- 08 Jan, 2010 9 commits
-
-
Daniel Lezcano authored
Removed extra </command>.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
-
Michael Holzt authored
When the configuration path does not exist, lxc_create misleadingly tells that it was not set.
Signed-off-by: Michael Holzt <lxc@my.fqdn.org>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
-
Michael Holzt authored
lxc.pc and scripts/lxc-busybox are missing from .gitignore
Signed-off-by: Michael Holzt <lxc@my.fqdn.org>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
-
Michael Holzt authored
Rename doc/examples/lxc-complex-config.in to lxc-complex.conf.in as all other examples in this directory have a .conf ending as well.
Signed-off-by: Michael Holzt <lxc@my.fqdn.org>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
-
Daniel Lezcano authored
Remove dead code.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
-
Michael Holtz authored
lxc currently does a chroot into the target rootfs. chroot is insecure and can easily be broken, as demonstrated here:
| root@synergy:~# touch /this_is_the_realrootfs_ouch
| # touch /container/webhost/this_is_the_container
| # lxc-start -n webhost /bin/sh
| # ls this*
| this_is_the_container
| # ./breakchroot
| # ls this*
| this_is_the_realrootfs_ouch
code to break chroot taken from http://www.bpfh.net/simes/computing/chroot-break.html
Now this can be fixed. As our container has its own mount namespace, we can easily pivot_root into the rootfs and then unmount all old mounts. The patch attached adds a new config keyword which contains the path to a temporary mount for the old rootfs (inside the container). This stops the chroot break method shown before.
Example:
| root@synergy:~# grep pivotdir /var/lib/lxc/webhost/config
| lxc.pivotdir = /oldrootfs
| root@synergy:~# ls -lad /container/webhost/oldrootfs
| drwxr-xr-x 2 root root 4096 2010-01-02 03:59 /container/webhost/oldrootfs
| root@synergy:~# lxc-start -n webhost /bin/sh
| # mount -t proc proc /proc
| # cat /proc/mounts
| rootfs / rootfs rw 0 0
| /dev/root / ext3 rw,relatime,errors=remount-ro,data=writeback 0 0
| devpts /dev/console devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
| proc /proc proc rw,relatime 0 0
| # ls this*
| this_is_the_container
| # ./breakchroot
| # ls this*
| this_is_the_container
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Signed-off-by: Michael Holtz <lxc@my.fqdn.org>
-
Michel Normand authored
conf object is on stack and is used in forked process.
Signed-off-by: Michel Normand <normand@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
-
Michel Normand authored
this is a side effect of previous patch I made on this same function in commit a6ddef61
Signed-off-by: Michel Normand <normand@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
-
Michel Normand authored
few added lines to document the new lxc-create -t option
Signed-off-by: Michel Normand <normand@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
-
- 05 Jan, 2010 1 commit
-
-
Paul Fee authored
Fix and clarify some parts of the lxc.conf man page.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
-
- 28 Dec, 2009 1 commit
-
-
Daniel Lezcano authored
The future kernel 2.6.33 will incorporate the macvlan bridge mode where all the macvlan will be able to communicate if they are using the same physical interface. This is an interesting feature to have containers to communicate together. If we are outside of the container, we have to set up a macvlan on the same physical interface as the containers and use it to communicate with them.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
-
- 27 Dec, 2009 4 commits
-
-
Daniel Lezcano authored
This script builds a busybox rootfs and provides the associated configuration to run the busybox.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
-
Daniel Lezcano authored
Cleanup the script, simplify it and pass the arguments to this script to be callable by lxc-create template logic.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
-
Daniel Lezcano authored
The lxc-create command is now able to call a sub script to install a mini template. Right now, debian is supported. The rootfs is stored automatically in <lxcpath>/<name>/rootfs. So the rootfs is a subdirectory of the container configuration directory. When lxc-destroy is called, the rootfs is deleted with the container configuration.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
-
Daniel Lezcano authored
The lxc-debian is epurated and consolidated with a better error handling. This script is no longer interactive but it installs in a specified place the debian rootfs. This script is not supposed to be called directly so it will fall in libexec path very soon. This script is called by lxc-create as a template with the right option and the right place. The debian network configuration is by dhcp.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
-
- 18 Dec, 2009 1 commit
-
-
Daniel Lezcano authored
Added missing carriage-return when adding a new entry.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
-
- 15 Dec, 2009 3 commits
-
-
Jamal Hadi Salim authored
Some devices like veth or vlans have a bit of extra details that are specific to them. Example veth.pair and vlan.vlanid. Separate them from the common so we can update cleanly in the future.
Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
Acked-by: Daniel Lezcano <daniel.lezcano@free.fr>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
-
Jamal Hadi Salim authored
This adds ability to migrate vlan interfaces into namespaces by specifying them in a config
Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
Acked-by: Daniel Lezcano <daniel.lezcano@free.fr>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
-
Jamal Hadi Salim authored
Add utility functions to parse a u16 and put a u16 on a netlink message
Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
Acked-by: Daniel Lezcano <daniel.lezcano@free.fr>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
-
- 26 Nov, 2009 9 commits
-
-
Daniel Lezcano authored
lxc_get_cgroup_path is used in the file but the header defining the function is missing.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
-
Andrian Nord authored
If you're running (by mistake or typo) (via lxc-start) container that does not exist it will run with lxc.rootfs=/, meaning that /sbin/init will restart initialization procedure, efficiently messing host's system, that may lead to unpredictable results or even destroy (make inaccessible) host system (by resetting network configuration or something like that). (Actually, it _did_ destroy system of everyone who tested this). Actually, I finally lost any meaning of having such a feature for full-system containers. You may not use host's FS - it's described above. You may not use some temporary directory - that's nonsense. This patch forbids starting container via lxc-start without rcfile and custom start program, but probably it fixes only small part of problem. I really don't see much sense in such a feature without ability of overriding 'default' setting with command line switches. Anyway, default behaviour should be as safe as possible.
Signed-off-by: Andrian Nord <NightNord@gmail.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
-
Daniel Lezcano authored
The rcfile is parsed in the lxc_start function. This is not the place to do that. Let the caller do that. In the meantime, we have the lxc_conf structure filled right before calling the lxc_start function so we can do some sanity check on the configuration to not break the system when we launch the container.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
-
Jamal Hadi Salim authored
Remove unnecessary reset of msg.msg_controllen
Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
-
Sven Wegener authored
commit 985d15b1 "fix fdleak and errors in lxc_create_tty()" created a zero-sized malloc(), causing memory corruption. use config->tty like all the other code does.
Signed-off-by: Sven Wegener <sven.wegener@stealer.net>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
-
Michael Tokarev authored
the same cleanup as in instanciate_macvlan(). Just makes code shorter and less "jumpy" (as with goto back)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
-
Michael Tokarev authored
Currently we allocate veth device with random name on host side, so that things like firewall rules or accounting do not work at all. Fix this by recognizing yet another keyword to specify the host-side device name: lxc.network.pair, and use it instead of random name if specified.
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
-
Michel Normand authored
The purpose of this patch is to limit the search of pids to those in containers by looking at first in the /cgroup/<name>/tasks when --lxc or --names options are specified by user. The idea is to speedup the output when only few container names are specified while the machine is running with many processes.
Signed-off-by: Michel Normand <michel.mno@free.fr>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
-
Michel Normand authored
With previous changes that allow to start a container without the need to create it; the lxc-ls was only reporting the created containers. With this patch, the lxc-ls is now reporting created and active containers.
Signed-off-by: Michel Normand <michel.mno@free.fr>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
-
- 24 Nov, 2009 3 commits
-
-
Michel Normand authored
Fix bad name parameter in the lxc-ps man page.
Signed-off-by: Michel Normand <michel.mno@free.fr>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
-
Michel Normand authored
this state is reported when the lxc-freeze command was issued on the container.
Signed-off-by: Michel Normand <normand@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
-
Michael Tokarev authored
if, for some reason, openpty() fails, lxc_create_tty() will leak all previous ptys and leave the config structure in an inconsistent state (wrt the number of ptys actually opened). Fix that by explicitly closing all previously opened ptys in case of failure and by setting number of actually opened ttys after actual open
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
-
- 20 Nov, 2009 7 commits
-
-
Daniel Lezcano authored
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
-
Daniel Lezcano authored
The configuration examples have been moved to doc/lxc/examples.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
-
Michael Tokarev authored
Ensure that lxc.netdev.link is specified for macvlan interfaces, since it's required. While at it, simplify logic in instanciate_macvlan(): remove unnecessary-complicating goto statements (we only need to perform a cleanup in one place)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
-
Michael Tokarev authored
Before, a veth device pair required a link which was treated as a bridge device. Code crashed if there was no lxc.network.link specified. Fix that by allowing lxc.network.link to be unset
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
-
Daniel Lezcano authored
The container will be a directory where the user can store everything, so we create one directory and store a configuration file inside.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
-
Daniel Lezcano authored
With the previous modifications, a temporary directory is created to mount the rootfs in order to have the system container to remount itself the '/' directory. But in case of daemonize, we change the directory, so when the rootfs is specified with a relative path, we can not access it. Don't chdir, as that will be done automatically later in the chroot setup.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
-
Daniel Lezcano authored
Update the man pages regarding the different modifications.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
-
- 19 Nov, 2009 2 commits
-
-
Michel Normand authored
Change Checkpoint / Restart API
Signed-off-by: Michel Normand <normand@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
-
Michel Normand authored
Remove checkpoint / restart dead code.
Signed-off-by: Michel Normand <normand@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
-