summaryrefslogtreecommitdiff
path: root/src/nspawn
AgeCommit message (Collapse)Author
2013-11-05nspawn: log out of memory errorsDjalal Harouni
2013-10-31machinectl: add new command to spawn a getty inside a containerLennart Poettering
2013-10-31nspawn: split out pty forwaring logic into ptyfwd.cLennart Poettering
2013-10-30nspawn: only pass in slice setting if it is setLennart Poettering
2013-10-16timedated: use libsystemd-bus instead of libdbus for bus communicationLennart Poettering
Among other things this also adds a few things necessary for the change: - Considerably more powerful error returning APIs in libsystemd-bus - Adapter for connecting an sd_bus to an sd_event - As I reworked the PolicyKit logic to the new library I also made it asynchronous, so that PolicyKit requests of one user cannot block out another user anymore. - We always use the macro names for common bus error. That way it is harder to mistype them since the compiler will notice
2013-10-13Introduce _cleanup_fdset_free_Zbigniew Jędrzejewski-Szmek
2013-10-02nspawn: always copy /etc/resolv.conf rather than bind mountLennart Poettering
We were already creating the file if it was missing, and this way containers can reconfigure the file without running into problems. This also makes resolv.conf handling more alike to handling of /etc/localtime, which is also not a bind mount.
2013-09-19fix grammatical errorDave Reisner
2013-09-19nspawn: be less liberal about creating bind mount destinationsDave Reisner
Previously, if a file's bind mount destination didn't exist, nspawn would blindly create a directory, and the subsequent bind mount would fail. Examine the filetype of the source and ensure that, if the destination does not exist, that it is created appropriately. Also go one step further and ensure that the filetypes of the source and destination match.
2013-08-23nspawn: trivial simplificationZbigniew Jędrzejewski-Szmek
2013-07-19nspawn: Reorder includes to fix compilationJesper Larsen
Commit 2e996f4d4b642c5682c608c9692ad2ffae398ab2 added an include of linux/netlink.h This kernel header is not self contained in the linux 2.6 kernel which breaks compilation with an unknown type sa_family_t A workaround is to include linux/netlink.h after sys/socket.h
2013-07-02nspawn: use the corect method signature for CreateMachine()Lennart Poettering
2013-07-02machined: split out machine registration stuff from logindLennart Poettering
Embedded folks don't need the machine registration stuff, hence it's nice to make this optional. Also, I'd expect that machinectl will grow additional commands quickly, for example to join existing containers and suchlike, hence it's better keeping that separate from loginctl.
2013-06-20nspawn: '-C' option has been removedZbigniew Jędrzejewski-Szmek
Fixup for 9444b1f "logind: add infrastructure to keep track of machines, and move to slices."
2013-06-20logind: add infrastructure to keep track of machines, and move to slicesLennart Poettering
- This changes all logind cgroup objects to use slice objects rather than fixed croup locations. - logind can now collect minimal information about running VMs/containers. As fixed cgroup locations can no longer be used we need an entity that keeps track of machine cgroups in whatever slice they might be located. Since logind already keeps track of users, sessions and seats this is a trivial addition. - nspawn will now register with logind and pass various bits of metadata along. A new option "--slice=" has been added to place the container in a specific slice. - loginctl gained commands to list, introspect and terminate machines. - user.slice and machine.slice will now be pulled in by logind.service, since only logind.service requires this slice.
2013-05-10nspawn: only warn about audit when booting the containerDave Reisner
The audit subsystem isn't relevant when nspawn is only being used as a chroot.
2013-05-09nspawn: Include netlink headers rather than using #ifdefColin Walters
This is a better fix than e13e1fad8b231e187bd5de3ce668411bdcd3ac1a for failing to compile without audit that 77b6e19458f37cfde127ec6aa9494c0ac45ad890 introduced.
2013-05-09Fix previous commit for !HAVE_AUDITColin Walters
2013-05-10audit: since audit is apparently never going to be fixed for containers tell ↵Lennart Poettering
the user what's going on Let's try to be helpful to the user and give him a hint what he can do to make nspawn work with normal OS containers. https://bugzilla.redhat.com/show_bug.cgi?id=893751
2013-05-07hostname: only suppress setting of pretty hostname if it is non-equal to the ↵Lennart Poettering
static hostname and if the static hostname is set, too https://bugzilla.redhat.com/show_bug.cgi?id=957814
2013-05-07build-sys: support builds without EAs againLennart Poettering
2013-05-06nspawn: explain that we look for /etc/os-release in the container directoryLennart Poettering
https://bugs.freedesktop.org/show_bug.cgi?id=64014
2013-05-02nspawn: inherit the exit status of containerDave Reisner
If we get as far as successfully starting the container, nspawn should inherit the exit status of the child container process as its own.
2013-05-01cgls: add --machine/-MZbigniew Jędrzejewski-Szmek
cg_get_machine_path is modified to include the escaped machine name + ".nspawn" if the machine argument is nonnull.
2013-04-30units: add an easy-to-use unit template file systemd-nspawn@.service for ↵Lennart Poettering
running containers as system services
2013-04-30id128: when taking user input for a 128bit ID, validate syntaxLennart Poettering
Also, always accept both our simple hexdump syntax and UUID syntax.
2013-04-29nspawn: add -M option to optstringEvangelos Foutras
This was missed in commit 7027ff61a34a12487712b382a061c654acc3a679 and means that the --machine option would work but not its shorthand, -M.
2013-04-22cgroup: make sure all our cgroup objects have a suffix and are properly escapedLennart Poettering
Session objects will now get the .session suffix, user objects the .user suffix, nspawn containers the .nspawn suffix. This also changes the user cgroups to be named after the numeric UID rather than the username, since this allows us the parse these paths standalone without requiring access to the cgroup file system. This also changes the mapping of instanced units to cgroups. Instead of mapping foo@bar.service to the cgroup path /user/foo@.service/bar we will now map it to /user/foo@.service/foo@bar.service, in order to ensure that all our objects are properly suffixed in the tree.
2013-04-22nspawn: suffix the nspawn cgroups with ".nspawn"Lennart Poettering
As discussed with Dan Berrange it's a good idea to suffix all objects in the cgroup tree with ".something", so that when the system is partitioned using a resource management tool we can drop objects of different types into the same partition directory without generate namespace conflicts. We'l add this to the Pax Control Group document as soon as write access to the fdo wiki is restored.
2013-04-22nspawn: always use cg_get_path() to determine fs path for a cgroupLennart Poettering
2013-04-21systemd,nspawn: use extended attributes to store metadataZbigniew Jędrzejewski-Szmek
All attributes are stored as text, since root_directory is already text, and it seems easier to have all of them in text format. Attributes are written in the trusted. namespace, because the kernel currently does not allow user. attributes on cgroups. This is a PITA, and CAP_SYS_ADMIN is required to *read* the attributes. Alas. A second pipe is opened for the child to signal the parent that the cgroup hierarchy has been set up.
2013-04-18nspawn: create empty /etc/resolv.conf if necessaryZbigniew Jędrzejewski-Szmek
nspawn will overmount resolv.conf if it exists. Since e.g. default install with yum doesn't create /etc/resolv.conf, a container created with yum will not have network. This seems undesirable, and since we overmount the file anyway, let's create it too. Also, mounting a read-write /etc/resolv.conf in the container is treated as a failure, since it makes it possible to modify hosts /etc/resolv.conf from inside the container.
2013-04-18move _cleanup_ attribute in front of the typeHarald Hoyer
http://lists.freedesktop.org/archives/systemd-devel/2013-April/010510.html
2013-04-16path-util: unify code for detecting OS treesLennart Poettering
This also makes sure we always detect an OS tree the same way, by checking for /etc/os-release.
2013-04-16nspawn: introduce the new /machine/ tree in the cgroup tree and move ↵Lennart Poettering
containers there Containers will now carry a label (normally derived from the root directory name, but configurable by the user), and the container's root cgroup is /machine/<label>. This label is called "machine name", and can cover both containers and VMs (as soon as libvirt also makes use of /machine/). libsystemd-login can be used to query the machine name from a process. This patch also includes numerous clean-ups for the cgroup code.
2013-04-05Use initalization instead of explicit zeroingZbigniew Jędrzejewski-Szmek
Before, we would initialize many fields twice: first by filling the structure with zeros, and then a second time with the real values. We can let the compiler do the job for us, avoiding one copy. A downside of this patch is that text gets slightly bigger. This is because all zero() calls are effectively inlined: $ size build/.libs/systemd text data bss dec hex filename before 897737 107300 2560 1007597 f5fed build/.libs/systemd after 897873 107300 2560 1007733 f6075 build/.libs/systemd … actually less than 1‰. A few asserts that the parameter is not null had to be removed. I don't think this changes much, because first, it is quite unlikely for the assert to fail, and second, an immediate SEGV is almost as good as an assert.
2013-04-03util: rename write_one_line_file() to write_string_file()Lennart Poettering
You can write much more than just one line with this call (and we frequently do), so let's correct the naming.
2013-03-31nspawn, machine-id-setup: warn if read-only mount call failsZbigniew Jędrzejewski-Szmek
They are not crucial, but they shouldn't fail.
2013-03-15nspawn: don't make assumptions about the size of pid_tLennart Poettering
2013-03-07nspawn: create a separate devpts namespace for nspawn containersLennart Poettering
2013-02-27nspawn: environment would be truncated with TERM unsetZbigniew Jędrzejewski-Szmek
2013-02-25nspawn: add --bind= and --bind-ro= to bind mount host paths into the containerLennart Poettering
2013-02-25Revert "nspawn: catch config mistake of specifying -b and args"Michal Schmidt
This reverts commit cb96a2c69a312fb089fef4501650f4fc40a1420b. It is not a mistake to pass args when -b is specified. They will simply be passed on to the container's init. The manpage needs fixing, that's true.
2013-02-24nspawn: catch config mistake of specifying -b and argsZbigniew Jędrzejewski-Szmek
2013-02-14nspawn: fail if unable to close pipeZbigniew Jędrzejewski-Szmek
2013-02-14nspawn: print PID and show how to enter the namespaceZbigniew Jędrzejewski-Szmek
systemd-nspawn will now print the PID of the child. An example showing how to enter the container is added to the man page. Support for nsenter without an explicit command was added in https://github.com/karelzak/util-linux/commit/5758069 (post v2.22.2). So this example requires both a new kernel and the latest util-linux.
2013-02-14honor SELinux labels, when creating and writing config filesHarald Hoyer
Also split out some fileio functions to fileio.c and provide a SELinux aware pendant in fileio-label.c see https://bugzilla.redhat.com/show_bug.cgi?id=881577
2013-01-26nspawn: assume stdout is always writable if it does not support epollMichal Schmidt
stdout can be redirected to a regular file. Regular files don't support epoll. nspawn failed with: "Failed to register fds in epoll: Operation not permitted". If stdout does not support epoll, assume it's always writable.
2013-01-18nspawn: add audit caps to default set to keepLennart Poettering
Due to the brokeness of much of the userspace audit code we cannot really start too many systems without the audit caps set. To make nspawn easier to use just add the audit caps by default. To boot up containers successfully the kernel's auditing needs to be turned off still (use "audit=0" on the kernel command line), but at least no manual caps have to be passed anymore. In the long run auditing will be fixed for containers and ve virtualized properly at which time it should be safe to enable these caps anyway.
2013-01-11nspawn: add --versionZbigniew Jędrzejewski-Szmek