- 07 Mar, 2014 8 commits
-
-
Stéphane Graber authored
Signed-off-by:Stéphane Graber <stgraber@ubuntu.com>
-
S.Çağlar Onur authored
Signed-off-by:
S.Çağlar Onur <caglar@10ur.org> Signed-off-by:
Serge Hallyn <serge.hallyn@ubuntu.com>
-
S.Çağlar Onur authored
This doesn't solve the general design problem of the log.c (eg; some log lines got lost or scattered into multiple files) but at least prevent multithreaded code from crashing. Before this change something like following; sudo src/tests/lxc-test-concurrent -i 10 -j 20 was crashing nearly all the time due to 3afbcc46 as we started to set lxc.loglevel and lxc.logfile with that commit. Signed-off-by:
-
Serge Hallyn authored
This reverts commit 1da0ad1e.
-
S.Çağlar Onur authored
Signed-off-by:
-
Serge Hallyn authored
Thanks to S.Çağlar for figuring out that we needed this! Also fix a memory leak found by coverity. Signed-off-by: -
Serge Hallyn authored
Signed-off-by: -
Dwight Engen authored
The fds for stdin,stdout,stderr that we were leaving open for /sbin/init in the container were those from /dev/tty or lxc.console (if given), which wasn't right. Inside the container it should only have access to the pty that lxc creates representing the console. This was noticed because busybox's init was resetting the termio on its stdin which was effecting the actual users terminal instead of the pty. This meant it was setting icanon so were were not passing keystrokes immediately to the pty, and hence command line history/editing wasn't working. Fix by dup'ing the console pty to stdin,stdout,stderr just before exec()ing /sbin/init. Fix fd leak in error handling that I noticed while going through this code. Also tested with lxc.console = none, lxc.console = /dev/tty7 and no lxc.console specified. Signed-off-by:
Dwight Engen <dwight.engen@oracle.com> Acked-by:
-
- 05 Mar, 2014 8 commits
-
-
Serge Hallyn authored
And add a testcase to catch regressions. Without this patch, restoring a snapshot of an overlayfs based container fails, because we do not pass in LXC_CLONE_SNAPSHOT, and overlayfs does not support clone without snapshot. Signed-off-by:
-
Stéphane Graber authored
Signed-off-by: -
Serge Hallyn authored
Drop the thread mutex. Set a (TLS) boolean at container start to indicate that the connection should be kept open; set it back to false only when container start is complete. Every cgm_ method opens the connection if not already open, and closes it if cgm_keep_connection is false. Signed-off-by:
-
Serge Hallyn authored
1. remove the cgm_dbus_disconnected handler. We're using a proxy anyway, and not keeping it around. 2. comment most of the cgm functions to describe when they are called, to ease locking review 3. the cgmanager mutex is now held for the duration of a connection, from cgm_dbus_connect to cgm_dbus_disconnect. 3b. so remove the mutex lock/unlock from functions which are called during container startup with the cgmanager connection already up 4. remove the cgroup_restart(). It's no longer needed since we don't daemonize while we have the cgmanager socket open. 5. report errors and return early if cgm_dbus_connect() fails 6. don't keep the cgm connection open after cgm_ops_init. I'm a bit torn on this one as it means that things like lxc-start will always connect twice. But if we do this there is no good answer, given threaded API users, on when to drop that initial connection. 7. cgm_unfreeze and nrtasks: grab the dbus connection, as we'll never have it at that point. (technically i doubt anyone will use cgmanager and utmp helper on the same host :) 8. lxc_spawn: make sure we only disconnect cgroups if they were already connected. Signed-off-by:
-
Stéphane Graber authored
This reworks the way lxc-ls works in nesting mode. In the past it'd use attach_wait's subprocess function to call itself in the container's namespace, carefully only attaching to the namespaces it needed. This works great for system containers but not so much as soon as you also need to attach to userns. Instead this fix moves all of the container listing code into a get_containers function (hence the massive diff, sorry), this function is then called recursively. For running containers, the function is called through attach_wait inside the container's namespace, for stopped container, the function is simply called recursively with a base path (container's rootfs) in an attempt to find containers that way. Communication between the parent lxc-ls and the child lxc-ls is done through a temporary fd and serialized state using json (similar to what was done using stdout in the previous implementation). As get_global_config_item unfortunately caches the values, there's no easy way to figure out what the lxcpath should be for a root container when running as non-root, so just use @LXCPATH@ for now and have python do the parsing itself. As a result, the following things now work as expected: - listing nested unprivileged containers (root containers inside unpriv) - listing nested containers when they're not running - filtering containers in nesting mode (only the first level is filtered) - copy with invalid config (used to traceback) Signed-off-by:
-
Stéphane Graber authored
get_global_config_item was added in _lxc but not mapped into lxc itself, this resolves this oversight. Signed-off-by:
-
Serge Hallyn authored
If the user maps container root to his host uid, chown_mapped_rootid tries to make the same mapping twice and gets -EINVAL. Reported-by:
Andy Whitcroft <apw@canonical.com> Signed-off-by:
-
Natanael Copa authored
Install lua files under the confiugred --prefix rather than use the pkg-config's variables LUA_INSTALL_[CL]MOD. Users will likely want user --prefix while packagers will use DESTDIR. Set the default to $datadir/lua/$LUA_VERSION for arch independent lua modules and $libdir/lua/$LUA_VERSION for arch dependant .so module. This should work for most distros. If it does not, then packagers can still do: make install lualibdir=$(pkg-config lua --variable=INSTALL_CMOD) ... This fixes #169 Signed-off-by:
Natanael Copa <ncopa@alpinelinux.org> Acked-by:
-
- 03 Mar, 2014 9 commits
-
-
Serge Hallyn authored
If clone is called from the api, the container object in memory retains the bad fs. The line is wrong, being a leftover from a previous attempt before copy_storage was moved earlier. Signed-off-by: -
Dwight Engen authored
also remove /usr special case for non-debian distros since systemd itself sets systemunitdir=$(rootprefix)/lib/systemd/system Signed-off-by:
-
Stéphane Graber authored
When adding the missing return value in Caglar's change (as discussed on the mailing-list), I set err = -1 instead or ret = -1, causing an obvious build failure... Signed-off-by: -
Stéphane Graber authored
Signed-off-by: -
Serge Hallyn authored
Only do the funky chroot_into_slave if / is in fact the rootfs. Rootfs is a special blacklisted case for pivot_root. If / is not rootfs but is shared, just mount / rslave. We're already in our own namespace. This appears to solve the extra /proc/$$/mount entries in containers and the host directories in lxc-attach which have been plagueing at least fedora and arch. Signed-off-by:
-
Serge Hallyn authored
Otherwise an interrupted clone can lead to the original rootfs being delete. There is a period during lxcapi_clone during which we have written down a temporary configuration file on disk, for the new container, using the old rootfs. Interruption of clone doesn't allow us to do the cleanup we do in error paths, so a subsequent lxc-destroy removes the old rootfs. Fix this by doing the copy_storage as early as possible, and not writing down the rootfs when we write down the temporary configuration file. (note - I tested this by putting a series of 'if (strcmp(newname, "u%d") == 0) exit(1)' inline to trigger interruption between most blocks. If someone has a good idea for a generic way to regression-test this henceforth that'd be great) See https://bugs.launchpad.net/lxc/+bug/1285850Signed-off-by:
-
S.Çağlar Onur authored
fixes #131 changes since v1; * uses btrfs snapshot feature only if src and dest are on same fs Signed-off-by:
-
Serge Hallyn authored
There are only a few times when we need to be connected to the cgroup manager: * when starting a container, from cgm_init until we've set cgroup limits * when changing a cgroup setting (while running) * when cleaning up (when shutting down) * around the cgroup entering at attach So only connect/disconnect the cgmanager socket on-demand as needed. This should have a few benefits. 1. Reduce the # open fds when many containers are running 2. if cgmanager is stopped and restarted, the container doesn't have to deal with the disconnection. This is currently RFC. There are a few issues outstanding: 1. the cgm_set and cgm_get may need to be made thread-safe. 2. a non-daemonized start which fails while cgm is connected, will not disconnected. Signed-off-by:
-
Johannes Kastl authored
Signed-off-by:
Johannes Kastl <git@ojkastl.de> Acked-by:
-
- 01 Mar, 2014 2 commits
-
-
Stéphane Graber authored
The use of a subshell was causing various failures, re-arrange not to use one. Signed-off-by: -
Serge Hallyn authored
Signed-off-by:
-
- 27 Feb, 2014 7 commits
-
-
Stéphane Graber authored
This change makes it possible to create unprivileged containers as root. They will be stored in the usual system wide location, use the usual system wide cache but will be running using a uid/gid map. This also updates lxc_usernsexec to use the same function as the rest of LXC, centralizing all the userns switch in a single function. That function now detects the presence of newuidmap and newgidmap on the system, if they are present, they will be used for containers created as either user or root. If they're not and the user isn't root, an error is shown. If they're not and the user is root, LXC will directly set the uid_map and gid_map values. All that should allow for a consistent experience as well as supporting distributions that don't yet ship newuidmap/newgidmap. To make things simpler in the future, an helper function "on_path" is also introduced and used to detect the presence of newuidmap and newgidmap. Signed-off-by:
-
Stéphane Graber authored
In the case where /var/lib/lxc itself was not accessible, print_top_failing_dir would fail to print the error message. This fixes it and also change the initial access check for X_OK instead of R_OK (to match what we actually need and print_top_failing_dir's own check). Signed-off-by:
-
Stéphane Graber authored
The previous change fixed parsing of multiple uid/gid ranges by using a while loop, however a failure in that loop will cause the script to exit (due to -e), so we need to ignore the return value of the commands inside that loop. Signed-off-by: -
S.Çağlar Onur authored
Signed-off-by:
-
Vitaly Lavrov authored
The container with "lxc.network.type=phys" halted with error on reboot. Error message: *** glibc detected *** lxc-start: realloc(): invalid pointer: 0x0948eed0 *** We have a sequence: 1) conf->saved_nic = relloc(NULL) on start start.c:container save_phys_nics() 2) free(conf->saved_nics) after stop container conf.c:lxc_rename_phys_nics_on_shutdown() 3) conf->saved_nic = relloc(conf->saved_nics) on restart container start.c:save_phys_nics() -> error relloc() free(conf->saved_nics) in lxc_rename_phys_nics_on_shutdown() unnecessary, it will be called later in lxc_clear_saved_nics(). Signed-off-by:
Vitaly Lavrov <vel21ripn@gmail.com> Acked-by:
-
Dwight Engen authored
When booting an OL7 container on OL6, systemd in the OL7 container mounted some extra cgroup controllers, which are then present in /proc/self/cgroups of every task on the host. This is the list used by attach to determine which cgroups to move the attached task into, but when it asks the container over the command interface for the path to the subsystem this will fail since the controller didn't exist when the container was first started. Instead of failing, this change allows the attach to continue, warning that those cgroups that could not be found won't be attached to. The problem can be more simply reproduced by starting a busybox container, mounting a cgroup that was not previously mounted, and then attempting to attach to to the busybox container. The problem will likely not manifest with cgmanager since it only requests the path for the first controller, which is likely to always be mounted. Signed-off-by:
-
Stéphane Graber authored
This adds yet another case in the in_userns function detecting the case where an unprivileged container is created by the real uid 0, in which case we want to share the system wide cache but still use the unprivileged templates and unpack method. Signed-off-by:
-
- 26 Feb, 2014 1 commit
-
-
Stéphane Graber authored
Without this change, a request to *.LXC_DOMAIN that doesn't get a local result from dnsmasq will be forwarded to its upstream server with the potential of a loop. Thanks to Ed for the patch on Launchpad (LP: #1246094). Reported-by: Ed Swierk Signed-off-by:
-
- 25 Feb, 2014 5 commits
-
-
Stéphane Graber authored
Signed-off-by:
-
Stéphane Graber authored
With this change it's now possible to add wlan devices to the container. This will track down the right phy device, move it to the right namespace (we don't care about its name), then if the user asked for a new device name for the actual interface, we attach to the container and rename the interface in there using attach. I have tested this to work with both Intel and Atheros NICs. This patch is based on the one provided to lxc-devel by Gregor Beck and has then been updated to do the device renaming as well as minor code style changes. Thanks! Reported-by:
Gregor Beck <gbeck@sernet.de> Signed-off-by:
-
Stéphane Graber authored
Signed-off-by: -
Serge Hallyn authored
(this expands on Dwight's recent patch, commit c597baa8) After unshare(CLONE_NEWNS) and before doing any mounting, always check whether rootfs is shared. Otherwise template runs or clone scripts can bleed mount activity to the host. Signed-off-by:
-
Serge Hallyn authored
Note that if a task other than init violates the seccomp policy, we cannot catch that. Init will catch it and (if it feels like it) log it. Signed-off-by:
-
