- 04 Apr, 2014 14 commits
-
-
Leonid Isaev authored
Cleanups: 1. Do not modify container's /etc/hosts (archlinux uses /etc/nsswitch.conf) 2. Remove duplicate lines from config 3. Print a nicer final message 4. Get rid of some grep's Signed-off-by:
Leonid Isaev <lisaev@umail.iu.edu> Acked-by:
Stéphane Graber <stgraber@ubuntu.com>
-
Leonid Isaev authored
Do not copy the pacman master key from the host, as this opens it to attacks; generate a new secret hostkey. Signed-off-by:
-
Leonid Isaev authored
Do not cherry-pick packages for the default install to avoid dependency issues. Instead, install the base group modulo blacklisted packages. Signed-off-by:
-
Robert Vogelgesang authored
Place log file into LOGPATH instead of LXCPATH (but still use the given lxcpath if the latter differs from LXCPATH). Signed-off-by:
Robert Vogelgesang <vogel@users.sourceforge.net> Acked-by:
-
Robert Vogelgesang authored
Fix parsing of /etc/lxc/default.conf, i. e. ignore comments, and don't require whitespace left and right of the equal sign. Make the early return actually work. Signed-off-by:
-
S.Çağlar Onur authored
Signed-off-by:
S.Çağlar Onur <caglar@10ur.org> Acked-by:
-
Stéphane Graber authored
Signed-off-by:
Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Dwight Engen authored
When lxc-info's stdout is not line buffered (ie. "lxc-info -n foo |more") the first three lines will be duplicated. This is because c->get_ips() comes next and it forks and the child will exit() causing its fds to be closed which flushes out its (fork duplicated) stdio buffers. The lines are then duplicated when the parent actually gets around to flushing out its stdio. This causes problems for programs (such as the lxc-webpanel) which are popen()ing lxc-info. The fix here isn't necessarily the right one, but does show what the problem is. Seems like maybe we should fix this inside of get_ips(), for other API callers as well. Signed-off-by:
Dwight Engen <dwight.engen@oracle.com> Signed-off-by:
-
Michael H. Warfield authored
Added lxc.arch to the resulting container configuration files to support i686 on x86_64 cross arch containers. Signed-off-by:
Michael H. Warfield <mhw@WittsEnd.com> Signed-off-by:
-
Dwight Engen authored
Reported-by:
Florian Klink <flokli@flokli.de> Signed-off-by:
-
Serge Hallyn authored
Allow writes to kernel.shm*, net.*, kernel/domainname and kernel/hostname, Also fix a bug in the lxc-generate-aa-rules.py script in a path which wasn't being exercised before, which returned a path element rather than its child. Changelog (v2): remove trailing / from block path Signed-off-by:
-
Guillaume ZITTA authored
Signed-off-by:
Guillaume ZITTA <lxc@zitta.fr> Acked-by:
-
Guillaume ZITTA authored
fix lack of any generated locale Signed-off-by:
-
Stéphane Graber authored
This should help it run better on slow test environment like the LXC CI armhf builder. - Wait longer for the container to start - Wait longer for the container to shutdown - On failure to shutdown, kill the container - Always destroy the container if it's around Signed-off-by:
-
- 01 Apr, 2014 11 commits
-
-
Guillaume ZITTA authored
fix lxc-console not working by default Signed-off-by:
-
Serge Hallyn authored
This uses the generate-apparmor-rules.py script I sent out some time ago to auto-generate apparmor rules based on a higher level set of block/allow rules. Add apparmor policy testcase to make sure that some of the paths we expect to be denied (and allowed) write access to are in fact in effect in the final policy. With this policy, libvirt in a container is able to start its default network, which previously it could not. v2: address feedback from stgraber put lxc-generate-aa-rules.py into EXTRA_DIST add lxc-test-apparmor, container-base and container-rules to .gitignore take lxc-test-apparmor out of EXTRA_DIST make lxc-generate-aa-rules.py pep8-compliant don't automatically generate apparmor rules This is only bc we can't be guaranteed that python3 will be available. Signed-off-by:
-
Serge Hallyn authored
Leave the line to do it (commented out) as some users may not be using cgmanager, and may in fact still need those mounts. Signed-off-by:
-
Stéphane Graber authored
Signed-off-by:
-
Stéphane Graber authored
Signed-off-by:
-
Stéphane Graber authored
Signed-off-by:
-
Dwight Engen authored
Signed-off-by:
-
Dwight Engen authored
oracle-template: Split patching rootfs vs one time setup into separate shell functions so the template can be run with --patch. oracle-template: Update to install the yum plugin and itself (as lxc-patch) into a container. The plugin just runs lxc-patch --patch <path> so it is fairly generic, but in this case it is running a copy of the template inside the container. Signed-off-by:
-
Bogdan Purcareata authored
If a default mode is not set, the container requires an explicit mode specified in the config file, otherwise creating the container fails. Signed-off-by:
Bogdan Purcareata <bogdan.purcareata@freescale.com> Signed-off-by:
-
Serge Hallyn authored
Using the multiarch dir causes problems when running lxc-execute on amd64 with an i386 container. /sbin/lxc-init is a more confusing name and will show up in 'lxc<tab>'. /sbin/init.lxc should be quite obvious as an init for lxc. Signed-off-by:
-
Florian Klink authored
this expands c597baa8 and 2c6f3fc9. Also move the block using detect_ramfs_rootfs() from setup_rootfs() to lxc_setup() Signed-off-by:
-
- 27 Mar, 2014 1 commit
-
-
Stéphane Graber authored
Signed-off-by:
-
- 26 Mar, 2014 1 commit
-
-
Bogdan Purcareata authored
Add LXC_NET_NONE to known lxc_network_types, so parsing a config file with lxc.network.type = none does not result in failure (e.g. doc/examples/lxc-no-netns.conf). Options have also been reordered to match the enum in conf.h. Signed-off-by:
-
- 25 Mar, 2014 1 commit
-
-
Serge Hallyn authored
If we start a lxc_wait on a container while it is exiting, it is possible that we open the command socket, then the command socket monitor closes all its mainloop sockets and exit, then we send our credentials. Then we get killed by SIGPIPE. Handle that case, recognizing that if we get sigpipe then the container is (now) stopped. Signed-off-by:
-
- 24 Mar, 2014 4 commits
-
-
Stéphane Graber authored
This updates all configs to include the exact same set of 7 bind-mounted devices: - console - full - null - random - tty - urandom - zero Signed-off-by:
-
Stéphane Graber authored
Don't bother access information that the user didn't request. Signed-off-by:
-
Stéphane Graber authored
This resolves the memory math when memsw is enabled and fixes reporting of nested containers memory when using cgmanager. Signed-off-by:
-
Bogdan Purcareata authored
Signed-off-by:
-
- 23 Mar, 2014 3 commits
-
-
Michael H. Warfield authored
Added code to catch SIGPWR for Upstart in Fedora and CentOS containers as well as for Systemd in Fedora containers. Signed-off-by:
-
Michael H. Warfield authored
If the container does not already contain an /etc/localtime timezone definition, then copy a definition from the host to the container. This is often a symlink to an appropriate system timezone definition files and is presumed to exist in Signed-off-by:
-
Michael H. Warfield authored
Corner case existed when building a cross-arch container (i686 on x86_64) on a cross-distro host (Fedora container on Ubuntu host). Fixed the arch "fixup" code to do the right thing when running from the bootstrap. Signed-off-by:
-
- 21 Mar, 2014 5 commits
-
-
Dwight Engen authored
The fds for stdin,stdout,stderr that we were leaving open for /sbin/init in the container were those from /dev/tty or lxc.console (if given), which wasn't right. Inside the container it should only have access to the pty that lxc creates representing the console. This was noticed because busybox's init was resetting the termio on its stdin which was effecting the actual users terminal instead of the pty. This meant it was setting icanon so were were not passing keystrokes immediately to the pty, and hence command line history/editing wasn't working. Fix by dup'ing the console pty to stdin,stdout,stderr just before exec()ing /sbin/init. Fix fd leak in error handling that I noticed while going through this code. Also tested with lxc.console = none, lxc.console = /dev/tty7 and no lxc.console specified. V2: The first version was getting EBADF sometimes on dup2() because lxc_console_set_stdfds() was being called after lxc_check_inherited() had already closed the fds for the pty. Fix by calling lxc_check_inherited() as late as possible which also extends coverage of open fd checked code. V3: Don't move lxc_check_inherited() since it needs to be called while the tmp proc mount is still mounted. Move call to lxc_console_set_stdfds() just before it. Signed-off-by:
-
KATOH Yasufumi authored
Update for commit a526a632Signed-off-by:
KATOH Yasufumi <karma@jazz.email.ne.jp> Acked-by:
-
Serge Hallyn authored
It looks like either libdbus or libnih is showing some corruption with threaded access to the cgmanager-client library. Until we can straighten that out, mutex access to the cgmanager. The worst part of this is having to take and drop the mutex at every fork. This also means that we can't keep a connection open for the duration of container startup, since that would deadlock forks. If we were going to keep it like this, then we could get rid of some code in start.c. However we take a performance hit here which I really hope we can rectify soon. The other approach we could take would be to keep a global count of references to cgroup_manager. Mutex the open, close, and each use of the cgroup_manager proxy (and the inc/dec of the refcount). This way we could in fact keep the connection open for the duration of container start. The atfork handler child_fn would have to close the connection if open. Signed-off-by:
-
Holger Amann authored
/etc/mtab doesn’t exist after bootstrapping a debian container, and will be created as regular file after first start. That leads to at least two errors: - output of `mount` is wrong and get messed up the more often you start/stop the container - /dev/pts/ptmx has wrong permissions Signed-off-by:
Holger Amann <holger@sauspiel.de> Acked-by:
-
Serge Hallyn authored
Signed-off-by:
-
