- 18 Feb, 2013 1 commit
-
-
Daniel Lezcano authored
Signed-off-by: Daniel Lezcano <daniel.lezcano@free.fr>
-
- 13 Feb, 2013 1 commit
-
-
git://github.com/lxc/lxc
Daniel Lezcano authored
Signed-off-by: Daniel Lezcano <daniel.lezcano@free.fr>
-
- 11 Feb, 2013 6 commits
-
-
Dwight Engen authored
Add [gs]et_config_path from API to Lua binding. Add additional optional parameter to container_new(). Add tests for these new Lua API bindings.

Commit 2a59a681 changed the meaning of lxc_path_get() in the binding, causing lua script breakage. Reinstate original behavior of lxc_path_get() and rename it to lxc_default_config_path_get() to make its intent clearer.

Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Serge Hallyn authored
The previous lxcpath patches added support for a custom LXCPATH set through a system-wide configuration file. This was also exposed through the C api, so that a custom lxcpath could be set at the container object instantiation time, or set at runtime. However the command sock filename was always located under the global lxcpath, which could be confusing, and would be a problem for users with insufficient perms to the system-wide lxc path (i.e. if setting lxcpath to $HOME/lxcbase).

This patch changes that by passing the lxcpath to all callers of lxc_command().

It remains to add an lxcpath command line argument to most of the command line tools (which are not using the C api) - lxc-start, lxc-info, lxc-stop, etc.

At this point it becomes tempting to do something like

    c = lxc.Container("r1", "/var/lib/lxc")
    c2 = lxc.Container("r1", "$HOME/lxcbase")

However, that's problematic - those two will use the same directory names for cgroup directories. What would be the best way to handle this? One way (which I kind of like) is to give up on naming the cgroups after the container. Use mkstemp for the cgroup name, let lxc keep track of the cgroup name based on the command socket, and make users use lxc-cgroup to get and change settings. Other ideas?

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Stéphane Graber authored
Add the two new calls to the API and add the new container_path parameter to the constructor (optional). This also extends list_containers to support the config_path parameter.

At this point none of the actual tools are changed to make use of those as we'll probably want to make sure all the tools get the extra option at once.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Tested-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Serge Hallyn authored
1. When calling c->set_config_path(), update configfile. I.e. if we are setting the config_path to /var/lib/lxc, then the configfile should be changed to /var/lib/lxc/$container/config

2. Add an optional configpath argument to lxc_container_new. If NULL, then the default will be used (as before). If set, then the passed-in path will be used. This way you can do

    c1 = lxc.Container("r1", "/var/lib/lxc");
    c2 = lxc.Container("r2", "/home/user/lxcbase");

(Note I did *not* implement the python or lua binding to pass that argument along)

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Stéphane Graber authored
This simply adds an extra blank line between the original lxc config and the template generated options. In typical use cases, this means that we'll now get the header, then a blank line, then default.conf content, then a blank line and finally the template generated config.

The wording of the header is also changed slightly so that it fits in the usual 80 columns.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Stéphane Graber authored
This introduces manpages for:
 - lxc-checkconfig
 - lxc-device
 - lxc-info
 - lxc-netstat
 - lxc-shutdown (wasn't in Makefile)
 - lxc-start-ephemeral
 - lxc-version

This commit also sorts configure.ac and Makefile.am.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
- 08 Feb, 2013 6 commits
-
-
Serge Hallyn authored
Also fix some tabs-as-spaces in lxc_unshare.c itself.

lxc-unshare: run usage() on '-h'

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Serge Hallyn authored
And doing so pointed out a bug in lxc-clone itself - it claims default fssize is 2G. It's not.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Stéphane Graber authored
lxc.functions.in is meant to be sourced, not to be called as a script. So as it's not executable and not meant to be, it shouldn't have a /bin/sh shebang.

This fixes an error reported by lintian.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Stéphane Graber authored
As discussed earlier this week, lxc-setcap and lxc-setuid have been in pretty bad shape lately. Most if not all distros recommend against using them or don't ship them at all.

With the ongoing work to get user namespaces working in upstream LXC, we think it's best to drop those two now as we prepare to land proper setuid helpers to deal with user namespaces.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Alexander Vladimirov authored
Add mknod to lxc.cap.drop since udev is conditioned on CAP_MKNOD capability. Update base package list.

Signed-off-by: Alexander Vladimirov <alexander.idkfa.vladimirov@gmail.com>
Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
Serge Hallyn authored
Here is a patch to introduce a configurable system-wide lxcpath. It seems to work with lxc-create, lxc-start, and basic python3 lxc usage through the api.

For shell functions, a new /usr/share/lxc/lxc.functions is introduced which sets some of the basic global variables, including evaluating the right place for lxc_path.

I have not converted any of the other python code, as I was not sure where we should keep the common functions (i.e. for now just default_lxc_path()).

configure.ac: add an option for setting the global config file name.
utils: add a default_lxc_path() function
Use default_lxc_path in .c files
define get_lxc_path() and set_lxc_path() in C api
use get_lxc_path() in lua api
create sh helper for getting default path from config file
fix up scripts to use lxc.functions

Changelog:
feb6:
  fix lxc_path in lxc.functions
  utils.c: as Dwight pointed out, don't close a NULL fin.
  utils.c: fix the parsing of lxcpath line
  lxc-start: print which rcfile we are using
  commands.c: As Dwight alluded to, the sockname handling was just ridiculous. Clean that up.
  use Dwight's recommendation for lxc.functions path: $datadir/lxc
  make lxccontainer->get_config_path() return const char *
    Per Dwight's suggestion, much nicer than returning strdup.
feb6 (v2):
  lxccontainer: set c->config_path before using it.
  convert legacy lxc-ls

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
- 06 Feb, 2013 2 commits
-
-
Dwight Engen authored
Reported-by: Alvaro Miranda <mirandaa@redrock.net.nz>
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Dwight Engen authored
This will soon be followed by the introduction of a "real" system wide /etc/lxc/lxc.conf storing global LXC settings.

Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
- 28 Jan, 2013 5 commits
-
-
Tomohiro Matsuyama authored
Signed-off-by: Tomohiro Matsuyama <tomo@cx4a.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Dwight Engen authored
The lua binding is based closely on the python binding. Also included are a test program for exercising the binding, and an lxc-top utility for showing statistics on running containers.

Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Serge Hallyn authored
If 'optional' is in the mount options, then avoid failure in mount().

Experiments suggest we could just do this checking data at mount_entry(), but that feels less proper than using hasmntopt() against the mntent.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Serge Hallyn authored
Until now, if a lxc-* (i.e. lxc-start) command did not specify a logfile (with -o logfile), the default was effectively 'none'. With this patch, the default becomes a per-container log file.

If a container config file specifies 'lxc.logfile', that will override the default. If a '-o logfile' argument is specified at lxc-start, then that will override both the default and the configuration file entry. Finally, '-o none' can be used to avoid having a logfile at all (in other words, the previous default), and that will override a lxc.logfile entry in the container configuration file.

If the user does not have rights to open the default, then 'none' will be used. However, in that case an error will show up on console. (We can work on removing that if it annoys people, but I think it is helpful, at least while we're still ironing this set out)

If the user or container configuration file specified a logfile, and the user does not have rights to open the default, then the action will fail.

One slight "mis-behavior" which I have not fixed (and may not fix) is that if a lxc.logfile is specified, the default logfile will still get created before we read the configuration file to find out there is a lxc.logfile entry.

changelog:
Jan 24: add --enable-configpath-log configure option
  When we log to /var/lib/lxc/$container/$container.log, several things need to be done differently than when we log into /var/log/lxc (for instance). So give it a configure option so we know what to do
  When the user specifies a logfile, we bail if we can't open it. But when opening the default logfile, the user may not have rights to open it, so in that case ignore it and continue as if using 'none'.
  When using /var/lib/lxc/$c/$c.log, we use $LOGPATH/$name/$name.log. Otherwise, we use $LOGPATH/$name.log.
  When using /var/lib/lxc/$c/$c.log, don't try to create the log path /var/lib/lxc/$c. It can only not exist if the container doesn't exist. We don't want to create the directory in that case.
  When using /var/log/lxc, then we do want to create the path if it does not exist.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Dwight Engen authored
rpm on ubuntu puts the rpm db under $HOME, which won't be /root if sudo is used

Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
- 23 Jan, 2013 3 commits
-
-
Dwight Engen authored
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Stéphane Graber authored
The logfile changes broke lxc-info and possibly more command line tools. Revert for now until we get those issues addressed. This reverts commit 74476cf1.
-
Stéphane Graber authored
The logfile changes broke lxc-info and possibly more command line tools. Revert for now until we get those issues addressed. This reverts commit b8e0503a.
-
- 22 Jan, 2013 4 commits
-
-
Serge Hallyn authored
log_open: make sure the parent directory for logfiles

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Serge Hallyn authored
[ Thanks to Stéphane and Dwight for the feedback on the previous patch ]

Until now, if a lxc-* (i.e. lxc-start) command did not specify a logfile (with -o logfile), the default was effectively 'none'. With this patch, the default becomes $LOGPATH/<container>/<container>.log.

LOGPATH is specified at configure time with '--with-log-path='. If unspecified, it is $LXCPATH, so that logs for container r2 will show up at /var/lib/lxc/r2/r2.log. LOGPATH must exist, while lxc will make sure to create $LOGPATH/<name>. As another example, Ubuntu will likely specify --with-log-path=/var/log/lxc (and place /var/log/lxc into debian/lxc.dirs), placing r2's logs in /var/log/lxc/r2/r2.log.

If a container config file specifies 'lxc.logfile', that will override the default. If a '-o logfile' argument is specified at lxc-start, then that will override both the default and the configuration file entry. Finally, '-o none' can be used to avoid having a logfile at all (in other words, the previous default), and that will override a lxc.logfile entry in the container configuration file.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
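The two logfile commits on this page (the 22 Jan version above and the 28 Jan re-land with --enable-configpath-log) describe a precedence chain and two distinct failure modes. The following is an added example, not LXC's own code: a Python model of that resolution logic, with the open(2) attempt stood in for by a callable so it runs without touching the filesystem. Function and parameter names are mine; the paths follow the examples in the commit messages.

```python
"""Logfile selection for lxc-* commands, modelled on the two logfile
commits on this page. Added example, not LXC project code.
"""
import os


class LogfileError(Exception):
    """Raised when an explicitly requested logfile cannot be opened."""


def default_logfile(name, logpath, configpath_log):
    """Default when neither '-o' nor lxc.logfile was given.

    configpath_log=True models --enable-configpath-log: the log sits next
    to the container config, $LOGPATH/$name/$name.log. Otherwise a
    dedicated log directory such as /var/log/lxc is used, $LOGPATH/$name.log.
    """
    if configpath_log:
        return os.path.join(logpath, name, name + ".log")
    return os.path.join(logpath, name + ".log")


def log_dir_policy(configpath_log):
    """Whether the log directory may be created on demand.

    With configpath-log the parent is /var/lib/lxc/$name, which is only
    missing when the container itself does not exist; creating it would
    plant a stray container directory, so it must already exist. With a
    directory like /var/log/lxc it is fine to create it.
    """
    return "require-existing" if configpath_log else "create"


def resolve_logfile(name, cli_logfile=None, config_logfile=None,
                    logpath="/var/lib/lxc", configpath_log=True,
                    can_open=lambda path: True):
    """Return (path, warning); path is None when no logfile is used.

    Precedence: '-o none' > '-o <file>' > lxc.logfile > default.
    An explicit choice that cannot be opened is fatal (LogfileError); an
    unopenable default is downgraded to 'none' with a warning, so a user
    without write access to the system lxcpath can still run the command.
    """
    if cli_logfile == "none":
        return None, None
    if cli_logfile is not None:
        chosen, explicit = cli_logfile, True
    elif config_logfile is not None:
        chosen, explicit = config_logfile, True
    else:
        chosen, explicit = default_logfile(name, logpath, configpath_log), False

    if can_open(chosen):
        return chosen, None
    if explicit:
        raise LogfileError("cannot open logfile %s" % chosen)
    return None, "cannot open default logfile %s, logging disabled" % chosen


if __name__ == "__main__":
    # Stand-in for the real open attempt: is the parent dir writable?
    writable = lambda p: os.access(os.path.dirname(p), os.W_OK)
    print(resolve_logfile("r2", can_open=writable))
    print(resolve_logfile("r2", cli_logfile="none", config_logfile="/tmp/r2.log"))
```

The asymmetry is the point worth keeping when reimplementing this anywhere: a default that silently falls back is fine, but a logfile the operator asked for and cannot get must fail loudly rather than leave a container running with no log.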
-
Matthias Brugger authored
In lxc-setcap the path to lxc-init wasn't set right, so that a call to the script failed with an error. This patch sets the path to the right directory.

Signed-off-by: Matthias Brugger <matthias.bgg@gmail.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Dwight Engen authored
This is for consistency with the rest of lxc, and also because type checks for shell builtins, a behavior that we do not want in these cases. Ensure stderr for which is redirected to /dev/null also.

Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
- 21 Jan, 2013 1 commit
-
-
Serge Hallyn authored
Only the container parent needs to keep that fd open. Close it as soon as the container's first task is spawned. Else it can show up in /proc/$$/fd in the container.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
- 15 Jan, 2013 7 commits
-
-
Stéphane Graber authored
In eglibc st_uid and st_gid are defined as unsigned integers, in bionic those are defined as unsigned long (which is inconsistent with the kernel's definition that's uint_32). To workaround this problem, simply cast those two to int.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Stéphane Graber authored
A quick scan through the code showed that lxc-oracle.in is the only file in the branch containing trailing whitespaces, this clears them.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
-
Purcareata Bogdan-B43198 authored
Dropbear implements lightweight SSH2 server and client functionality and is likely to be included in embedded Linux distros.

Signed-off-by: Purcareata Bogdan <B43198@freescale.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Serge Hallyn authored
The 3.8 kernel now supports uid mappings, so I believe it's appropriate to proceed with this patchset.

The container config supports new entries of the form:

    lxc.id_map = U 100000 0 10000
    lxc.id_map = G 100000 0 10000

meaning map 'virtual' uids (in the container) 0-10000 to uids 100000-110000 on the host, and same for gids.

So long as there are mappings specified in the container config, then CONFIG_NEWUSER will be used when the container is cloned. This means that container setup is no longer done with root privilege on the host, only root privilege in the container. Therefore cgroup setup is moved from the init task to the monitor task.

To use this patchset, you currently need to either use the raring kernel at ppa:serge-hallyn/usern-natty, or build your own kernel from either git://kernel.ubuntu.com/serge/quantal-userns.git. (Alternatively you can use Eric's tree at the latest userns-always-map-* branch at git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace.git but you will likely want to at least enable tmpfs mounts in user namespaces)

You also need to chown the files in the container rootfs into the mapped range. There is a utility at https://code.launchpad.net/~serge-hallyn/+junk/nsexec to do this. uidmapshift does the chowning, while the container-userns-convert script nicely wraps that program. So I simply

    sudo lxc-create -t ubuntu -n r1
    sudo container-userns-convert r1 200000

will create a container which is shifted so uid 0 in the container is uid 200000 on the host.

TODO: when doing setuid(0), need to only do that if 0 is one of the ids we map to. Similarly, when dropping capabilities, need to only not do that if 0 is one of the ids we map to. However, the question of what to do for 'weird' containers in private user namespaces is one I'm punting for later.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
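The id_map entries above define a translation between container ids and host ids, and the commit's TODO and the rootfs chown step both depend on answering "is this id mapped, and to what". The following is an added example, not LXC code and not the uidmapshift tool the commit points at: a Python parser for lxc.id_map lines plus the forward and inverse lookups, with a constructed sample config matching the commit message. Function names are mine. The field order follows the commit text ("U <host_start> <container_start> <range>"); later LXC releases changed the order of the two start fields, so check the lxc.container.conf man page of the release you actually run before reusing this.

```python
"""Container/host id translation for lxc.id_map entries.
Added example, not LXC project code. Field order follows the commit
message above: U|G <host_start> <container_start> <range>.
"""
from collections import namedtuple

IdMap = namedtuple("IdMap", "kind host_start container_start count")

# Constructed sample, mirroring the two lines in the commit message.
SAMPLE_CONFIG = """
lxc.utsname = r1
lxc.id_map = U 100000 0 10000
lxc.id_map = G 100000 0 10000   # same range for gids
"""


def parse_id_maps(config_text):
    """Parse lxc.id_map lines. Anything malformed raises ValueError rather
    than silently mapping ids somewhere unintended."""
    maps = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("lxc.id_map"):
            continue
        key, sep, value = line.partition("=")
        fields = value.split()
        if key.strip() != "lxc.id_map" or not sep or len(fields) != 4:
            raise ValueError("bad lxc.id_map line: %r" % raw)
        kind = fields[0]
        host, cont, count = int(fields[1]), int(fields[2]), int(fields[3])
        if kind not in ("U", "G") or host < 0 or cont < 0 or count <= 0:
            raise ValueError("bad lxc.id_map values: %r" % raw)
        maps.append(IdMap(kind, host, cont, count))
    return maps


def container_to_host(maps, kind, cid):
    """Host id for container id `cid`, or None when unmapped. A range of N
    starting at S covers container ids S .. S+N-1 (half-open interval)."""
    for m in maps:
        if m.kind == kind and m.container_start <= cid < m.container_start + m.count:
            return m.host_start + (cid - m.container_start)
    return None


def host_to_container(maps, kind, hid):
    """Inverse lookup, e.g. to interpret file ownership seen from the host."""
    for m in maps:
        if m.kind == kind and m.host_start <= hid < m.host_start + m.count:
            return m.container_start + (hid - m.host_start)
    return None


def root_is_mapped(maps):
    """The TODO in the commit: setuid(0) and capability dropping only make
    sense if uid 0 and gid 0 are among the mapped ids."""
    return (container_to_host(maps, "U", 0) is not None
            and container_to_host(maps, "G", 0) is not None)


def shift_owner(maps, uid, gid):
    """New (uid, gid) for a rootfs file being shifted into the mapped range,
    the chown step container-userns-convert performs. Unmapped owners raise
    so a partially converted rootfs is noticed instead of left mixed."""
    nuid = container_to_host(maps, "U", uid)
    ngid = container_to_host(maps, "G", gid)
    if nuid is None or ngid is None:
        raise ValueError("owner %d:%d has no lxc.id_map entry" % (uid, gid))
    return nuid, ngid


if __name__ == "__main__":
    maps = parse_id_maps(SAMPLE_CONFIG)
    for cid in (0, 33, 9999, 10000):
        print("container uid", cid, "-> host", container_to_host(maps, "U", cid))
```

Note that with a range of 10000 the last mapped container id is 9999, not 10000 as the prose rounds it; the half-open interval is what the kernel's uid_map count means, and an off-by-one here is exactly the kind of thing that leaves one id on the host side unowned or, worse, owned by the wrong principal.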
-
Serge Hallyn authored
This is a first step to enabling user namespaces. When starting a container in a new user namespace, the child will not have the rights to write to the cgroup fs. (We can give it that right, but don't always want to have to).

At the parent, we don't want to setup_cgroups() before the child has set itself up. But we also don't want to wait until it has started running its init, since that is racy.

Therefore introduce a new sync point. The child will let the parent know when it is ready to be confined, and wait for the parent to respond that it has done so. Then the child will finish constraining itself with LSM and seccomp and execute init.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Serge Hallyn authored
Always unblock parent when child setup fails, rather than just exiting.

Also remove a duplicate call to setup_cgroup(). We'll want it close to there for userns, but not right there - that's too late, and could happen after container init has done something bad without cgroup restrictions.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Christian Seiler authored
Make sure that when configuring containers that have interfaces containing multiple IP addresses they are added in the order of the configuration file (i.e. the first being the primary one) and not the reverse order.

Signed-off-by: Christian Seiler <christian@iwakd.de>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
- 14 Jan, 2013 2 commits
-
-
Michael H. Warfield authored
Ok... Here's the patch again. Since Serge is removing the loglevel structure member, this patch no longer references that element.

From the original description:

1) Removes run_makedev() and the call to it from conf.c per discussion.

2) Adds an lxc.hook.autodev hook. Note: This hook is very close (one routine level abstracted) from where the run_makedev was called. Anyone really rrreeeaaalllyyy needing MAKEDEV can add it in with a small shim script to do whatever they want under whatever distro they're using, so no functionality is lost there.

3) Added a number of environment variables for all the hook scripts to reference to assist in execution. Things like LXC_ROOTFS_MOUNT could be very useful but others were added as well. Room for more if anyone has an itch. All in one spot in lxc_start.c.

4) clearenv and putenv( "container=lxc" ) calls were moved to just after the "start" hook in the container just prior to actually firing up the container so we could use environment variables prior to that and have them flushed before firing up init. Nice side effect is that you can define environment variables and then call lxc-start and have them show up in those hooks scripts.

5) I actually DID update the man page for lxc.conf! I guess I lied when I said I wouldn't get that done.

[... and ...]

I added the rcfile to the lxc_conf structure as suggested and moved the setenv bundle from lxc-start.c over to start.c just prior to calling run_lxc_hooks for the pre-start hook.

Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
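The commit above removes run_makedev() and says anyone who still needs MAKEDEV can add a small shim as an lxc.hook.autodev hook, using the new hook environment. The following is an added example of such a shim, written here and not part of LXC or of the commit: a Python hook that creates the static /dev nodes under LXC_ROOTFS_MOUNT, the one variable the commit names (no other hook variables are assumed). Device numbers are the standard Linux ones; function names and the device list are mine. The symlink check is the caveat a practitioner wants: the hook runs from lxc-start with the host's privileges, so if a rootfs built from an untrusted image has replaced dev/ with a symlink, an unchecked mknod would land on the host. This also matters alongside the lxc.cap.drop change further up the page: once the container drops CAP_MKNOD, the hook is the only place these nodes can still be made.

```python
#!/usr/bin/env python3
"""Minimal lxc.hook.autodev shim recreating static /dev nodes.
Added example, not LXC project code. Uses only LXC_ROOTFS_MOUNT.
"""
import os
import stat
import sys

# (name, type, permissions, major, minor): the standard Linux static nodes.
STATIC_NODES = [
    ("null",    stat.S_IFCHR, 0o666, 1, 3),
    ("zero",    stat.S_IFCHR, 0o666, 1, 5),
    ("full",    stat.S_IFCHR, 0o666, 1, 7),
    ("random",  stat.S_IFCHR, 0o666, 1, 8),
    ("urandom", stat.S_IFCHR, 0o666, 1, 9),
    ("tty",     stat.S_IFCHR, 0o666, 5, 0),
]


def dev_dir(rootfs):
    """Return <rootfs>/dev, refusing to proceed if either component is a
    symlink. A symlinked dev/ in an untrusted rootfs would redirect the
    privileged mknod calls below to a path outside the container."""
    dev = os.path.join(rootfs, "dev")
    if os.path.islink(rootfs) or os.path.islink(dev):
        raise RuntimeError("refusing to follow symlink at %s" % dev)
    return dev


def plan_nodes(rootfs):
    """List of (path, mode, device) that make_nodes() would create."""
    dev = dev_dir(rootfs)
    return [(os.path.join(dev, name), kind | perm, os.makedev(major, minor))
            for name, kind, perm, major, minor in STATIC_NODES]


def make_nodes(rootfs, mknod=os.mknod, mkdir=os.mkdir):
    """Create the nodes that are missing; existing entries are left alone.
    Returns the paths created. Needs CAP_MKNOD, which the hook has because
    it runs before the container's own capability set is applied. The
    mknod/mkdir parameters exist so the logic can be exercised without
    privileges."""
    dev = dev_dir(rootfs)
    if not os.path.isdir(dev):
        mkdir(dev, 0o755)
    created = []
    for path, mode, device in plan_nodes(rootfs):
        if os.path.lexists(path):
            continue  # image already ships this node (or something in its place)
        mknod(path, mode, device)
        created.append(path)
    return created


if __name__ == "__main__":
    rootfs = os.environ.get("LXC_ROOTFS_MOUNT")
    if not rootfs:
        sys.exit("LXC_ROOTFS_MOUNT not set; run as lxc.hook.autodev")
    for p in make_nodes(rootfs):
        print("created", p)
```

Install it as `lxc.hook.autodev = /path/to/this-script` in the container config (the option name is the one the commit introduces; the path is yours). Existing entries are deliberately skipped rather than replaced, so an image that already provides its own /dev is not altered by the hook.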
-
Serge Hallyn authored
The options are still supported in the lxc configuration file. However they are stored only in local variables in src/lxc/log.c, which can be read using two new functions:

    int lxc_log_get_level(void);
    const char *lxc_log_get_file(void);

Changelog:
jan 14: have lxc_log_init use lxc_log_set_file(), have lxc_log_set_file() take a const char *, and have it keep its own strdup'd copy of the filename.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
- 13 Jan, 2013 1 commit
-
-
Stéphane Graber authored
In a previous change I added an ifdef for HAVE_SYS_TIMERFD_h rather than HAVE_SYS_TIMERFD_H, leading to a missing include of sys/timerfd.h on platforms that support it and ultimately to a build failure.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
-
- 11 Jan, 2013 1 commit
-
-
Stéphane Graber authored
The previous implementation of the openpty check was always returning 'no' as openpty is typically defined in util.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
-