OpenVZ-legacy / vzctl.ovzl (public repository)

Commit history (author, commit hash, commit message):
Kir Kolyshkin
a34719871df  Released vzctl 4.3
  Changes: see http://openvz.org/Download/vzctl/4.3/changes
  Signed-off-by: Kir Kolyshkin <kir@openvz.org>

Kir Kolyshkin
869f2a533a6  ct_env_create_real(): don't use O_CLOEXEC
  Replace O_CLOEXEC flag to open with a separate fcntl(FD_CLOEXEC) call, since otherwise we can't be compiled on older distros:
  hooks_ct.c: In function 'ct_env_create_real':
  hooks_ct.c:427: error: 'O_CLOEXEC' undeclared (first use in this function)
  hooks_ct.c:427: error: (Each undeclared identifier is reported only once
  hooks_ct.c:427: error: for each function it appears in.)
  Signed-off-by: Kir...

Kir Kolyshkin
78af7f6ffbc  check_local_ugid(): fix potential NULL dereference
  Indeed, we check uid || gid for non-NULL in if condition, but then dereference them both. Fix by using ?: operator.
  Reported by Coverity, CID 1025651.
  Signed-off-by: Kir Kolyshkin <kir@openvz.org>

Kir Kolyshkin
944aaef6d18  ct_env_create_real(): don't use uninitialized var
  In fact we do write() just to tell the other side it can proceed, so it's not important if what we write is initialized or not. But just to make Coverity happy, let's write 0. Also, while at it, declare the variable closer to its use, and rename it to something more neutral, since we don't mean any 'err' here.
  Reported by Coverity, CID 1025649
  Signed-off-by: Kir Kolyshkin <kir@openvz.org>

Kir Kolyshkin
f9ee748d829  _env_create(): don't pass -1 to close
  arg->userns_p can be -1, so check it before passing to close()
  Reported by Coverity, CID 1025650.
  Signed-off-by: Kir Kolyshkin <kir@openvz.org>

Kir Kolyshkin
6800818116e  scripts/.gitignore: add vps-cpt, vps-rst
  This is an addition to commit 19d8435
  Signed-off-by: Kir Kolyshkin <kir@openvz.org>

Simon Boulet (author), Kir Kolyshkin (committer)
b0b44baa374  Do not fail when private area does not exist
  [kir@openvz.org: formatting/whitespace nitpicks]
  Signed-off-by: Simon Boulet <simon@nostalgeek.com>
  Signed-off-by: Kir Kolyshkin <kir@openvz.org>

Simon Boulet (author), Kir Kolyshkin (committer)
fd75c37e24d  Move container private area check after executing premount scripts
  Signed-off-by: Simon Boulet <simon@nostalgeek.com>

Kir Kolyshkin
9512a11a4cf  Fix "premount/postumount script failed" errors
  This is a fix to commit eeceb72
  Mentioned in a patch in https://bugzilla.openvz.org/2529
  Reported-by: Simon Boulet <simon@nostalgeek.com>
  Signed-off-by: Kir Kolyshkin <kir@openvz.org>

Kir Kolyshkin
78b5f53243f  Fix checking vps_is_mounted() return value
  vps_is_mounted() does not return boolean value, as it can return -1 in case of an error. Therefore, we should not treat it as such. Document vps_is_mounted() return values, and replace all places using this function as follows:
  if (vps_is_mounted()) -> if (vps_is_mounted() == 1)
  if (!vps_is_mounted()) -> if (vps_is_mounted() == 0)
  We still don't do any error processing, but it is already ...

Kir Kolyshkin
01365c9bc3f  [style] Rename ct_env_restore to ct_restore_fn
  Just to be in sync with restore_fn in hooks_vz.c
  Signed-off-by: Kir Kolyshkin <kir@openvz.org>

Kir Kolyshkin
ed0a41eb3b9  ct_chkpnt, ct_env_restore(): free env[]
  Be green, save whales, free the mallocs!
  Signed-off-by: Kir Kolyshkin <kir@openvz.org>

Kir Kolyshkin
784b2caf5a4  ct_restore(): pass SKIP_ACTION_SCRIPT to vps_create_custom
  This is the same fix as commit 40ea0d5, but for restoring upstream containers through criu.
  Signed-off-by: Kir Kolyshkin <kir@openvz.org>

Kir Kolyshkin
afab8fc5daa  scripts/vps-{cpt,rst}: nitpicks
  Fix copyright years, trailing whitespace, tabs vs spaces, and English in some comments and error messages.
  Signed-off-by: Kir Kolyshkin <kir@openvz.org>
Andrey Vagin (author), Kir Kolyshkin (committer)
19d84358661  vzctl: checkpoint/restore of upstream CTs
  It can be done by any third party tools. scripts/ct-cpt and script/ct_rst are executed to dump and restore CT. This patch adds scripts for CRIU.
  v2: add the GPL header and descriptions in scripts; describe and check variables in scripts
  Signed-off-by: Andrey Vagin <avagin@openvz.org>
Andrey Vagin (author), Kir Kolyshkin (committer)
db107c7608b  Pass fs_param to vps_chkpnt, vps_restore, env_start_FN
  Signed-off-by: Andrey Vagin <avagin@openvz.org>
  Signed-off-by: Kir Kolyshkin <kir@openvz.org>

Andrey Vagin (author), Kir Kolyshkin (committer)
e51e3af4be2  Move vz-specific cpt/rst code to hooks_vz.c
  Signed-off-by: Andrey Vagin <avagin@openvz.org>
  Signed-off-by: Kir Kolyshkin <kir@openvz.org>

Andrey Vagin (author), Kir Kolyshkin (committer)
93b0c43c920  vzctl: split vps_chkpnt and vps_restore
  It's a preparation for moving vz-specific code in hook_vz.c.
  Signed-off-by: Andrey Vagin <avagin@openvz.org>

Kir Kolyshkin
58b83e01736  Add vepid dir to make install and vzctl.spec
  This is an addition to previous two commits.
  Signed-off-by: Kir Kolyshkin <kir@openvz.org>

Kir Kolyshkin
dced8947aec  Change path to CT init pid directory
  Previous commit introduced a directory to store CT init pid needed for CRIU to checkpoint mainstream containers. The path used was /vz/state and it's not really a good choice. Let's use /var/lib/vzctl/vepid instead (similar to /var/lib/vzctl/veip and /var/lib/vzctl/vzreboot).
  Signed-off-by: Kir Kolyshkin <kir@openvz.org>

Andrey Vagin (author), Kir Kolyshkin (committer)
1341da95abc  vzctl: save PID of init in a state file
  CRIU requires a pid of the init.
  Signed-off-by: Andrey Vagin <avagin@openvz.org>
Andrey Vagin (author), Kir Kolyshkin (committer)
5b32f982aa8  vzctl: split ct_env_create (v2)
  ct_env_create will be able to execute CT and to resume CT
  v2: A return code contains one of known codes with inverted sign.
  Signed-off-by: Andrey Vagin <avagin@openvz.org>
Glauber Costa (author), Kir Kolyshkin (committer)
c109491b88e  cgroups: fix set command with beancounters upstream
  The kernel memory controller cannot flip states from unlimited to limited if there are already tasks in it. Therefore, we always have to run with *some* value of kmem enabled. If we don't do it, we can't start unlimited and then use the set command to set any beancounters. We write the maximum amount minus two pages, which should effectively mean "accounting turned on, but unlimited"
  Signed-o...

Kir Kolyshkin
e69fc6b18fb  prestart.sh: fix check for fedora/redhat/centos
  In fixup_udev(), we need to detect rhel or centos. Both RHEL, CentOS and Fedora have /etc/redhat-release, in addition Fedora has /etc/fedora-release and CentOS 6 has /etc/centos-release (while Centos 4 and 5 don't). So we have to check that
  - fedora-release is NOT present and
  - redhat-release is present
  We do it in two steps.
  Signed-off-by: Kir Kolyshkin <kir@openvz.org>
Glauber Costa (author), Kir Kolyshkin (committer)
04686be0d0b  prestart: fixup legacy udev effects
  Legacy udev will do a couple of operations that will destroy all the setup we have done for /dev. This is because, unaware that it is being containerized, it will mount a tmpfs on /dev, and then set it all up again. Since preemptively preventing those actions from happening is very hard (as an example, centos6 init binary will issue mount syscalls itself), the most robust approach is to i...
Kir Kolyshkin
ef138abdd8d  Fix rpm build after libvzchown addition
  This is a fixup to commit 863ed0e.
  Signed-off-by: Kir Kolyshkin <kir@openvz.org>

Kir Kolyshkin
296245169aa  distribution.conf-template: document PRE_START
  Signed-off-by: Kir Kolyshkin <kir@openvz.org>

Kir Kolyshkin
51c6a13ccbb  vps_start_custom(): add a couple of comments
  Signed-off-by: Kir Kolyshkin <kir@openvz.org>

Kir Kolyshkin
40ea0d59781  vzctl restore: don't run action scripts
  I am positively unsure why this bug went unnoticed for so many years. We should not run $VEID.start action script when we are doing restore rather than start. It's pretty harmless, aside from the fact that apparently vps_exec_script() closes all fds so later kernel checkpointing complains like this:
  # vzctl restore 201
  Restoring container ...
  Starting container ...
  Container is mounted ...
Glauber Costa (author), Kir Kolyshkin (committer)
23035a7cdd2  vzctl start: add pre-start dist script
  We will need that infrastructure when running with Linux upstream, since some support is very unlikely to ever land in the Kernel. This will be done by running a vps script that will be run shortly before we call exec() on /sbin/init. To demonstrate what such script should do, this patch uses the script to override the loginuid PAM module. This is called only for the distributions in which I ha...
Glauber Costa (author), Kir Kolyshkin (committer)
d9f113ddf8a  hooks_ct: create devices inside container
  Our devices were being created from the parent of container's init, because we need to be still outside container context to do it. However, this creates quite an annoyance, because those bind mounts will show up in the host /proc/mounts. Turns out, we don't really need to do it from the root side. We can do it from the container side provided we do it before we chroot - and then the host side...

Kir Kolyshkin
e8b6563134e  ct_ip_ctl(): remove code duplication
  We can reuse argv[0] and do not duplicate run_script() call.
  Signed-off-by: Kir Kolyshkin <kir@openvz.org>

Glauber Costa (author), Kir Kolyshkin (committer)
d7a9e22eaf0  automatically add bridge venet0 when needed
  The chosen architecture to deal with --ipadd with upstream containers is to create a veth pair and add the host side information to a bridge called venet0. This way, all the code that expects venet0 to exist can still work without modifications, (or with just a few). Our intention to do that was actually already stated in the comments, but the code was removed before merging because --ipadd wo...
Glauber Costa (author), Kir Kolyshkin (committer)
863ed0ee35b  modify tar extraction to account for user namespace
  If we are running upstream with user namespaces, we need to create the container filesystem not with the ownership preserved, but reflecting the mapping we need to apply. Note that according to our documentation, we should ignore this if the user explicitly requested an uid mapping of 0 (gid is ignored in this case). Our tooling doesn't allow any easy way to unpack a whole distribution with off...
Glauber Costa (author), Kir Kolyshkin (committer)
0f357ab82dc  allow local uid and gid to be specified at container creation
  It is a valid use case to run a container with host uid and gid different than the default. In particular, already deployed versions of vzctl are expected to have this value unset, effectively meaning they are not expecting user namespaces to be present. We also deem as a valid use case to run a fully privileged container, in which case we will explicitly disable user namespaces. This patch pr...

Kir Kolyshkin
3e6045ecfdd  src/lib/env.c: introduce and use check_local_ugid()
  Move the user mismatch test from vps_start_custom() to a separate function check_local_ugid(). Use shorter variable names. While at it, check return from stat() and error out if it fails. It's cleaner and more readable that way.
  Signed-off-by: Kir Kolyshkin <kir@openvz.org>
Glauber Costa (author), Kir Kolyshkin (committer)
cf1abe17633  add user mismatch test
  In theory, we won't be able to run if our private area is not owned by ourselves. We could, if it has very wide open security permissions, but we should never set up a container like that. Aside from a basic sanity check, this is intended to catch problems for the few people who may have already created containers that will be owned by root:root, and will now try to run it unprivileged.
  Sig...
Kir Kolyshkin
110b1451030  src/lib/hooks_ct.c:_env_create(): close fd earlier
  Close userns_p as soon as we don't need it, i.e. right after reading from it.
  Signed-off-by: Kir Kolyshkin <kir@openvz.org>

Kir Kolyshkin
c39f5732910  src/lib/hooks_ct.c: formatting
  This is mostly indentation, plus useless "else" removed.
  Signed-off-by: Kir Kolyshkin <kir@openvz.org>
Glauber Costa (author), Kir Kolyshkin (committer)
5b8cd90f586  user namespace support for upstream containers
  This patch allows the execution of unprivileged containers running on top of an upstream Linux Kernel. We will run at whatever UID is found in the configuration file (so far empty, thus disabled).
  Signed-off-by: Glauber Costa <glommer@parallels.com>
Glauber Costa (author), Kir Kolyshkin (committer)
e243f515583  pass parameters to open
  Upstream containers running on kernels that support user namespaces would benefit from being able to have early access to the container configuration. This is because we would like user namespaces support to be either enabled or disabled, and a lot of the actions we take can be potentially affected by this configuration switch. We do that by bundling it into vz_open, where we traditionally are...

Glauber Costa (author), Kir Kolyshkin (committer)
1221de40e1b  adjust fs_create parameter
  We need to pass more information to fs_create. Instead of adding arguments, it is preferred to pass the whole vps_p structure and unfold it inside the callee.
  Signed-off-by: Glauber Costa <glommer@parallels.com>
  Signed-off-by: Kir Kolyshkin <kir@openvz.org>

Glauber Costa (author), Kir Kolyshkin (committer)
0086869ba2d  host uid and gid parameters
  When running with an upstream Linux kernel that supports user namespaces, we will run the container using an unprivileged user in the system. That can be any user, and it serves as base to a 1:1 mapping between users in the container and users in the host. By default, the value 100000 will be used for both uid and gid.
  Signed-off-by: Glauber Costa <glommer@parallels.com>
  Signed-off-by: Kir Ko...

Kir Kolyshkin
c25c3d5ab38  vzctl.spec: require vzstats
  Beta testing of vzstats (http://stats.openvz.org) showed good results and mostly positive feedback, so let's try to roll it out on a global scale.
  Signed-off-by: Kir Kolyshkin <kir@openvz.org>

Kir Kolyshkin
3d238e12012  etc/init.d/vz*: try to run vzstats
  Run vzstats if it is available to report new kernel. For more info about vzstats, check http://stats.openvz.org/
  Signed-off-by: Kir Kolyshkin <kir@openvz.org>

Kir Kolyshkin
77a3279b5b6  Remove more traces of noatime flag
  As per commit 127ad44, --noatime is no longer supported. This patch:
  1. removes the last trace of it from bash_completion script
  2. removes the last mention of it from ctid.conf(5) man page
  3. removes parsing (ignoring) of --noatime from cmdline
  4. removes ignoring of NOATIME from config file
  Ignoring --noatime from cmdline was deliberately left there in order to maintain backward compatibil...

Igor M Podlesny (author), Kir Kolyshkin (committer)
c1146dac745  get_num_cpu(): Use PROCCPU macros for "/proc/cpuinfo"
  Signed-off-by: Kir Kolyshkin <kir@openvz.org>

Igor M Podlesny (author), Kir Kolyshkin (committer)
38afeac0e7e  get_num_cpu(): got rid of hardcoded string length
  Signed-off-by: Kir Kolyshkin <kir@openvz.org>

Igor M Podlesny (author), Kir Kolyshkin (committer)
eb8470189b8  In C func() is to be func(void) generally
  Signed-off-by: Kir Kolyshkin <kir@openvz.org>

Igor M Podlesny (author), Kir Kolyshkin (committer)
9ca6ee22256  vzctl_init_ploop_log() gets shorter
  Signed-off-by: Kir Kolyshkin <kir@openvz.org>