It will become a visible warning if LAYERSERIES_COMPAT is not set, so
we add it to our layers, and set it to rocko. Once sumo is released and
branched, we'll change the value.
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
The latest version of systemd expects that a container will have the
variable container_uuid controlled by the container manager. If an
end user does not set the container_uuid with 'c3 cfg set -n CONTAINER
cube.env:container_uuid', the c3 add command will have done it for them.
Failure to set the container_uuid in a network prime container results
in programs like the Network Manager using a new client ID for each
reboot, which in turn causes you to get a new IP address on each
reboot.
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
With the latest docker/runc uprev, we can use the opencontainers
containerd without issue.
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
When using dhclient in a hook function a runc monitor process waits to
execute the hooks and clean up. As a part of the clean up when this
function exits any dhclient processes should also die so that all the
network name spaces are released immediately.
This patch adds the --psig to send a SIGKILL when the parent process
terminates.
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
The dhclient process needs to exit immediately, without a lease
release, if the parent process exits, in order to release the network
name space and any associated devices.
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
In the merge of the oci and cube network handlers, the accounting
of pids in a network namespace was dropped. This means that on
shutdown we aren't killing all processes that might hold a namespace
open.
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
Patches are still needed as confirmed by the fact that anything beyond
dom0 would not correctly start.
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
commit ca060b4624 (overc-conf: drop
oci-network, since cube-network is now universal) accidentally dropped
two patches that were used in the oci-network. The older patches
cleanly apply so long as the veth-br-int is changed to ${veth_name}.
The MAC address is changing after dhclient is running which causes a
problem where you lose IP connectivity after a while when the lease
renews. It also poses a problem where you cannot get a lease in a
timely manner because the local lease db was being shared across
containers, so for the first container everything was fine, but each
additional container could incur a delay.
--- Restore commit ca060b4624 ---
oci-network: Use a private lease file for each container for dhclient
The dhclient state file cannot be shared if the interface name is the
same in a container. It will cause the wrong IP address to be passed
for a renew request.
--- Restore commit feb6b8ef13 ---
oci-network: Move MAC assignment before dhclient and use a hash function
The MAC assignment needs to come before the dhclient request else the
network address changes later on when it renews the lease.
For speed and consistent operations the MAC address should be the same
across container restarts so we can use a hash function to generate
the mac address.
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
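The ordering the two restored commits describe (assign a stable, hashed MAC first, then start dhclient with a lease file that is private to the container) as an added example. This is illustrative code, not the oci-network/cube-network hook script; the function names, the lease and pid file directories, and the use of sha256sum as the hash are assumptions, and the commit's --psig flag is a project patch to dhclient and is not used here.

```shell
#!/bin/sh
# Added example (not the project's code): derive a stable MAC for a
# container's veth from a hash of the container name, assign it, and only
# then start dhclient with a per-container lease file.

# Stable, locally administered unicast MAC: first octet 0x02 sets the
# local bit and clears the multicast bit; the other five octets come from
# the first 40 bits of SHA-256(name:interface).  (Hash choice is assumed.)
gen_container_mac() {
    name=$1
    ifname=${2:-veth0}
    h=$(printf '%s:%s' "$name" "$ifname" | sha256sum | cut -c1-10)
    printf '02:%s:%s:%s:%s:%s\n' \
        "$(printf '%s' "$h" | cut -c1-2)" "$(printf '%s' "$h" | cut -c3-4)" \
        "$(printf '%s' "$h" | cut -c5-6)" "$(printf '%s' "$h" | cut -c7-8)" \
        "$(printf '%s' "$h" | cut -c9-10)"
}

# Per-container lease and pid file paths, so two containers whose interface
# is called eth0 never share dhclient state (directories are assumptions).
lease_file() { printf '/var/lib/dhclient/%s-%s.leases\n' "$1" "$2"; }
pid_file()   { printf '/run/dhclient-%s-%s.pid\n' "$1" "$2"; }

# Set the MAC BEFORE dhclient runs, so the hardware address the lease was
# granted to is the one still in use when the lease renews.
# Needs root and a real network namespace; not exercised by the test.
start_container_dhcp() {
    name=$1
    ifname=$2
    mac=$(gen_container_mac "$name" "$ifname")
    ip link set dev "$ifname" address "$mac" || return 1
    ip link set dev "$ifname" up || return 1
    dhclient -nw -lf "$(lease_file "$name" "$ifname")" \
                 -pf "$(pid_file "$name" "$ifname")" "$ifname"
}
```

Because the MAC is a function of the container name, a restarted container presents the same address to the DHCP server and keeps its old lease, and because each container has its own -lf file, a renewal can never pick up another container's IP.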
This change is dependent on the change to overc-installer for the
subvol create support.
There are two separate optimizations:
1) In the case that tracking is enabled (which should be the default)
- A btrfs subvol is created instead of copying and moving things
around with snapshots later on.
- This allows the erase operation to just be a simple delete volume
instead of removing all the files with rm -rf
2) When using a container registry use a move operation instead of
cp -a so there is no point where we need two copies of everything
in the container's rootfs, just to turn around and delete one
of the copies before completing the c3 add.
The speed improvement for a 250 MB container with 21,000 files was
going from 61 seconds to 26 seconds. In each case 12 seconds of the time
are spent just on the download from the container registry.
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
The cube-essential is used for the installer and requires parted to
exist both to query the partition table and manage the partitions.
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
Add a setting that indicates a container should get full capabilities
as defined by the --privileged option to the oci-runtime-tool
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
When enabling a container to communicate with the cube-cmd-server, the
container could very well be a system, multi-user container. In that
scenario, we want our auth.db to be per-user, not global.
This commit tweaks cube-cmd to check in ~/.overc first, and then check
for a global auth.db
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
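The lookup order the commit describes (per-user ~/.overc/auth.db first, then a global auth.db) as an added example, plus the check a practitioner would want alongside it: a credential store that other users can write to is treated as absent, since it would let them grant themselves access to the cube-cmd-server. This is not the cube-cmd implementation; the global path /etc/overc/auth.db and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not cube-cmd's code): locate the auth.db for a caller,
# preferring a per-user copy under ~/.overc over a global one, and
# refusing any candidate that group or other users could modify.

# Print the path and return 0 if usable; return 1 if the file is missing,
# unreadable, or writable by group/other.
auth_db_usable() {
    f=$1
    [ -f "$f" ] && [ -r "$f" ] || return 1
    # -prune keeps find on the file itself; any output means the bit is set.
    [ -z "$(find "$f" -prune -perm -g+w -print 2>/dev/null)" ] || return 1
    [ -z "$(find "$f" -prune -perm -o+w -print 2>/dev/null)" ] || return 1
    printf '%s\n' "$f"
}

# $1: home directory to check (defaults to $HOME)
# $2: global auth.db path (assumed default: /etc/overc/auth.db)
find_auth_db() {
    home=${1:-$HOME}
    global=${2:-/etc/overc/auth.db}
    auth_db_usable "$home/.overc/auth.db" && return 0
    auth_db_usable "$global" && return 0
    return 1
}
```

In a multi-user container the per-user file wins, so one user's grants never leak into another's session; the permission check is the cheap guard that keeps the fallback from becoming a privilege escalation path.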
To finish the enablement of cross-X in containers, we need two more
features:
- The ability to link data directories from host -> container
- The ability to xauthenticate a container
This commit combines the two features as a unit, to allow the following
scenario to work:
% c3 add docker://jbonds/xterm
% c3 stop cube-desktop
% c3-cfg -v link localhost:.XIM-unix cube-desktop:/tmp/.XIM-unix
% c3-cfg -v link localhost:.Test-unix cube-desktop:/tmp/.Test-unix
% c3-cfg -v link localhost:.ICE-unix cube-desktop:/tmp/.ICE-unix
% c3-cfg -v link localhost:.font-unix cube-desktop:/tmp/.font-unix
% c3-cfg -v link localhost:.X11-unix cube-desktop:/tmp/.X11-unix
% c3-cfg -v link localhost:.XIM-unix xterm:/tmp/.XIM-unix
% c3-cfg -v link localhost:.Test-unix xterm:/tmp/.Test-unix
% c3-cfg -v link localhost:.ICE-unix xterm:/tmp/.ICE-unix
% c3-cfg -v link localhost:.font-unix xterm:/tmp/.font-unix
% c3-cfg -v link localhost:.X11-unix xterm:/tmp/.X11-unix
% c3-cfg -n xterm set cube.env:DISPLAY=:0
% c3-cfg gen cube-desktop
% c3-cfg gen xterm
% c3 start cube-desktop
# <log into X session as appropriate>
% c3-cfg auth X:cube-desktop:xterm
% c3 start xterm
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
While we should rely on an image to ignore interfaces that are created
and managed by cube-network .. it is not always possible for those
images/containers to know the name of the interface.
While creating a network device pair, we do know the interface and we
can detect NetworkManager in a container, and tell it to ignore our
newly created interface.
We could also do this for passthrough devices, but that is something
that a user may want to manage with NetworkManager, so we leave it
alone for now.
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
When linking the ports of containers, we should explicitly pass the
output directory to the cube-cfg calls. We do this, since if running
in a chroot'd or mount'd scenario determine_outdir won't be able to
locate and automatically set the proper directory.
We also improve determine_outdir to always set a full path (versus
allowing ./), since we can use that full path to determine where
we are, and how to manipulate it for sub calls.
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
When oci-network and cube-network consolidated, the wildcard support from
oci-network was dropped.
This restores the wildcard support AND improves it to work when the network
is disabled.
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
The new libc headers error as follows:
| Makefile:4659: recipe for target 'src/libostree/libostree_1_la-ostree-repo-checkout.lo' failed
| make[2]: *** [src/libostree/libostree_1_la-ostree-repo-checkout.lo] Error 1
| In file included from ./libglnx/glnx-missing.h:95:0,
| from ./libglnx/libglnx.h:28,
| from src/libostree/ostree-repo-traverse.c:24:
| ./libglnx/glnx-missing-syscall.h:142:23: error: static declaration of 'copy_file_range' follows non-static declaration
| static inline ssize_t copy_file_range(int fd_in, loff_t *off_in,
| ^~~~~~~~~~~~~~~
This is fixed upstream in the latest release version of ostree.
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
cube-cfg already had the ability to link the TCP/UDP ports of any
two containers. But it is also a common need to share data stores between
containers.
This commit introduces a basic plumbing command to implement this
type of sharing. When a non-numeric link source/dest is detected, a
data link is triggered.
A data link can be a file, or a directory.
The steps to making the link work are:
- The source container's directory structure is checked, and the
source directory validated
- If valid, a new export store is created in /opt/container/data/<container a>
- The source directory is symlinked into that new data store
- The destination container has a bind mount configured, and its configuration
regenerated.
This is a plumbing command, and does very little error checking
Example:
root@cube-dom0:~# c3-cfg -v link cadvisor:/etc debian:/tmp/blah
[INFO]: linking cadvisor:/etc to debian:/tmp/blah
root@cube-dom0:~# c3 start debian
root@cube-dom0:~# c3 -i debian:/bin/bash
root@debian:/# cat /tmp/blah/alpine-release
3.4.6
root@cube-dom0:~# c3 stop debian
root@cube-dom0:~# c3-cfg -v link -cadvisor:/etc debian:/tmp/blah
[INFO]: unlinking cadvisor:/etc from debian:/tmp/blah
[INFO]: rm -rf /opt/container/data/cadvisor///etc
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
When a container is running, but has no IP, error messages were
seen during a c3-list.
We capture stderr, check for issues, and act appropriately. This
avoids the user seeing any errors; instead they get '---' if
the container has no IP.
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
Some of the steps of the regen phase were not being run in the
container directory. This breaks regeneration in some scenarios.
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
The c3 construct script was not properly segmenting stderr and stdout,
so we fix the redirects.
It also could be very silent, so we automatically tee the output to the
screen, while also doing the redirects for forensics.
We also improve -v to do a 'set -x' so each command can be seen as it
is invoked.
And finally, we add -w so that a failure from a phase of the script
will not abort all processing.
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
To avoid guessing the veth name, we can read the veth name from the
container state directory.
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
There was a known bug included in linux-libc-headers 4.15 that was
reported and fixed in mainline. See
https://github.com/torvalds/linux/commit/da360299b673
The original breakage is part of the linux-libc-headers 4.15 which
causes ebtables to fail to build, with multiple redefinitions as
described in the fix commit.
The fix has been recommended for promotion to 4.15.y stable so we
should get a proper fix on the next linux-libc-headers uprev, but for
the time being we include a copy of the header with the offending
'include' removed to allow ebtables to build successfully.
Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com>
There have been some changes to c3-ctl which were yet to be reflected
in the bash completions or the documentation. Follow through with
these changes to keep things current.
* Add foreground, interactive and attach options to start
* Add rename/mv command
* Remove --peer and --nested options no longer available to start
* Remove restart command from documentation
Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com>
Change the netprime switching procedure to be truly dynamic and require
no reboot. This works with both OCI and cube style containers.
This allows devices, static IPs, etc, to be brought down, changed and
brought back up without the need to reboot.
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
The two hook commands are very similar, and with some additional checks
we can unify both hooks into a single, universal network handler.
This allows us consistent setup and teardown, which is dynamically used
by the netprime switch code.
Hook calls are unchanged, but we add extra tests and lookups to allow
direct invocation from the shell.
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
When waiting for a long c3-construct, the user may wonder if things are
really working. So in addition to logging errors/output, we also tee them
both to the screen.
Also, we make a new variable PRIV_PATH available to scripts, so that they
can choose to pass the full path to some other commands (no path is the
default).
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
If the attributes file gets a trailing line return, we'll have the
attributes displayed incorrectly. So after each operation, we can
delete any newlines we find.
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
cube-network can handle all types of containers, so we no longer need
parallel code in oci-network.
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
To allow the netconfig script to be more easily invoked from outside
of a hook scenario, we can use the stored .cube.pid if it is available.
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
We are now using the netprime configuration flag as a firstboot flag,
so we should just rename the variable appropriately.
We also restore the restart of systemd-networkd, otherwise br-int will
not have a valid IP on the first boot.
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
In case the binary we are grafting to essential is a symlink, we
should make sure that we follow that symlink and copy the true binary
to essential.
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
Some of the commands that trigger the failure of a construct operation
may not always use stderr. As such, we should dump both our "good"
and "bad" output captures on failure.
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
We need to define several additional tools needed to allow 'c3-ctl
add' to be performed inside the c3-construct sandbox.
Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
Attempting to do a 'c3-ctl netprime' in a c3-construct file will
yield:
[ERROR]: processing of file /tmp/tmp.d5nNX4qOKg failed
/usr/sbin/cube-cfg: line 955: rm: command not found
/usr/sbin/cube-cfg: line 1014: tr: command not found
Add these to the available commands in c3.cmd so that 'c3-ctl
netprime' is available.
Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
For the most part, we want to enable ptrace and control both
ambient and inheritable capabilities.
This may not be the case for some app container, but for now, we
control them via a flag ... but enable them all the time. We will
tweak things in the future when the use cases arrive.
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
Many nested container situations require sys_ptrace to be available, so
we enable it by default.
This could eventually become conditional, but for now, it is the default.
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
To ensure that we have valid IPs for a network stack, we should
exec it after the wait barrier.
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
If a command was both #define'd (for a symlink) and had an
override, then the command wouldn't work since the "real command"
wasn't known and the wrapper not called properly.
We fixup our processing to allow both to be valid in the same
construct run.
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
meta-cube* uses the packaging done in the qemu bbappend, so it really
needs to be in that same layer.
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
Attempting to delete a container named 'deb' while a container named
'debian' is running will result in
[INFO] container deb is running, it must be stopped before deleting
When comparing the container name to the list of running containers we
are matching when the container name is a substring of another
container in the list. We could make use of bash string matching to
avoid this but so far we have avoided using bash-only constructs. So we
opt to use the same technique used elsewhere already in the script.
Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com>
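The substring bug described above, reproduced next to an exact-match check, as an added example. It is not the c3-ctl code and does not claim to be the technique the script actually uses; it only shows one POSIX sh way (no bash [[ ]] pattern matching) to get the right answer. The running-container list is a constructed sample.

```shell
#!/bin/sh
# Added example (not c3-ctl's code): compare a container name against a
# list of running containers without matching on substrings.

# Constructed sample of what a "list running containers" call might print.
RUNNING_SAMPLE="debian cadvisor cube-desktop"

# Buggy check: a plain grep is a substring match, so asking about 'deb'
# while 'debian' runs reports it as running.  Kept only to show the bug.
is_running_substr() {
    echo "$2" | grep -q "$1"
}

# Fixed check: compare each whitespace-separated entry for equality.
# $1: container name, $2: running-container list.  POSIX sh only.
is_running() {
    name=$1
    for c in $2; do
        [ "$c" = "$name" ] && return 0
    done
    return 1
}
```

The same exact-match rule applies anywhere a user-supplied name is compared against system state before a destructive action (delete, stop, erase); a prefix match there is a correctness bug first and, once names are chosen by untrusted tenants, a way to block or misattribute operations on another container.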
inetutils only provides whois and talk by default, we don't use
these packages, so no need to have this in our package list.
inetutils also pulls in xinetd, which we don't use, so we get
disk AND a service running .. again, another reason to drop this
from our default package list.
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
For some container images the import -> add phase can change the
umask of some directories (you can see this on docker imports).
One directory that should be 777 in the backing store is /tmp, so
we add a safety routine to make sure that is the case.
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
To save ~2 seconds on each dom0 startup, we can have the firmware sync
routine check for a 'done' flag. If found, do nothing.
When we install new firmware, we can clear the flag and the sync will
re-run on the next boot (or sooner if you manually call it).
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>