summaryrefslogtreecommitdiff
path: root/src/nspawn
AgeCommit message (Collapse)Author
2013-05-09nspawn: Include netlink headers rather than using #ifdefColin Walters
This is a better fix than e13e1fad8b231e187bd5de3ce668411bdcd3ac1a for failing to compile without audit that 77b6e19458f37cfde127ec6aa9494c0ac45ad890 introduced.
2013-05-09Fix previous commit for !HAVE_AUDITColin Walters
2013-05-10audit: since audit is apparently never going to be fixed for containers tell ↵Lennart Poettering
the user what's going on Let's try to be helpful to the user and give him a hint what he can do to make nspawn work with normal OS containers. https://bugzilla.redhat.com/show_bug.cgi?id=893751
2013-05-07hostname: only suppress setting of pretty hostname if it is non-equal to the ↵Lennart Poettering
static hostname and if the static hostname is set, too https://bugzilla.redhat.com/show_bug.cgi?id=957814
2013-05-07build-sys: support builds without EAs againLennart Poettering
2013-05-06nspawn: explain that we look for /etc/os-release in the container directoryLennart Poettering
https://bugs.freedesktop.org/show_bug.cgi?id=64014
2013-05-02nspawn: inherit the exit status of containerDave Reisner
If we get as far as successfully starting the container, nspawn should inherit the exit status of the child container process as its own.
2013-05-01cgls: add --machine/-MZbigniew Jędrzejewski-Szmek
cg_get_machine_path is modified to include the escaped machine name + ".nspawn" if the machine argument is nonnull.
2013-04-30units: add an easy-to-use unit template file systemd-nspawn@.service for ↵Lennart Poettering
running containers as system services
2013-04-30id128: when taking user input for a 128bit ID, validate syntaxLennart Poettering
Also, always accept both our simple hexdump syntax and UUID syntax.
2013-04-29nspawn: add -M option to optstringEvangelos Foutras
This was missed in commit 7027ff61a34a12487712b382a061c654acc3a679 and means that the --machine option would work but not its shorthand, -M.
2013-04-22cgroup: make sure all our cgroup objects have a suffix and are properly escapedLennart Poettering
Session objects will now get the .session suffix, user objects the .user suffix, nspawn containers the .nspawn suffix. This also changes the user cgroups to be named after the numeric UID rather than the username, since this allows us the parse these paths standalone without requiring access to the cgroup file system. This also changes the mapping of instanced units to cgroups. Instead of mapping foo@bar.service to the cgroup path /user/foo@.service/bar we will now map it to /user/foo@.service/foo@bar.service, in order to ensure that all our objects are properly suffixed in the tree.
2013-04-22nspawn: suffix the nspawn cgroups with ".nspawn"Lennart Poettering
As discussed with Dan Berrange it's a good idea to suffix all objects in the cgroup tree with ".something", so that when the system is partitioned using a resource management tool we can drop objects of different types into the same partition directory without generate namespace conflicts. We'l add this to the Pax Control Group document as soon as write access to the fdo wiki is restored.
2013-04-22nspawn: always use cg_get_path() to determine fs path for a cgroupLennart Poettering
2013-04-21systemd,nspawn: use extended attributes to store metadataZbigniew Jędrzejewski-Szmek
All attributes are stored as text, since root_directory is already text, and it seems easier to have all of them in text format. Attributes are written in the trusted. namespace, because the kernel currently does not allow user. attributes on cgroups. This is a PITA, and CAP_SYS_ADMIN is required to *read* the attributes. Alas. A second pipe is opened for the child to signal the parent that the cgroup hierarchy has been set up.
2013-04-18nspawn: create empty /etc/resolv.conf if necessaryZbigniew Jędrzejewski-Szmek
nspawn will overmount resolv.conf if it exists. Since e.g. default install with yum doesn't create /etc/resolv.conf, a container created with yum will not have network. This seems undesirable, and since we overmount the file anyway, let's create it too. Also, mounting a read-write /etc/resolv.conf in the container is treated as a failure, since it makes it possible to modify hosts /etc/resolv.conf from inside the container.
2013-04-18move _cleanup_ attribute in front of the typeHarald Hoyer
http://lists.freedesktop.org/archives/systemd-devel/2013-April/010510.html
2013-04-16path-util: unify code for detecting OS treesLennart Poettering
This also makes sure we always detect an OS tree the same way, by checking for /etc/os-release.
2013-04-16nspawn: introduce the new /machine/ tree in the cgroup tree and move ↵Lennart Poettering
containers there Containers will now carry a label (normally derived from the root directory name, but configurable by the user), and the container's root cgroup is /machine/<label>. This label is called "machine name", and can cover both containers and VMs (as soon as libvirt also makes use of /machine/). libsystemd-login can be used to query the machine name from a process. This patch also includes numerous clean-ups for the cgroup code.
2013-04-05Use initalization instead of explicit zeroingZbigniew Jędrzejewski-Szmek
Before, we would initialize many fields twice: first by filling the structure with zeros, and then a second time with the real values. We can let the compiler do the job for us, avoiding one copy. A downside of this patch is that text gets slightly bigger. This is because all zero() calls are effectively inlined: $ size build/.libs/systemd text data bss dec hex filename before 897737 107300 2560 1007597 f5fed build/.libs/systemd after 897873 107300 2560 1007733 f6075 build/.libs/systemd … actually less than 1‰. A few asserts that the parameter is not null had to be removed. I don't think this changes much, because first, it is quite unlikely for the assert to fail, and second, an immediate SEGV is almost as good as an assert.
2013-04-03util: rename write_one_line_file() to write_string_file()Lennart Poettering
You can write much more than just one line with this call (and we frequently do), so let's correct the naming.
2013-03-31nspawn, machine-id-setup: warn if read-only mount call failsZbigniew Jędrzejewski-Szmek
They are not crucial, but they shouldn't fail.
2013-03-15nspawn: don't make assumptions about the size of pid_tLennart Poettering
2013-03-07nspawn: create a separate devpts namespace for nspawn containersLennart Poettering
2013-02-27nspawn: environment would be truncated with TERM unsetZbigniew Jędrzejewski-Szmek
2013-02-25nspawn: add --bind= and --bind-ro= to bind mount host paths into the containerLennart Poettering
2013-02-25Revert "nspawn: catch config mistake of specifying -b and args"Michal Schmidt
This reverts commit cb96a2c69a312fb089fef4501650f4fc40a1420b. It is not a mistake to pass args when -b is specified. They will simply be passed on to the container's init. The manpage needs fixing, that's true.
2013-02-24nspawn: catch config mistake of specifying -b and argsZbigniew Jędrzejewski-Szmek
2013-02-14nspawn: fail if unable to close pipeZbigniew Jędrzejewski-Szmek
2013-02-14nspawn: print PID and show how to enter the namespaceZbigniew Jędrzejewski-Szmek
systemd-nspawn will now print the PID of the child. An example showing how to enter the container is added to the man page. Support for nsenter without an explicit command was added in https://github.com/karelzak/util-linux/commit/5758069 (post v2.22.2). So this example requires both a new kernel and the latest util-linux.
2013-02-14honor SELinux labels, when creating and writing config filesHarald Hoyer
Also split out some fileio functions to fileio.c and provide a SELinux aware pendant in fileio-label.c see https://bugzilla.redhat.com/show_bug.cgi?id=881577
2013-01-26nspawn: assume stdout is always writable if it does not support epollMichal Schmidt
stdout can be redirected to a regular file. Regular files don't support epoll. nspawn failed with: "Failed to register fds in epoll: Operation not permitted". If stdout does not support epoll, assume it's always writable.
2013-01-18nspawn: add audit caps to default set to keepLennart Poettering
Due to the brokeness of much of the userspace audit code we cannot really start too many systems without the audit caps set. To make nspawn easier to use just add the audit caps by default. To boot up containers successfully the kernel's auditing needs to be turned off still (use "audit=0" on the kernel command line), but at least no manual caps have to be passed anymore. In the long run auditing will be fixed for containers and ve virtualized properly at which time it should be safe to enable these caps anyway.
2013-01-11nspawn: add --versionZbigniew Jędrzejewski-Szmek
2012-12-22nspawn: try to orderly shutdown container when receiving SIGTERMLennart Poettering
2012-12-22nspawn: allow passing socket activation fds through nspawnLennart Poettering
2012-12-22nspawn: allow nspawn to be invoked without ttyLennart Poettering
This allows invoking nspawn containers as systemd services, to create a minimal, light-weight OS container solution for servers.
2012-11-22nspawn: reset supplementary and main group id before entering nspawnLennart Poettering
2012-10-02nspawn: use automatic cleanup and provide debug infoZbigniew Jędrzejewski-Szmek
The documentation for --link-journal is also reworded.
2012-09-24log: fix repeated invocation of vsnprintf()/vaprintf() in log_struct()Lennart Poettering
https://bugs.freedesktop.org/show_bug.cgi?id=55213
2012-09-21nspawn: document why we don't check resolv.conf mount errorsLennart Poettering
2012-09-21nspawn: we can't overmount /etc/localtime anymore since it's usually a ↵Lennart Poettering
symlink now Create the right symlink if possible for /etc/localtime
2012-09-16nspawn: fix memleak introduced with automatic cleanupZbigniew Jędrzejewski-Szmek
6b2d0e8 introduced a memleak instead of fixing one. Fix both.
2012-09-16nspawn: use automatic cleanup for umaskZbigniew Jędrzejewski-Szmek
2012-09-16nspawn: _cleanup_free_ moreZbigniew Jędrzejewski-Szmek
2012-09-16nspawn: use automatic cleanupZbigniew Jędrzejewski-Szmek
This one actually clears up a (totally harmless) memleak.
2012-09-16nspawn: mount tmpfs on /dev/shmZbigniew Jędrzejewski-Szmek
Most things seem to function fine without /dev/shm, but it is expected to be there (quoting linux/Documentation/filesystems/tmpfs.txt: glibc 2.2 and above expects tmpfs to be mounted at /dev/shm for POSIX shared memory (shm_open, shm_unlink)). Since /tmp/ is already mounted as tmpfs, it would be enough to mkdir /tmp/shm and chmod it. Mounting it separately has the advantage that it can be easily remounted to change the quota.
2012-09-05nspawn: handle poweroff/reboot nicely in containersLennart Poettering
2012-09-05nspawn: don't provide /dev/rtc0 in the containerLennart Poettering
Since RTCs are hardware devices and are very much shared resources we should avoid to provide them in each container.
2012-09-05nspawn: generate a new randomized boot ID for each containerLennart Poettering