OpenVZ-legacy / vzctl.ovzl

Author | Commit | Message | Commit date | Issues
Kir Kolyshkin
8f0707a7fc4 Released vzctl 4.0
    Changes: see http://wiki.openvz.org/Download/vzctl/4.0/changes
    Signed-off-by: Kir Kolyshkin <kir@openvz.org>
Kir Kolyshkin
d49f0e919f9 src/lib/cap.c: fix build with older userspace
    When building on RHEL5, the following error appears:
    > cap.c: In function 'set_cap_bound':
    > cap.c:213: error: 'PR_CAPBSET_DROP' undeclared (first use in this function)
    > cap.c:213: error: (Each undeclared identifier is reported only once
    > cap.c:213: error: for each function it appears in.)
    Fix as usual.
    Signed-off-by: Kir Kolyshkin <kir@openvz.org>
Glauber Costa, Kir Kolyshkin
f84404ff196 [upstream] vzctl stop: wait for tasks to vanish before considering empty complete
    We are currently facing problems because by the time we finish empty_container, some tasks may still be on their way to process the kill signal we just issued. A start / stop sequence can fail to cleanup the container due to that, and the same problem affects restart.
    Signed-off-by: Glauber Costa <glommer@parallels.com>
Kir Kolyshkin
f985f997405 arch-del_ip.sh: whitespace cleanup
    Spaces instead of tabs introduced by commit b9eb9fd
    Signed-off-by: Kir Kolyshkin <kir@openvz.org>
Kir Kolyshkin
9cd97fa728c arch-del_ip.sh: fix after commit b9eb9fd
    ... which changed CFGFILE= to OLDCFGFILE= but forgot to change its references. Sigh.
    Signed-off-by: Kir Kolyshkin <kir@openvz.org>
Kir Kolyshkin
6a1867e53f7 arch-del_ip.sh: fix
    From the bug reporter:
    > interface lines in /etc/rc.conf:
    >
    > venet0_0="venet0:0 173.245.4.250 netmask 255.255.255.255 broadcast 0.0.0.0"
    > venet0_1="venet0:1 10.10.10.12 netmask 255.255.255.255 broadcast 0.0.0.0"
    >
    > due to 'grep -B 1 -e "\\<${_IP}>\\" ${CFGFILE}'
    >
    > 'venet0_0
    > venet0_1'
    >
    > is used as argument for del_param() and ifdown, first one reports
    > incorrect syntax in sed expressi...
Kir Kolyshkin
f244c039e2d vzctl won't work with ploop-1.4
    But since we don't really want ploop-lib as a dependency (because vzctl is able to load ploop lib dynamically) we just specify Conflicts with older version. So, if ploop-lib < 1.5 is installed, vzctl installation will complain (and yum will probably try to resolve it), and if ploop-lib is not installed -- nothing will happen.
    Signed-off-by: Kir Kolyshkin <kir@openvz.org>
Kir Kolyshkin
da9e910853f Lifted libcgroup req to 0.37
    This is the version available on RHEL/CentOS 6.
    Signed-off-by: Kir Kolyshkin <kir@openvz.org>
Kir Kolyshkin
d472f8b57d0 vzmigrate: fix bashism
    Ooops... commit 24a78bb3d9a introduced bashism (using == instead of = when comparing strings in [ ]) and therefore the fix was only working in bash not dash.
    http://bugzilla.openvz.org/2316
    http://bugzilla.openvz.org/2356
    Reported-by: Kalin Bogatzevski <kalin@bul.net>
Kir Kolyshkin
012b1ddb987 vzctl mount,destroy,snapshot-list: error out for too many arguments
    Do not silently ignore extra (unneeded) arguments, print an error and fail.
    Signed-off-by: Kir Kolyshkin <kir@openvz.org>
Kir Kolyshkin
5e91165bfda init.d/vz: deduce /vz from VE_ROOT/VE_PRIVATE
    This is an improvement to commit 4733497. Instead of assuming that VE_ROOT and VE_PRIVATE are under /vz, find out their common prefix and use it. In case there's no common prefix (i.e. it is /) we do nothing.
    http://bugzilla.openvz.org/2361
    Reported-by: Paparaciz <helpaz@gmail.com>
    Signed-off-by: Kir Kolyshkin <kir@openvz.org>
Kir Kolyshkin
36f182fccf0 vzctl mount: implement pivot_root() for upstream CT
    Instead of just doing chroot(), we do pivot_root() and then umount those mounts that came from the parent mount namespace.
    pivot_root() is better because, unlike chroot(), there is no way to escape. In addition, this should make our CT checkpointable by crtools (http://criu.org).
    umount_old() implementation inspired by
    * lxc tools (src/lxc/conf.c)
    * libvirt (src/lxc/lxc_container.c)
    * crtoo...
Kir Kolyshkin
fe16d770cf2 src/lib/cgroup.c: fix a compiler warning
    clang gives this:
    | CC cgroup.lo
    | cgroup.c:344:11: warning: equality comparison with extraneous parentheses [-Wparentheses-equality]
    | if ((ret == ECGROUPNOTEXIST)) {
    | ~~~~^~~~~~~~~~~~~~~~~~
    | cgroup.c:344:11: note: remove extraneous parentheses around the comparison to silence this warning
    | if ((ret == ECGROUPNOTEXIST)) {
    | ~ ^ ...
Kir Kolyshkin
c92e70a6dc1 vzctl status: do not show 'suspended' for running container
    It made little sense and was looking strange. Fix man page accordingly.
    Signed-off-by: Kir Kolyshkin <kir@openvz.org>
Kir Kolyshkin
978f3225012 vzctl status: do not show 'mounted' in error case
    The fact that vps_is_mounted() returned an error (-1) doesn't mean we should tell CT is mounted. Check for 1 explicitly.
    Signed-off-by: Kir Kolyshkin <kir@openvz.org>
Kir Kolyshkin
b911bab58e1 setver.sh: add ability to specify -U or -F
    So from now on -i, -U and -F have the same meaning as to rpm (install, build, freshen).
    Signed-off-by: Kir Kolyshkin <kir@openvz.org>
Kir Kolyshkin
52cb9844bc6 Add missing comma to an error message
    Message added by a recent patch which I overlooked.
    Signed-off-by: Kir Kolyshkin <kir@openvz.org>
Glauber Costa, Kir Kolyshkin
8e207ef21f6 cleanup container before startup
    Right now, we can leak some values from one run to another, if for any reason this container is still represented in the cgroup filesystem. This means that one-time configuration from the previous run can potentially stay, especially if there isn't any saved value for the said property.
    A robust and conservative approach is to make sure that everything related to our container is always cleane...
Glauber Costa, Kir Kolyshkin
ee081932f07 fix error code in empty container
    If the cgroup does not exist, we rightfully refrain from proceeding in this function. But we still return an error. This function should return success in this case.
    Signed-off-by: Glauber Costa <glommer@parallels.com>
Glauber Costa, Kir Kolyshkin
a2314a3350a make sure destroy_container really destroys it
    Because libcgroup is heavily cached and operates in its in-memory data structures, cgroup deletion doesn't really work these days. We see no error message, but the hierarchies are still present in the filesystem.
    For that, we need to make sure that all controllers are in sync with the on-disk version. We do this by issuing cgroup_get_cgroup() before deletion. If that returns an error because t...
Glauber Costa, Kir Kolyshkin
791337d2fd2 fix a leak in task addition
    While reading the code, debugging a different problem, I noticed that we can leak a cgroup structure if container_add_task fails. This patch should fix it.
    Signed-off-by: Glauber Costa <glommer@parallels.com>
Glauber Costa, Kir Kolyshkin
c0a411f09a6 make container_is_running more robust
    The current logic we use to test if the container is running is to check if the container exists in the cgroup filesystem. If it does, we check if there are tasks left in any of those controllers.
    It works well, assuming we are in control all the time. Kir demonstrated that this fails if someone removes one of the controllers from the hierarchy. In that case we'll fail because the controller do...
Kir Kolyshkin
d0f085f523b postcreate.sh: check if file exists before setting fattr
    From the bug reporter:
    template does not have /usr/sbin/suexec inside.
    [root@backup01-va]# vzctl create 6546 ...
    Creating container private area (fedora-minimal-15-x86)
    Performing postcreate actions
    setfattr: /vz/root/6546/usr/sbin/suexec: No such file or directory
    CT configuration saved to /etc/vz/conf/6546.conf
    Container private area was created
    http://bugzilla.openvz.org/2363
    Rep...
Glauber Costa, Kir Kolyshkin
376cfca9051 implement setdevperm
    This patch implements the still missing setdevperm for upstream Linux containers. We currently live in a situation where devices are unrestricted inside the container.
    In order to restrict accesses to devices, we'll use the device cgroup. By default, we give the container a restrictive set of enabled devices, mostly comprised by /dev/zero, /dev/null, /dev/console, and pts. With that in place,...
Glauber Costa, Kir Kolyshkin
42861fdb05c change header of cgroup configuration function
    We were dealing with mostly long quantities up to now. When we start dealing with the device cgroup, it is a lot more convenient to pass a string (passing the struct dev directly would also work).
    So as a first step, change the function signature to accept a void pointer instead. We provide a val = _val void-to-ulong translation to minimize disruption to the rest of the code
    Signed-off-by: G...
Glauber Costa, Kir Kolyshkin
a984867a497 Do not enclose all containers in a vz directory
    It could be interesting to keep the vz/ directory in cgroups filesystem; both for organization and to allow admins to apply restrictions to the whole set of containers. That is why we have been doing it this way so far.
    There is, however, general upstream acceptance that this should be avoided. Although it seems to the outside as a merely grouping facility, there are costs associated with this...
Kir Kolyshkin
5e57fd4cf8d vzctl start: set more caps for upstream kernel
Kir Kolyshkin
808cb3bf098 vzctl stop: do not clean up IPs for upstream CT
    This hides the error message when stopping CT:
    # vzctl stop 111 --fast
    Directory /proc/vz not found, assuming non-OpenVZ kernel
    >>>> Unable to open /proc/vz/veinfo: No such file or directory
    Killing container ...
    Container was stopped
    Container is unmounted
    Signed-off-by: Kir Kolyshkin <kir@openvz.org>
Kir Kolyshkin
0ca2e28594a vzctl: hide '/usr/sbin/vzquota not found' message
    vzquota can only be used for OpenVZ kernel and simfs layout. In most places we fixed it by disabling quota for upstream case, but here in fsumount we should try to turn off quota regardless of the setting (to be able to turn off quota on a container for which we disabled it after start).
    Now, with vzctl-core vzctl can be used on upstream containers without vzquota, and vzquota binary is not av...
Kir Kolyshkin
83df16c4001 vzctl.spec: move bash-completion script from -core to main pkg
    bash-completion relies heavily on vzlist, which is not in -core.
    Signed-off-by: Kir Kolyshkin <kir@openvz.org>
Kir Kolyshkin
015e362ab7c vzctl set --diskinodes: warn it's ignored on ploop
    The fact that --diskinodes is ignored for ploop CTs is mentioned in vzctl(8), but it's way more effective to tell it right when a user tries to set it.
    Signed-off-by: Kir Kolyshkin <kir@openvz.org>
Kir Kolyshkin
492bd86aa86 set(): reorder conditions
    Check for diskquota first to avoid unneeded ve_private_is_ploop() call.
    Signed-off-by: Kir Kolyshkin <kir@openvz.org>
Andrey Vagin, Kir Kolyshkin
1e8843ab61f cap: restrict capabilities by a bounding set
    A bounding set restricts file capabilities.
    P'(permitted) = (P(inheritable) & F(inheritable)) | (F(permitted) & cap_bset).
    Take into account the following statement from man capabilities:
    """
    When a process execve(2)s a set-user-ID-root program, it gains all capabilities in its permitted and effective capability sets, except those masked out by the capability bounding ...
Glauber Costa, Kir Kolyshkin
8be7335d34e Change mount to a symlink for /var/run/netns file
    Although the documentation for ip suggests that the file in /var/run/netns should be a bind mount of the /proc file, it also claims that:
    1) Any fd will do
    2) This will keep the reference to the namespace open until one umounts.
    We don't really need to assert 2). After the container is dead, we have no business with its namespace. If the container dies, for instance, without having the chance...
Kir Kolyshkin
7c47a79536c read_elf(): eliminate race condition when checking /sbin/init
    From Vasily (http://openvz.org/pipermail/devel/2012-July/028877.html):
    stat()+open() is not atomic in the code below, so there is a race condition. A container root may change /sbin/init between these calls to e.g. FIFO and then make the vzctl's process hang up on read(). I'd add O_NOCTTY to open's flags and change stat() before open() to fstat() just after open().
    Fix according to the...
William Pitcock, Kir Kolyshkin
1263c4705dd dists: add distribution config file for Alpine Linux
    Alpine Linux is a lightweight distribution built on top of uClibc and Busybox, with Debian-like network configuration.
    Signed-off-by: William Pitcock <william.pitcock@enzu.com>
Kir Kolyshkin
47334979b9b init.d/vz: Add /vz to PRUNEPATHS in /etc/updatedb.conf
    So updatedb won't:
    1 clog its database with lots of file entries
    2 interfere with vzctl umount
    TODO: same functionality for etc/init.d/vz-gentoo
    Signed-off-by: Kir Kolyshkin <kir@openvz.org>
Kir Kolyshkin
84976997473 Do call set_personality32() even when compiling for i386
    It appears some people are using 32-bit vzctl on an x86_64 kernel, and it appears that it actually works. The only problem is since set_personality32() is not used, 'uname -m' inside a container reports x86_64, which screws up yum etc.
    Fix it by always using set_personality32().
    Originally reported by lj user ganagin (http://ganagin.livejournal.com/) at http://ru-linux.livejournal.com/2880581...
Kir Kolyshkin
973920e34ea configure.ac: for x86_64, set libdir to lib64
    If building for x86_64 and libdir is not explicitly set, set it to end up in lib64 as it should be. This should result in usable vzctl when doing manual compile/install.
    Note that when we build rpms, we explicitly set --libdir when calling configure, but if we try a manual build we might end up installing libraries into wrong place.
    Reported-by: Glauber Costa <glommer@openvz.org>
    Signed-off-b...
Kir Kolyshkin
6fe5fcf1567 configure.ac: check for $target_cpu not $build_cpu
    What we should care for is $target_cpu. It is not important in the usual not cross-compiling case, but let's be perfect.
    While at it, (re-)add a comment explaining why we need -m64. This comment was initially introduced by commit 1eb3cfa and was later lost in commit d69917c.
    Signed-off-by: Kir Kolyshkin <kir@openvz.org>
Kir Kolyshkin
267c283ac31 Improved capability setting code
    This patch should make set_cap() more error-prone and correct.
    (1) Add defines for _LINUX_CAPABILITY_VERSION_* in case of old headers during compilation
    (2) Do not set version before doing getcap(). This helps to eliminate the following kernel warning: warning: `vzctl' uses 32-bit capabilities (legacy support in use)
    (3) Check version returned by getcap(); fail with ENOSYS if we do...
Kir Kolyshkin
52bd83b1a98 vzctl start/stop: print error for non-applicable options
    parse_startstop_opt() is a bit tricky because it tries to parse both start and stop options. Existing code properly rejects a bad option and returns the proper error code, but it does that silently. That leads to e.g:
    # vzctl start 101 --skip-umount --force
    # echo $?
    20
    Fix it by providing an error message. Now it is:
    # vzctl start 101 --skip-umount --force
    Option --skip-umount is not a...
Kir Kolyshkin
d3c8b959c84 Move scripts and modules to /usr/libexec
    The problem with $libdir/vzctl is $libdir is arch-dependent, it is either /usr/lib or /usr/lib64. The stuff under it is NOT arch-dependent so it doesn't make much sense.
    Therefore, let's move it to /usr/libexec/vzctl and relax.
    Signed-off-by: Kir Kolyshkin <kir@openvz.org>
Kir Kolyshkin
349bc2d7043 Rectify scripts dir
    We were using VZLIBDIR and PKGCONFDIR/scripts in different places. This patch simplifies it, now we have SCRIPTDIR defined in paths.am and propagated to all needed places.
    This makes all this stuff less confusing, more straightforward.
    Signed-off-by: Kir Kolyshkin <kir@openvz.org>
Kir Kolyshkin
f85a15c3002 Rectify modules dir definition
    Instead of defining it in a few places, let's define in paths.am and then propagate to all needed places.
    Signed-off-by: Kir Kolyshkin <kir@openvz.org>
Kir Kolyshkin
1bf77b2bf49 configure.ac: provide description to AC_DEFINE defines
    This would be needed for autoheader (which we don't currently use) and does not make much difference otherwise.
    Signed-off-by: Kir Kolyshkin <kir@openvz.org>
Kir Kolyshkin
bc6814daba7 vzctl.spec: remove _scriptdir
    It was not used since commit cb7ec72.
    Signed-off-by: Kir Kolyshkin <kir@openvz.org>
Kir Kolyshkin
9e61b01e59f src/lib/Makefile.am: add DL_LIBS
    Add DL_LIBS (ie -ldl) to src/lib, because dlopen() is called from src/lib/image.c so vzctl library requires it.
    Signed-off-by: Kir Kolyshkin <kir@openvz.org>
Kir Kolyshkin
ffa3e9bf65a src/Makefile.am: fixed highly parallel build
    make -j99 fails because make sees no dependency between src and lib. Fix by removing prefix from VZCTL_LIBS, it seems to help and not break anything.
    Signed-off-by: Kir Kolyshkin <kir@openvz.org>
Kir Kolyshkin
cf522464277 Rename config.h -> vzconfig.h
    config.h is usually used by autotools.
    Signed-off-by: Kir Kolyshkin <kir@openvz.org>