- 05 Mar, 2012 1 commit
-
-
Serge Hallyn authored
when using ns cgroup, use /cgroup/<init-cgroup> rather than /cgroup/<init-cgroup>/lxc At least lxc-start, lxc-stop, lxc-cgroup, lxc-console and lxc-ls work with this patch. I've tested this in a 2.6.35 kernel with ns cgroup, and in a 3.2 kernel without ns cgroup. Note also that because of the check for container reboot support, if we're using the ns cgroup we now end up with a /cgroup/<container>/2 cgroup created, empty, by the clone(CLONE_NEWPID). I'm really not sure how much time we want to spend cleaning such things up since ns cgroup is deprecated in kernel. Signed-off-by:
Serge Hallyn <serge@hallyn.com> Signed-off-by:
Daniel Lezcano <dlezcano@fr.ibm.com>
-
- 01 Mar, 2012 2 commits
-
-
Daniel Lezcano authored
Signed-off-by: -
Daniel Lezcano authored
Signed-off-by:Daniel Lezcano <daniel.lezcano@free.fr>
-
- 26 Feb, 2012 31 commits
-
-
Daniel Lezcano authored
Reported-by : Denny Schierz <linuxmail@4lin.net> Signed-off-by: -
Serge Hallyn authored
Otherwise there is no clear indication to the user why the container startup failed. Signed-off-by:
-
Serge Hallyn authored
Add a macaddr if precisely one veth is specified but no hwaddr. Allow specifying ssh authkeys. In cloud template, copy locales by default and allow a tarball to be specified. Signed-off-by:
Ben Howard <ben.howard@canonical.com> Signed-off-by:
-
Serge Hallyn authored
1. --path is meant to be passed by lxc-create, but should not be passed in by users. Don't advertise it in --help. 2. --clean syntax ends up not making much sense. Get rid of it, and add '--flush-cache' option instead. Signed-off-by:
-
Serge Hallyn authored
The option is implied by '-d', because the admin won't see the warning message. Signed-off-by:
-
Serge Hallyn authored
Author: Stéphane Graber <stgraber@ubuntu.com> Use ubuntu/ubuntu instead of root/root by default. Stop removing tty[56].conf in Precise. Stop messing with dhclient.conf. Set devttydir on Precise to /dev/lxc to allow for clean upgrades. Signed-off-by:
Stéphane Graber <stgraber@ubuntu.com> Signed-off-by:
-
Serge Hallyn authored
If set, then the console and ttys will be bind-mounted not over /dev/console, but /dev/<ttydir>/console and then symlinked from there to /dev/console. Signed-off-by:
-
Ubuntu authored
btrfs support from Scott Moser. Signed-off-by:
Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by:
-
Ubuntu authored
From Scott Moser. Signed-off-by:
-
Serge Hallyn authored
Thanks to dlezcano for spotting this. Signed-off-by:
-
Serge Hallyn authored
Signed-off-by:
-
Serge Hallyn authored
This is a new template to create containers based on the ubuntu cloud images, rather than using debootstrap. Signed-off-by:
-
Serge Hallyn authored
lxcguest is no longer needed, as precise should boot in a container un-modified. Signed-off-by:
-
Serge Hallyn authored
netstat -x sometimes spits errors to stderr like: warning, got bogus unix line. Shut those up as they don't help lxc-ls. Signed-off-by:
-
Serge Hallyn authored
In order for reboot(LINUX_REBOOT_CMD_CADON) to detect whether container reboot is supported, it must be done in a non-init pid namespace. Fix that. Signed-off-by:
-
Serge Hallyn authored
The 'lxc-init' (a lightweight init process used by lxc-execute in place of upstart etc) tries to mount /dev/shm during startup. If that fails (for instance /dev/shm does not exist) then it aborts execution and returns -1. This is unreasonable as very few applications actually need /dev/shm. Signed-off-by:
-
Serge Hallyn authored
Don't call it an error if a container exits without calling sys_reboot. Particularly since that will almost always be the case with lxc-execute. This fixes a regression introduced in commit "49296e2ebfe7c5f9d6ebafbb54f5c5e56a0cc085: support proper container reboot" Signed-off-by:
-
Serge Hallyn authored
Support building a container of a foreign architecture if qemu-user-static is installed. This is done by installing some packages of the host architecture in the container using multi-arch. Author: Stéphane Graber <stgraber@ubuntu.com> Signed-off-by:
-
Serge Hallyn authored
Signed-off-by:
-
Serge Hallyn authored
If a container has created its own cgroups, i.e. by running libvirtd, then if we don't delete all child cgroups, then the rmdir will fail. Signed-off-by:
-
Serge Hallyn authored
Use the correct path for the container's cgroup task file. Also exit out early and cleanly if the container is not running, and bind-mount /proc/$pid/net with '-n' to keep the entry out of mtab, else the mtab entry will never go away. Signed-off-by:
-
Serge Hallyn authored
This patch looks for Daniel's kernel patch allowing the lxc monitor to tell container reboot from shutdown based on the exit signal. If that patch is not there, utmp monitoring is used. Otherwise, it only looks for the signal. Note that the 'conf->need_utmp_watch' is technically not necessary, as there is no harm in watching the utmp file. Signed-off-by:
-
Serge Hallyn authored
when --lvname is given, use that for lvcreate instead of using lxc_name, which is wrong. Signed-off-by:
-
Serge Hallyn authored
Signed-off-by:
-
Serge Hallyn authored
1. Some templates copy the cached pristine rootfs using 'cp a b' where b is $lxc_path/$name/rootfs. That doesn't do the right thing if rootfs already exists, as it will when it is an lvm or other mount. So switch to 'rsync a/ b/'. (cp can be made to work too of course). 2. Update lxc-create to support backing stores. For now only lvm is implemented. Signed-off-by:
-
Serge Hallyn authored
Don't delete a running container. If it's running, abort the delete unless a new '-f' (force) flag is given, in which case, stop it first. Handle the case where we can't find $rootfs in config Fix broken detection of lvm backing store Signed-off-by:
-
Serge Hallyn authored
With this patch, I can start a container 'o1' inside another container 'o1'. (Of course, the containers must be on a different subnet) Detail: 1. Create cgroups for containers under /lxc. 2. Support nested lxc: respect init's cgroup: Create cgroups under init's cgroup. So if we start a container c2 inside a container 'c1', we'll use /sys/fs/cgroup/freezer/lxc/c1/lxc/c2 instead of /sys/fs/cgroup/freezer/c2. This allows a container c1 to be created inside container c1 It also allow a container's limits to be enforced on all a container's children (which a MAC policy could already enforce, in which case current lxc code would be unable to nest altogether). 3. Finally, if a container's cgroup already exists, rename it rather than failing to start the container. Try to WARN the user so they might go clean the old cgroup up. Whereas without this patch, container o1's cgroup would be /sys/fs/cgroup/<subsys>/o1, it now becomes /sys/fs/cgroup/<subsys>/<initcgroup>/lxc/o1 so if init is in cgroup '/' then o1's freezer cgroup would be: /sys/fs/cgroup/freezer/lxc/o1 Changelog: . make lxc-ps work with separate mtab. If cgroups were mounted with -n, and mtab is not linked to /proc/self/mounts, then 'mount -t cgroup' won't show these mounts. So make lxc-ps not use it, but rather use /proc/self/mounts directly. . lxc-ls in the past assumed that a container's cgroup was just '/<name>'. Now it is '/<host-init-cgroup>/lxc/<name>'. Handle that. . first version of this patch was setting clone_children on <path-to-cpusets-cgroup>/<init-cgroup>/lxc, not the parent of that dir. That failed to initialize that cgroup, so tasks could not enter it. Signed-off-by:
-
Serge Hallyn authored
Particularly for LTS releases, which many people will want to use in their containers, it is not wise to not use -security and -updates. Furthermore the fix allowing ssh to allow the container to shut down is in lucid-updates only. With this patch, after debootstrapping a container, we add -updates and -security to sources.list and do an apt-get upgrade under chroot. Unfortunately we need to do this because debootstrap doesn't know how to. Signed-off-by:
-
Serge Hallyn authored
Thanks for Scott Moser for these, which allows qemu to run inside a container. Signed-off-by:
-
Serge Hallyn authored
mac_admin stops the container from loading LSM policy. Neither selinux nor apparmor currently will do well with automatic namespacing of policy (though it's coming in apparmor, after which we can re-enable this). Signed-off-by:
-
Serge Hallyn authored
Signed-off-by:
-
- 25 Feb, 2012 1 commit
-
-
Kevin Cernekee authored
The issue is similar to what was fixed in commit e7eb632c for ARM: the "configure" script errors out because it is unable to set LINUX_SRCARCH. Fix is to add MIPS to the list. Signed-off-by:
Kevin Cernekee <cernekee@gmail.com> Signed-off-by:
-
- 23 Feb, 2012 5 commits
-
-
Jon Nordby authored
## 0001-Replace-pkglib_PROGRAMS-with-pkglibexec_PROGRAMS.patch [diff] From 95c566740bba899acc7792c11fcdb3f4d32dcfc9 Mon Sep 17 00:00:00 2001 From: Jon Nordby <jononor@gmail.com> Date: Fri, 10 Feb 2012 11:38:35 +0100 Subject: [PATCH] Replace pkglib_PROGRAMS with pkglibexec_PROGRAMS Without this change, autogen.sh fails with automake 1.11.3 Signed-off-by: -
Christian Seiler authored
Signed-off-by: -
Christian Seiler authored
lxc-attach will now put the process that is attached to the container into the correct cgroups corresponding to the container, set the correct personality and drop the privileges. The information is extracted from entries in /proc of the init process of the container. Note that this relies on the (reasonable) assumption that the init process does not in fact drop additional capabilities from its bounding set. Additionally, 2 command line options are added to lxc-attach: One to prevent the capabilities from being dropped and the process from being put into the cgroup (-e, --elevated-privileges) and a second one to explicitly state the architecture which the process will see, (-a, --arch) which defaults to the container's current architecture. Signed-off-by: -
Christian Seiler authored
Since lxc-attach helper functions now have an own source file, lxc_attach is moved from namespace.c to attach.c and is renamed to lxc_attach_to_ns, because that better reflects what the function does (attaching to a container can also contain the setting of the process's personality, adding it to the corresponding cgroups and dropping specific capabilities). Signed-off-by: -
Christian Seiler authored
The following helper functions for lxc-attach are added to a new file attach.c: - lxc_proc_get_context_info: Get cgroup memberships, personality and capability bounding set from /proc for a given process. - lxc_proc_free_context_info: Free the data structure responsible - lxc_attach_proc_to_cgroups: Add the process specified by the pid parameter to the cgroups given by the ctx parameter. - lxc_attach_drop_privs: Drop capabilities to the capability mask given in the ctx parameter. Signed-off-by:
-
