- 15 Jan, 2014 6 commits
-
-
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Stéphane Graber authored
The path isn't relative to @LOCALSTATEDIR@

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Qiang Huang authored
If we start container with rcfile (see comments in lxc_start.c), it is possible that we have no config file in /usr/local/var/lib/lxc. So when we try lxc_stop, lxc_container_new will not load any config so we'll get c->lxc_conf = NULL. In that case, we'll get Segmentation fault in lxcapi_shutdown, a simple check would fix this.

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
- 14 Jan, 2014 20 commits
-
-
Stéphane Graber authored
Instead of always returning -1 and calling SYSERROR when the child returns non-zero, have userns_exec_1 always return the return value from the function it's calling and let the caller do the error handling (as is already done by its only caller).

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
-
Stéphane Graber authored
It's been brought to my attention that the read-only mount of /proc/sys is causing problems to archlinux users, so instead just have LXC mount proc and sysfs normally (read-write).

Reported-by: John Lane <john@lane.uk.net>
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
-
John Lane authored
Signed-off-by: John Lane <john@lane.uk.net>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
John Lane authored
Signed-off-by: John Lane <john@lane.uk.net>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
John Lane authored
Signed-off-by: John Lane <john@lane.uk.net>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
John Lane authored
Signed-off-by: John Lane <john@lane.uk.net>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Michael H. Warfield authored
This is a reissue of two previous patches along with some additional changes for hardening the root password process based on discussions on-list.

--

This patch modifies the lxc-fedora and lxc-centos templates for 3 things.

1) Extensively modifies root password generation, storage, and management based on discussions on the devel list.

   Root passwords are hardened and have advanced configurability.
     A static password may be provided.
     A password based on a template may be generated, including ${RANDOM}.
     A password may be generated through mktmp using a template with X's.
   Root passwords default to expired, initially.
   Passwords may optionally be echoed to stdout at container creation. (no)
   Passwords may optionally be stored in ${rootfs_path}/tmp_root_pass. (yes)
   Users may be optionally forced to change the password at creation time. (no)
   Default is to generate a pattern based password and store, no force change.
   All of this may be overridden by environment variables through conditional assignment.

2) Random static hardware addresses are generated for all configured interfaces.

3) Add code to create sysv init style scripts to intercept shutdown and reboot to prevent init restart and hang for CentOS and legacy Fedora systems on shutdown, reboot, init 0, and init 6. This solves a variety of hang conditions but only affects newly created containers. Does not have any impact on systemd based containers.

Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
-
lxc@zitta.fr authored
Signed-off-by: gza <lxc@zitta.fr>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Serge Hallyn authored
Pretty much the only case where we do NOT want to daemonize a container start is lxc-start. So make c->daemonize true by default, and have lxc-start set it to false.

If there are existing API users who rely on daemonize by default, then they will be broken by this. It seems we should do this before beta1 if we're going to do it.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Chris Glass authored
This makes the ubuntu and ubuntu-cloud templates automatically aware of apt proxy settings when the LXC host has "squid-deb-proxy-client" installed. This makes installations *much* faster when a suitable squid-deb-proxy is found on the network (or installed on the host).

Signed-off-by: Chris Glass <tribaal@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Elan Ruusamäe authored
  - [[ ]] -> [ ]
  - == -> =
  - source -> .
  - redirect of fd 200 is error in mksh, use fd 9
  - &> /dev/null -> > /dev/null 2>&1
  - useless function keyword
  - echo -e -> printf

still left bash shebang which did not validate with checkbashism, mostly due 'type' being reported as bashism

Signed-Off-By: Elan Ruusamäe <glen@delfi.ee>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Åsmund Grammeltvedt authored
Signed-off-by: Åsmund Grammeltvedt <asmundg@snap.tv>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Stéphane Graber authored
This adds a new --force-cache parameter which will force use of the cache even for expired images.

An expired image is now only flushed from the cache once a new one is successfully downloaded (to avoid destroying the local cache when the host doesn't have internet connectivity).

The ID of the build in cache is also tracked so that we don't re-download something we already have (should only happen if we don't have a new build published by the time the previous one expires).

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Stéphane Graber authored
Instead of hardcoding --exclude=./dev/*, use a new metadata file "excludes" which lists all the paths or patterns to exclude during extraction (one per line).

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
KATOH Yasufumi authored
  * Update Japanese lxc.conf(5) for commit 508c263e
  * Remove duplicate line in English lxc.conf(5)

Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Dwight Engen authored
  - show full path to failed download location
  - change test to -f in case meta.tar.xz:templates has a blank line it won't attempt to sed a directory

Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
- 13 Jan, 2014 14 commits
-
-
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
-
Serge Hallyn authored
Some functions which wanted to know about cgroup paths were located in other files. Move them into cgroup.c, so that all knowledge of the cgroup backend can be colocated.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Luka Perkov authored
Signed-off-by: Luka Perkov <luka.perkov@sartura.hr>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Luka Perkov authored
The removed chunk is already defined in utils.h which is included in modified files.

Signed-off-by: Luka Perkov <luka.perkov@sartura.hr>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Dwight Engen authored
Introduced in commit df2d4205.

Reported-by: S.Çağlar Onur <caglar@10ur.org>
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
S.Çağlar Onur authored
Signed-off-by: S.Çağlar Onur <caglar@10ur.org>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
Serge Hallyn authored
By setting lxc.network.hwaddr to something like fe:xx:xx:xx:xx:xx each "x" will be replaced by a random value. If less significant bit of first byte is "templated", it will be set to 0.

This change also introduces a common randinit() function that could be used to initialize random generator.

Signed-off-by: gza <lxc@zitta.fr>
Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
KATOH Yasufumi authored
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
Serge Hallyn authored
It simply creates a test user and tries to create and start a container as that user. Tries to lxc-attach to that container to test network connectivity.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Serge Hallyn authored
It's nice if we can do it, but not required. Exiting on this failure causes lxc-create started by root as a less-privileged userid to fail.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Dwight Engen authored
Since previously I had found a config item that wasn't being propagated by lxc-clone, I went through all the config items and made sure that:
  a) Each item is documented in lxc.conf
  b) Each item is written out by write_config

The only one that isn't is lxc.include, which by its nature only pulls in other config item types.

Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Serge Hallyn authored
Currently when a container is shut down, lxc walks the set of all cgroup paths it created, in reverse order, and tries to remove them. This doesn't suffice if the container has also created new cgroups.

It'd be impolite to recursively remove all the cgroup paths we created, since this can include '/lxc' and thereunder all other containers started since.

This patch changes container shutdown to only delete the container's own path, but do so recursively. Note that if we fail during startup, the container won't have created any cgroup paths so the old way works fine.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Stéphane Graber authored
This adds a new template called "download". It's a fairly simple template with a minimal set of dependencies which will grab any pre-built image available on https://images.linuxcontainers.org

Note that the serverside is still work in progress (missing SSL support).

Access is done over https by default with a warning being emitted if fallback to http was required (may be needed for testing, when behind proxy and with private servers).

All index files and tarballs are gpg-signed with the default pubkeyid contained in the template itself.

The main benefit of this template is to be entirely distribution-agnostic, any template that can be integrated with the server build infrastructure will then work on any LXC machine when using the download template.

This template is also compatible with user namespaces and will hopefully help widen the number of distros that may work in unprivileged LXC.

This commit also bundles a small change to the template configs to have the ubuntu template (used by the download template) to work with unprivileged LXC.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
-