containers.

On more recent distributions with new enough policy, it is recommended
not to use this sample policy, but to use the types already available
on the system from /etc/selinux/targeted/contexts/lxc_contexts, ie:

process = "system_u:system_r:svirt_lxc_net_t:s0"
file = "system_u:object_r:svirt_sandbox_file_t:s0"
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

This adds the few missing bits so that the new lxc.environment config
entry can be queried, cleared and saved as the others are.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

It's quite useful to be able to configure containers by specifying
environment variables, which init (or initscripts) can use to adjust the
container's operation.

This patch adds one new configuration parameter, `lxc.environment`, which
can be specified zero or more times to define env vars to set in the
container, like this:

    lxc.environment = APP_ENV=production
    lxc.environment = SYSLOG_SERVER=192.0.2.42
    lxc.environment = SOMETHING_FUNNY=platypus

Default operation is unchanged; if the user doesn't specify any
lxc.environment parameters, the container environment will be what it is
today ('container=lxc').
Signed-off-by: Matt Palmer <mpalmer@hezmatt.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

This forces wget to retry if it gets a network error.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Introduce a new -F option (no-op for now) as an opposite of -d.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

apparmor: Allow slave bind mounts

Without this, if the system uses shared subtrees by default (like systemd), you
get a large stream of

  lxc-start: Permission denied - Failed to make /<mountpoint> rslave
  lxc-start: Continuing...

with

  apparmor="DENIED" operation="mount" info="failed flags match" error=-13
  profile="/usr/bin/lxc-start" name="/" pid=17284 comm="lxc-start" flags="rw, slave"

and eventual failure plus a lot of leftover mounts in the host.

https://launchpad.net/bugs/1325468

Signed-off-by: Trần Ngọc Quân <vnwildman@gmail.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

We detect whether ovs-vsctl is available.  If so, then we support
adding network interfaces to openvswitch bridges with it.

Note that with this patch, veths do not appear to be removed from the
openvswitch bridge.  This seems a bug in openvswitch, as the veths
in fact do disappear from the system.  If lxc is required to remove
the port from the bridge manually, that becomes more complicated
for unprivileged containers, as it would require a setuid-root
wrapper to be called at shutdown.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Rather than always using eth0.  Otherwise unpriv containers cannot have
multiple lxc.network.type = veth's without manually setting
lxc.network.name =.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Signed-off-by: Stefano Ansaloni <ansalonistefano@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

This patch adds SIGPWR support to lxc_init.
This helps to properly shutdown lxc_init based containers.
Signed-off-by: Nikolay Martynov <mar.kolya@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Also fix the comment in lxc-cirros template (which I overlooked last time).
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

That mount hook predates the lxc.mount.auto = cgroup option.  So mention
that instead.

Perhaps we should simply drop the mountcgroup hook from the tree, but
I'm not doing that in this patch.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>