- 19 Jul, 2016 1 commit
-
-
Committed by Olga Krishtal
Signed-off-by: Olga Krishtal <okrishtal@virtuozzo.com>
-
- 02 Jul, 2016 1 commit
-
-
Committed by Laine Stump
This patch takes the code out of lxcContainerRenameAndEnableInterfaces() that adds all IP addresses and IP routes to the interface, and puts it into a utility function virNetDevIPInfoAddToDev() in virnetdevip.c so that it can be used by anyone. One small change in functionality - lxcContainerRenameAndEnableInterfaces() previously would add all IP addresses to the interface while it was still offline, then set the interface online, and then add the routes. Because I don't want the utility function to set the interface online, I've moved this up so the interface is first set online, then IP addresses and routes are added. This is the same order that the network service from initscripts (in ifup-ether) does it, so it shouldn't pose any problem (and hasn't, in the tests that I've run). (This patch had been pushed earlier in commit f1e0d0da, but was reverted in commit 05eab475 because it had been accidentally pushed during the freeze for release 2.0.0)
-
- 27 Jun, 2016 9 commits
-
-
Committed by Laine Stump
This patch takes the code out of lxcContainerRenameAndEnableInterfaces() that adds all IP addresses and IP routes to the interface, and puts it into a utility function virNetDevIPInfoAddToDev() in virnetdevip.c so that it can be used by anyone. One small change in functionality - lxcContainerRenameAndEnableInterfaces() previously would add all IP addresses to the interface while it was still offline, then set the interface online, and then add the routes. Because I don't want the utility function to set the interface online, I've moved this up so the interface is first set online, then IP addresses and routes are added. This is the same order that the network service from initscripts (in ifup-ether) does it, so it shouldn't pose any problem (and hasn't, in the tests that I've run).
-
Committed by Laine Stump
It makes more sense to have the logging at the lower level so other callers can share the goodness. While removing so much stuff from / touching so many lines in lxcContainerRenameAndEnableInterfaces() (which used to have this debug/error logging), label names were changed and it was updated to use the now-more-common method of initializing ret to -1 (failure), then setting to 0 right before the cleanup label.
-
Committed by Laine Stump
All the same information was already there, just in slightly different places in the virDomainNetDef.
-
Committed by Laine Stump
These functions all need to be called from a utility function that must be located in the util directory, so we move them all into util/virnetdevip.[ch] now that it exists. Function and struct names were appropriately changed for the new location, but all code is unchanged aside from motion and renaming.
-
Committed by Laine Stump
This patch splits virnetdev.[ch] into multiple files, with the new virnetdevip.[ch] containing all the functions related to setting and retrieving IP-related info for a device (both addresses and routes).
-
Committed by Laine Stump
Commit c9a641 (first appeared in 1.2.12) added support for setting the guest-side IP address of veth devices in lxc domains. Unfortunately, it hardcoded the assumption that the proper prefix for any IP address with no explicit prefix in the config should be "24"; that is only correct for class C IPv4 addresses, but not for any other IPv4 address, nor for any IPv6 address. The good news is that there is already a function in libvirt that will determine the proper default prefix for any IP address. This patch replaces the use of the ill-fated VIR_SOCKET_ADDR_DEFAULT_PREFIX with calls to virSocketAddrGetIPPrefix().
-
Committed by Laine Stump
lxcContainerRenameAndEnableInterfaces() isn't making a copy of the interface's ifname_guest (into newname), it's just copying the pointer to it. This means that when it later calls VIR_FREE(newname), it's actually freeing up (and fortunately NULLing out, so at least we don't try to access free'd memory) netDef->ifname_guest.
-
Committed by Laine Stump
I'm tired of mistyping this all the time, so let's do it the same all the time (similar to how we changed all "Pci" to "PCI" awhile back). (NB: I've left alone some things in the esx and vbox drivers because I'm unable to compile them and they weren't obviously *not* a part of some API. I also didn't change a couple of variables named, e.g. "somethingIptables", because they were derived from the name of the "iptables" command)
- 20 May, 2016 1 commit
-
-
Committed by Jovanka Gulicoska
Convert to virGetLastErrorMessage() in the rest of the code
-
- 30 Apr, 2016 1 commit
-
-
Committed by Laine Stump
This reverts commit afee47d0, which added support to lxc for the "peer" attribute in domain interface <ip> elements. It's being removed temporarily for the release of libvirt 1.3.4 because the feature doesn't work, and there are concerns that it may need to be modified in an externally visible manner which could create backward compatibility problems.
-
- 08 Apr, 2016 2 commits
-
-
Committed by Vasiliy Tolstov
Signed-off-by: Vasiliy Tolstov <v.tolstov@selfip.ru>
-
Committed by Vasiliy Tolstov
Signed-off-by: Vasiliy Tolstov <v.tolstov@selfip.ru>
-
- 08 Mar, 2016 1 commit
-
-
Committed by Yuri Chornoivan
-
- 27 Jan, 2016 1 commit
-
-
Committed by Daniel P. Berrange
On the host when we start a container, it will be placed in a cgroup path of /machine.slice/machine-lxc\x2ddemo.scope under /sys/fs/cgroup/*

Inside the containers' namespace we need to setup /sys/fs/cgroup mounts, and currently will bind mount /machine.slice/machine-lxc\x2ddemo.scope on the host to appear as / in the container.

While this may sound nice, it confuses applications dealing with cgroups, because /proc/$PID/cgroup now does not match the directory in /sys/fs/cgroup

This particularly causes problems for systems and will make it create repeated path components in the cgroup for apps run in the container, e.g.

    /machine.slice/machine-lxc\x2ddemo.scope/machine.slice/machine-lxc\x2ddemo.scope/user.slice/user-0.slice/session-61.scope

This also causes any systemd service that uses sd-notify to fail to start, because when systemd receives the notification it won't be able to identify the corresponding unit it came from. In particular this breaks rabbitmq-server startup.

Future kernels will provide proper cgroup namespacing which will handle this problem, but until that time we should not try to play games with hiding parent cgroups.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
-
- 18 Nov, 2015 2 commits
-
-
Committed by Richard Weinberger
Instead of creating symlinks, bind mount the devices to /dev/pts/XY. Using bind mounts it is no longer needed to add pts devices to files like /etc/securetty.
Signed-off-by: Richard Weinberger <richard@nod.at>
-
Committed by Richard Weinberger
Userspace does not expect that the initial console is a controlling TTY. systemd can deal with that, others not. On sysv init distros getty will fail to spawn a controlling on /dev/console or /dev/tty1. Which will cause the whole container to reboot upon ctrl-c. This patch changes the behavior of libvirt to match the kernel behavior where the initial TTY is also not controlling. The only user visible change should be that a container with bash as PID 1 would complain. But this matches exactly the kernel behavior with init=/bin/bash. To get a controlling TTY for bash just run "setsid /bin/bash".
Signed-off-by: Richard Weinberger <richard@nod.at>
-
- 05 Sep, 2015 1 commit
-
-
Committed by John Ferlan
Commit id '692e9fac' used virProcessSetNamespaces instead of inlining the similar functionality; however, Coverity notes that the function prototype expects a size_t value and not an enum and complains. So, just typecast the enum as a size_t to avoid the noise.
-
- 27 Aug, 2015 3 commits
-
-
Committed by Michal Privoznik
After my previous commit this commit is no longer needed. This reverts commit eff95ac8.
-
Committed by Michal Privoznik
Now that virProcessSetNamespaces() does accept FD list in the correct format, we can simply turn lxcAttachNS into calling virProcessSetNamespaces().
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
-
Committed by John Ferlan
Commit id 'c27553b6' added a return -1 in a failure path without the necessary VIR_FREE(stack)
-
- 26 Aug, 2015 2 commits
-
-
Committed by Daniel P. Berrange
Older versions of glibc don't provide the setns() syscall function wrapper, so we must define it ourselves to prevent build failure on old distros.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
-
Committed by ik.nitk
This patch adds feature for lxc containers to inherit namespaces. This is very similar to what lxc-tools or docker provides. Look for "man lxc-start" and you will find that you can pass command args as [ --share-[net|ipc|uts] name|pid ]. Or check out docker networking option in which you can give --net=container:NAME_or_ID as an option for sharing namespace.

From this patch you can add extra libvirt option to share namespace in following way.

    <lxc:namespace>
      <lxc:sharenet type='netns' value='red'/>
      <lxc:shareipc type='pid' value='12345'/>
      <lxc:shareuts type='name' value='container1'/>
    </lxc:namespace>

The netns option is specific to sharenet. It can be used to inherit from existing network namespace.

Co-authored: Daniel P. Berrange <berrange@redhat.com>
-
- 16 Jun, 2015 1 commit
-
-
Committed by Eric W. Biederman
Future kernels will mandate the use of nosuid+nodev+noexec flags when mounting the /proc/sys filesystem. Unconditionally add them now since they don't harm things regardless and could mitigate future security attacks.
-
- 07 May, 2015 1 commit
-
-
Committed by Lubomir Rintel
Upping an interface for no reason and not configuring it is a cardinal sin. With the default addrgenmode of eui64 it sticks a link-local address to the interface. That is not good, as NetworkManager would see an address configured, assume the interface is already configured and won't touch it itself and the interface might stay unconfigured until the end of the days.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1124721
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
-
- 27 Jan, 2015 1 commit
-
-
Committed by Daniel P. Berrange
Add more logging to the lxc controller and container files to facilitate debugging startup problems. Also make it clear when the container is going to close stdout and thus no longer do any logging.
-
- 16 Jan, 2015 1 commit
-
-
Committed by Cédric Bosdonnat
-
- 12 Jan, 2015 1 commit
-
-
Committed by Guido Günther
Reported and patch provided by Bastian Blank at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769600
-
- 06 Jan, 2015 3 commits
-
-
Committed by Cédric Bosdonnat
Don't activate LXC network device if <link state='down'/> has been set in its configuration.
-
Committed by Cédric Bosdonnat
Actually set routes in lxc containers if there are defined ones.
-
Committed by Cédric Bosdonnat
Uses the new virDomainNetDef ips to set the IP addresses on the network interfaces in the container.
-
- 10 Dec, 2014 1 commit
-
-
Committed by Cédric Bosdonnat
Some programs want to change some values for the network interfaces configuration in /proc/sys/net/ipv[46] folders. Giving RW access on them allows wicked to work on openSUSE 13.2+. Reusing the lxcNeedNetworkNamespace function to tell lxcContainerMountBasicFS if the netns is disabled. When no netns is set up, then we don't mount the /proc/sys/net/ipv[46] folder RW as these would provide full access to the host NICs config.
-
- 28 Nov, 2014 1 commit
-
-
Committed by Jiri Denemark
virReportSystemError is reserved for reporting system errors, calling it with VIR_ERR_* error codes produces error messages that do not make any sense, such as

    internal error: guest failed to start: Kernel doesn't support user namespace: Link has been severed

We should prohibit wrong usage with a syntax-check rule.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
-
- 25 Nov, 2014 2 commits
-
-
Committed by Cédric Bosdonnat
The typical case where we had a problem is with such a filesystem definition as created by virt-sandbox-service:

    <filesystem type='bind' accessmode='passthrough'>
      <source dir='/var/lib/libvirt/filesystems/mysshd/var'/>
      <target dir='/var'/>
    </filesystem>

In this case, we don't want to unmount the /var subtree or we may lose the access to the source folder.
-
Committed by Cédric Bosdonnat
Resolving symlinks can fail before mounting any file system if one file system depends on another being mounted. Symlinks are now resolved in two passes:

  * Before any file system is mounted, but then we are more gentle if the source path can't be accessed
  * Right before mounting a file system, so that we are sure that we have the resolved path... but then if it can't be accessed we raise an error.
-
- 15 Nov, 2014 1 commit
-
-
Committed by Martin Kletzander
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
-
- 04 Nov, 2014 1 commit
-
-
Committed by Ján Tomko
A domain without a console quietly dies soon after start, because we try to set /dev/null as a controlling TTY

    2014-10-30 15:10:59.705+0000: 1: error : lxcContainerSetupFDs:283 : ioctl(TIOCSCTTY) failed: Inappropriate ioctl for device

Report an error early instead of trying to start it.

https://bugzilla.redhat.com/show_bug.cgi?id=1155410
-
- 31 Oct, 2014 1 commit
-
-
Committed by Ján Tomko
-