- 25 6月, 2012 1 次提交
-
-
由 Daniel P. Berrange 提交于
Introduce a new syntax for filesystems to allow use of a RAM filesystem <filesystem type='ram'> <source usage='10' units='MiB'/> <target dir='/mnt'/> </filesystem> The usage units default to KiB to limit consumption of host memory. * docs/formatdomain.html.in: Document new syntax * docs/schemas/domaincommon.rng: Add new attributes * src/conf/domain_conf.c: Parsing/formatting of RAM filesystems * src/lxc/lxc_container.c: Mounting of RAM filesystems Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
- 19 6月, 2012 4 次提交
-
-
由 Gao feng 提交于
when lxcContainerIdentifyCGroups failed, the memory it allocated has been freed, so we should not free this memory again in lxcContainerSetupPivortRoot and lxcContainerSetupExtraMounts. Signed-off-by: NGao feng <gaofeng@cn.fujitsu.com>
-
由 Gao feng 提交于
print debug info "container support is enabled" when host support the user or net namespace. Signed-off-by: NGao feng <gaofeng@cn.fujitsu.com>
-
由 Gao feng 提交于
kill the "return 0;" code, it will cause memory leak. Signed-off-by: NGao feng <gaofeng@cn.fujitsu.com>
-
由 Eric Blake 提交于
Introduced in commit 1f8c33b6. * src/lxc/lxc_container.c (lxcContainerGetSubtree): Avoid TAB.
-
- 18 6月, 2012 2 次提交
-
-
由 Gao feng 提交于
when libvirt_lxc trigger oom error in lxcContainerGetSubtree we should free the alloced memory for mounts. so when lxcContainerGetSubtree failed,we should do some memory cleanup in lxcContainerUnmountSubtree. Signed-off-by: NGao feng <gaofeng@cn.fujitsu.com>
-
由 Gao feng 提交于
we alloc the memory for format in lxcContainerMountDetectFilesystem but without free it in lxcContainerMountFSBlockHelper. this patch just call VIR_FREE to free it. Signed-off-by: NGao feng <gaofeng@cn.fujitsu.com>
-
- 15 6月, 2012 1 次提交
-
-
由 Daniel P. Berrange 提交于
This reverts commit c16b4c43 Author: Daniel P. Berrange <berrange@redhat.com> Date: Fri May 11 15:09:27 2012 +0100 Avoid LXC pivot root in the root source is still / This commit broke setup of /dev, because the code which deals with setting up a private /dev and /dev/pts only works if you do a pivotroot. The original intent of avoiding the pivot root was to try and ensure the new root has a minimumal mount tree. The better way todo this is to just unmount the bits we don't want (ie old /proc & /sys subtrees. So apply the logic from commit c529b47a Author: Daniel P. Berrange <berrange@redhat.com> Date: Fri May 11 11:35:28 2012 +0100 Trim /proc & /sys subtrees before mounting new instances to the pivot_root codepath as well
-
- 11 6月, 2012 3 次提交
-
-
由 Gao feng 提交于
we forgot to free fslist,just add VIR_FREE(fslist). Signed-off-by: NGao feng <gaofeng@cn.fujitsu.com>
-
由 Gao feng 提交于
when do remount,the source and target should be the same values specified in the initial mount() call. So change fs->dst to src. Signed-off-by: NGao feng <gaofeng@cn.fujitsu.com>
-
由 Gao feng 提交于
There is no code use the variable "src" in lxcContainerMountBasicFS. so delete it and VIR_FREE. Signed-off-by: NGao feng <gaofeng@cn.fujitsu.com>
-
- 16 5月, 2012 5 次提交
-
-
由 Daniel P. Berrange 提交于
Normal practice is for cgroups controllers to be mounted at /sys/fs/cgroup. When setting up a container, /sys is mounted with a new sysfs instance, thus we must re-mount all the cgroups controllers. The complexity is that we must mount them in the same layout as the host OS. ie if 'cpu' and 'cpuacct' were mounted at the same location in the host we must preserve this in the container. Also if any controllers are co-located we must setup symlinks from the individual controller name to the co-located mount-point Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
Both /proc and /sys may have sub-mounts in them from the host OS. We must explicitly unmount them all before mounting the new instance over that location. If we don't then /proc/mounts will show the sub-mounts as existing, even though nothing will be able to access them, due to the over-mount. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
If the LXC config has a filesystem <filesystem> <source dir='/'/> <target dir='/'/> </filesystem> then there is no need to go down the pivot root codepath. We can simply use the existing root as needed. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
Currently to make sysfs readonly, we remount the existing instance and then bind it readonly. Unfortunately this means sysfs is still showing device objects wrt the host OS namespace. We need it to reflect the container namespace, so we must mount a completely new instance of it. Do the same for selinuxfs since there is no benefit to bind mounting & this lets us simplify the code. * src/lxc/lxc_container.c: Mount fresh sysfs instance Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel Walsh 提交于
Instead of hardcoding use of SELinux contexts in the LXC driver, switch over to using the official security driver API. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
- 01 5月, 2012 1 次提交
-
-
由 Daniel P. Berrange 提交于
Once lxcContainerSetStdio is invoked, logging will not work as expected in libvirt_lxc. So make sure this is the last thing to be called, in particular after setting the security process label
-
- 30 3月, 2012 1 次提交
-
-
由 Daniel P. Berrange 提交于
The code is splattered with a mix of sizeof foo sizeof (foo) sizeof(foo) Standardize on sizeof(foo) and add a syntax check rule to enforce it Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
- 27 3月, 2012 2 次提交
-
-
由 Daniel P. Berrange 提交于
Pass argv to the init binary of LXC, using a new <initarg> element. * docs/formatdomain.html.in: Document <os> usage for containers * docs/schemas/domaincommon.rng: Add <initarg> element * src/conf/domain_conf.c, src/conf/domain_conf.h: parsing and formatting of <initarg> * src/lxc/lxc_container.c: Setup LXC argv * tests/Makefile.am, tests/lxcxml2xmldata/lxc-systemd.xml, tests/lxcxml2xmltest.c, tests/testutilslxc.c, tests/testutilslxc.h: Test parsing/formatting of LXC related XML parts
-
由 Daniel P. Berrange 提交于
The SELinux mount point moved from /selinux to /sys/fs/selinux when systemd came along. * configure.ac: Probe for SELinux mount point * src/lxc/lxc_container.c: Use SELinux mount point determined by configure.ac
-
- 16 3月, 2012 1 次提交
-
-
由 Daniel P. Berrange 提交于
If no <interface> elements are included in an LXC guest XML description, then the LXC guest will just see the host's network interfaces. It is desirable to be able to hide the host interfaces, without having to define any guest interfaces. This patch introduces a new feature flag <privnet/> to allow forcing of a private network namespace for LXC. In the future I also anticipate that we will add <privuser/> to force a private user ID namespace. * src/conf/domain_conf.c, src/conf/domain_conf.h: Add support for <privnet/> feature. Auto-set <privnet> if any <interface> devices are defined * src/lxc/lxc_container.c: Honour request for private network namespace
-
- 15 3月, 2012 1 次提交
-
-
由 Daniel P. Berrange 提交于
Systemd has declared that all container virtualization technologies should set 'container_uuid' to identify themselves. http://cgit.freedesktop.org/systemd/systemd/commit/?id=09b967eaa51a39dabb7f238927f67bd682466dbc
-
- 29 2月, 2012 1 次提交
-
-
由 Martin Kletzander 提交于
Just a cleanup of commit 32f881c6.
-
- 09 2月, 2012 1 次提交
-
-
由 Daniel P. Berrange 提交于
Some applications expect /dev/std{in,out,err} to exist. Populate them during container startup as symlinks to /proc/self/fd
-
- 04 2月, 2012 1 次提交
-
-
由 Philipp Hahn 提交于
compat{a->i}bility erron{->e}ous nec{c->}essary. Either "the" or "a". Signed-off-by: NPhilipp Hahn <hahn@univention.de>
-
- 03 2月, 2012 3 次提交
-
-
由 Martin Kletzander 提交于
This patch fixes the access of variable "con" in two files where the variable was declared only on SELinux builds and thus the build failed without SELinux. It's a rather nasty fix but helps fix the build quickly and without any major changes to the code.
-
由 Daniel P. Berrange 提交于
To allow the container to access /dev and /dev/pts when under sVirt, set an explicit mount option. Also set a max size on the /dev mount to prevent DOS on memory usage * src/lxc/lxc_container.c: Set /dev mount context * src/lxc/lxc_controller.c: Set /dev/pts mount context
-
由 Daniel P. Berrange 提交于
For the sake of backwards compat, LXC guests are *not* confined by default. This is because it is not practical to dynamically relabel containers using large filesystem trees. Applications can create confined containers though, by giving suitable XML configs * src/Makefile.am: Link libvirt_lxc to security drivers * src/lxc/libvirtd_lxc.aug, src/lxc/lxc_conf.h, src/lxc/lxc_conf.c, src/lxc/lxc.conf, src/lxc/test_libvirtd_lxc.aug: Config file handling for security driver * src/lxc/lxc_driver.c: Wire up security driver functions * src/lxc/lxc_controller.c: Add a '--security' flag to specify which security driver to activate * src/lxc/lxc_container.c, src/lxc/lxc_container.h: Set the process label just before exec'ing init.
-
- 25 1月, 2012 2 次提交
-
-
由 Eric Blake 提交于
Systemd detects containers based on whether they have an environment variable starting with 'container=lxc'; using a longer name fits the expectations, while also allowing detection of who created the container. Requested by Lennart Poettering, in response to https://bugs.freedesktop.org/show_bug.cgi?id=45175 * src/lxc/lxc_container.c (lxcContainerBuildInitCmd): Add another env-var.
-
由 Daniel P. Berrange 提交于
The current setup code for LXC is bind mounting /dev/pts/ptmx on top of a character device /dev/ptmx. This is denied by SELinux policy and is just wrong. The target of a bind mount should just be a plain file * src/lxc/lxc_container.c: Don't bind /dev/pts/ptmx onto a char device
-
- 18 1月, 2012 1 次提交
-
-
由 Daniel P. Berrange 提交于
Given an LXC guest with a root filesystem path of /export/lxc/roots/helloworld/root During startup, we will pivot the root filesystem to end up at /.oldroot/export/lxc/roots/helloworld/root We then try to open /.oldroot/export/lxc/roots/helloworld/root/dev/pts Now consider if '/export/lxc' is an absolute symlink pointing to '/media/lxc'. The kernel will try to open /media/lxc/roots/helloworld/root/dev/pts whereas it should be trying to open /.oldroot//media/lxc/roots/helloworld/root/dev/pts To deal with the fact that the root filesystem can be moved, we need to resolve symlinks in *any* part of the filesystem source path. * src/libvirt_private.syms, src/util/util.c, src/util/util.h: Add virFileResolveAllLinks to resolve all symlinks in a path * src/lxc/lxc_container.c: Resolve all symlinks in filesystem paths during startup
-
- 15 11月, 2011 2 次提交
-
-
由 Daniel P. Berrange 提交于
Move the virNetDevSetName and virNetDevSetNamespace APIs out of LXC's veth.c and into virnetdev.c. Move the remaining content of the file to src/util/virnetdevveth.c * src/lxc/veth.c: Rename to src/util/virnetdevveth.c * src/lxc/veth.h: Rename to src/util/virnetdevveth.h * src/util/virnetdev.c, src/util/virnetdev.h: Add virNetDevSetName and virNetDevSetNamespace * src/lxc/lxc_container.c, src/lxc/lxc_controller.c, src/lxc/lxc_driver.c: Update include paths
-
由 Daniel P. Berrange 提交于
The src/lxc/veth.c file contains APIs for managing veth devices, but some of the APIs duplicate stuff from src/util/virnetdev.h. Delete thed duplicate APIs and rename the remaining ones to follow virNetDevVethXXXX * src/lxc/veth.c, src/lxc/veth.h: Rename APIs & delete duplicates * src/lxc/lxc_container.c, src/lxc/lxc_controller.c, src/lxc/lxc_driver.c: Update for API renaming
-
- 12 11月, 2011 1 次提交
-
-
由 Eric Blake 提交于
* .gnulib: Update to latest, for improved syntax-check. * src/lxc/lxc_container.c (includes): Drop unused include. * src/network/bridge_driver.c: Likewise. * src/node_device/node_device_linux_sysfs.c: Likewise. * src/openvz/openvz_driver.c: Likewise. * src/qemu/qemu_conf.c: Likewise. * src/storage/storage_backend_iscsi.c: Likewise. * src/storage/storage_backend_mpath.c: Likewise. * src/uml/uml_conf.c: Likewise. * src/uml/uml_driver.c: Likewise.
-
- 03 11月, 2011 1 次提交
-
-
由 Daniel P. Berrange 提交于
Currently the LXC controller only supports setup of a single text console. This is wired up to the container init's stdio, as well as /dev/console and /dev/tty1. Extending support for multiple consoles, means wiring up additional PTYs to /dev/tty2, /dev/tty3, etc, etc. The LXC controller is passed multiple open file handles, one for each console requested. * src/lxc/lxc_container.c, src/lxc/lxc_container.h: Wire up all the /dev/ttyN links required to symlink to /dev/pts/NN * src/lxc/lxc_container.h: Open more container side /dev/pts/NN devices, and adapt event loop to handle I/O from all consoles * src/lxc/lxc_driver.c: Setup multiple host side PTYs
-
- 02 11月, 2011 5 次提交
-
-
由 Daniel P. Berrange 提交于
The LXC code for mounting container filesystems from block devices tries all filesystems in /etc/filesystems and possibly those in /proc/filesystems. The regular mount binary, however, first tries using libblkid to detect the format. Add support for doing the same in libvirt, since Fedora's /etc/filesystems is missing many formats, most notably ext4 which is the default filesystem Fedora uses! * src/Makefile.am: Link libvirt_lxc to libblkid * src/lxc/lxc_container.c: Probe filesystem format with libblkid
-
由 Daniel P. Berrange 提交于
If we looped through /etc/filesystems trying to mount with each type and failed all options, we forget to actually raise an error message. * src/lxc/lxc_container.c: Raise error if unable to detect the filesystems. Also fix existing error message
-
由 Daniel P. Berrange 提交于
The kernel automounter is mostly broken wrt to containers. Most notably if you start a new filesystem namespace and then attempt to unmount any autofs filesystem, it will typically fail with a weird error message like Failed to unmount '/.oldroot/sys/kernel/security':Too many levels of symbolic links Attempting to detach the autofs mount using umount2(MNT_DETACH) will also fail with the same error. Therefore if we get any error on unmount()ing a filesystem from the old root FS when starting a container, we must immediately break out and detach the entire old root filesystem (ignoring any mounts below it). This has the effect of making the old root filesystem inaccessible to anything inside the container, but at the cost that the mounts live on in the kernel until the container exits. Given that SystemD uses autofs by default, we need LXC to be robust this scenario and thus this tradeoff is worthwhile. * src/lxc/lxc_container.c: Detach root filesystem if any umount operation fails.
-
由 Daniel P. Berrange 提交于
The /etc/filesystems file can contain a '*' on the last line to indicate that /proc/filessystems should be tried next. We have a check that this '*' only occurs on the last line. Unfortunately when we then start reading /proc/filesystems, we mistakenly think we've seen '*' in /proc/filesystems and fail * src/lxc/lxc_container.c: Skip '*' validation when we're reading /proc/filesystems
-
由 Daniel P. Berrange 提交于
Only some of the return paths of lxcContainerWaitForContinue will have set errno. In other paths we need to set it manually to avoid the caller getting a random stale errno value * src/lxc/lxc_container.c: Set errno in lxcContainerWaitForContinue
-