* [ptxdist] [PATCH v3] lxc: add new package @ 2018-08-30 7:35 Michael Grzeschik 2018-08-30 14:10 ` Michael Olbrich 0 siblings, 1 reply; 3+ messages in thread From: Michael Grzeschik @ 2018-08-30 7:35 UTC (permalink / raw) To: ptxdist This patch adds support for the lxc container system. We install the userspace lib and application. To make sure all necessary kernel options are enabled use: $ CONFIG=/path/to/kernelconfig lxc-checkconfig Signed-off-by: Michael Grzeschik <m.grzeschik@pengutronix.de> --- v1 -> v2: - prefixed used variables with PTXCONF_ : LXC_TEMPLATES, LXC_HOOKS, LXC_SELINUX - fixed used variable LXC_SYSTEMD_UNIT - added missing dir /usr/lib/lxc/rootfs - added dependency to busybox tools when using templates - added dependency to iptables when starting systemd.service - removed some extra commented unused options - removed hooks - only installing busybox template - added dependency to busybox_umount v2 -> v3: - removed the busybox template and its dependencies - added patch for dnsmasq to start without dns support - added install stage to include getent from toolchain ...te-new-lxcbr0-subnet-at-startup-time.patch | 134 +++++++++++ ...-net-start-dnsmasq-without-dnsserver.patch | 24 ++ patches/lxc-3.0.1/series | 2 + projectroot/etc/default/lxc-net | 7 + projectroot/etc/lxc/default.conf | 4 + rules/lxc.in | 61 +++++ rules/lxc.make | 211 ++++++++++++++++++ 7 files changed, 443 insertions(+) create mode 100644 patches/lxc-3.0.1/0001-Allocate-new-lxcbr0-subnet-at-startup-time.patch create mode 100644 patches/lxc-3.0.1/0002-lxc-net-start-dnsmasq-without-dnsserver.patch create mode 100644 patches/lxc-3.0.1/series create mode 100644 projectroot/etc/default/lxc-net create mode 100644 projectroot/etc/lxc/default.conf create mode 100644 rules/lxc.in create mode 100644 rules/lxc.make 
diff --git a/patches/lxc-3.0.1/0001-Allocate-new-lxcbr0-subnet-at-startup-time.patch b/patches/lxc-3.0.1/0001-Allocate-new-lxcbr0-subnet-at-startup-time.patch new file mode 100644 index 000000000..a1fddbea4 --- /dev/null +++ b/patches/lxc-3.0.1/0001-Allocate-new-lxcbr0-subnet-at-startup-time.patch 
@@ -0,0 +1,134 @@ +From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber@ubuntu.com> +Date: Tue, 3 Nov 2015 11:42:58 -0500 +Subject: [PATCH] Allocate new lxcbr0 subnet at startup time + +--- + config/init/common/lxc-net.in | 100 ++++++++++++++++++++++++++++++++++++++---- + 1 file changed, 91 insertions(+), 9 deletions(-) + +diff --git a/config/init/common/lxc-net.in b/config/init/common/lxc-net.in +index df9f1181d761..6837be1969c2 100644 +--- a/config/init/common/lxc-net.in ++++ b/config/init/common/lxc-net.in +@@ -24,6 +24,85 @@ LXC_IPV6_MASK="" + LXC_IPV6_NETWORK="" + LXC_IPV6_NAT="false" + ++write_lxc_net() ++{ ++ local i=$1 ++ cat >> $distrosysconfdir/lxc-net << EOF ++# Leave USE_LXC_BRIDGE as "true" if you want to use lxcbr0 for your ++# containers. Set to "false" if you'll use virbr0 or another existing ++# bridge, or mavlan to your host's NIC. ++USE_LXC_BRIDGE="true" ++ ++# If you change the LXC_BRIDGE to something other than lxcbr0, then ++# you will also need to update your /etc/lxc/default.conf as well as the ++# configuration (/var/lib/lxc/<container>/config) for any containers ++# already created using the default config to reflect the new bridge ++# name. ++# If you have the dnsmasq daemon installed, you'll also have to update ++# /etc/dnsmasq.d/lxc and restart the system wide dnsmasq daemon. ++LXC_BRIDGE="lxcbr0" ++LXC_ADDR="10.0.$i.1" ++LXC_NETMASK="255.255.255.0" ++LXC_NETWORK="10.0.$i.0/24" ++LXC_DHCP_RANGE="10.0.$i.2,10.0.$i.254" ++LXC_DHCP_MAX="253" ++# Uncomment the next line if you'd like to use a conf-file for the lxcbr0 ++# dnsmasq. For instance, you can use 'dhcp-host=mail1,10.0.3.100' to have ++# container 'mail1' always get ip address 10.0.3.100. ++#LXC_DHCP_CONFILE=/etc/lxc/dnsmasq.conf ++ ++# Uncomment the next line if you want lxcbr0's dnsmasq to resolve the .lxc ++# domain. 
You can then add "server=/lxc/10.0.$i.1' (or your actual \$LXC_ADDR) ++# to your system dnsmasq configuration file (normally /etc/dnsmasq.conf, ++# or /etc/NetworkManager/dnsmasq.d/lxc.conf on systems that use NetworkManager). ++# Once these changes are made, restart the lxc-net and network-manager services. ++# 'container1.lxc' will then resolve on your host. ++#LXC_DOMAIN="lxc" ++EOF ++} ++ ++configure_lxcbr0() ++{ ++ local i=3 ++ cat > $distrosysconfdir/lxc-net << EOF ++# This file is auto-generated by lxc.postinst if it does not ++# exist. Customizations will not be overridden. ++EOF ++ # if lxcbr0 exists, keep using the same network ++ if ip addr show lxcbr0 > /dev/null 2>&1 ; then ++ i=`ip addr show lxcbr0 | grep "inet\>" | awk '{ print $2 }' | awk -F. '{ print $3 }'` ++ write_lxc_net $i ++ return ++ fi ++ # if no lxcbr0, find an open 10.0.a.0 network ++ for l in `ip addr show | grep "inet\>" |awk '{ print $2 }' | grep '^10\.0\.' | sort -n`; do ++ j=`echo $l | awk -F. '{ print $3 }'` ++ if [ $j -gt $i ]; then ++ write_lxc_net $i ++ return ++ fi ++ i=$((j+1)) ++ done ++ if [ $i -ne 254 ]; then ++ write_lxc_net $i ++ fi ++} ++ ++update_lxcnet_config() ++{ ++ local i=3 ++ # if lxcbr0 exists, keep using the same network ++ if ip addr show lxcbr0 > /dev/null 2>&1 ; then ++ return ++ fi ++ # our LXC_NET conflicts with an existing interface. Probably first ++ # run after system install with package pre-install. Find a new subnet ++ configure_lxcbr0 ++ ++ # and re-load the newly created config ++ [ ! -f $distrosysconfdir/lxc-net ] || . $distrosysconfdir/lxc-net ++} ++ + [ ! -f $distrosysconfdir/lxc ] || . $distrosysconfdir/lxc + + use_iptables_lock="-w" +@@ -51,7 +130,19 @@ _ifup() { + ip link set dev ${LXC_BRIDGE} up + } + ++cleanup() { ++ set +e ++ if [ "$FAILED" = "1" ]; then ++ echo "Failed to setup lxc-net." >&2 ++ stop force ++ exit 1 ++ fi ++} ++ + start() { ++ ++ [ ! 
-f $distrosysconfdir/lxc-net ] && update_lxcnet_config ++ + [ "x$USE_LXC_BRIDGE" = "xtrue" ] || { exit 0; } + + [ ! -f "${varrun}/network_up" ] || { echo "lxc-net is already running"; exit 1; } +@@ -62,15 +153,6 @@ start() { + + FAILED=1 + +- cleanup() { +- set +e +- if [ "$FAILED" = "1" ]; then +- echo "Failed to setup lxc-net." >&2 +- stop force +- exit 1 +- fi +- } +- + trap cleanup EXIT HUP INT TERM + set -e + diff --git a/patches/lxc-3.0.1/0002-lxc-net-start-dnsmasq-without-dnsserver.patch b/patches/lxc-3.0.1/0002-lxc-net-start-dnsmasq-without-dnsserver.patch new file mode 100644 index 000000000..a8cbf3fe2 --- /dev/null +++ b/patches/lxc-3.0.1/0002-lxc-net-start-dnsmasq-without-dnsserver.patch @@ -0,0 +1,24 @@ +From: Michael Grzeschik <m.grzeschik@pengutronix.de> +Date: Wed, 29 Aug 2018 16:50:50 +0200 +Subject: [PATCH] lxc-net: start dnsmasq without dnsserver + +So it does not conflict with the systems dnsmasq systemd-service. + +Signed-off-by: Michael Grzeschik <m.grzeschik@pengutronix.de> +--- + config/init/common/lxc-net.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/config/init/common/lxc-net.in b/config/init/common/lxc-net.in +index 6837be1969c2..84128d59486b 100644 +--- a/config/init/common/lxc-net.in ++++ b/config/init/common/lxc-net.in +@@ -221,7 +221,7 @@ start() { + --dhcp-lease-max=${LXC_DHCP_MAX} --dhcp-no-override \ + --except-interface=lo --interface=${LXC_BRIDGE} \ + --dhcp-leasefile="${varlib}"/misc/dnsmasq.${LXC_BRIDGE}.leases \ +- --dhcp-authoritative $LXC_IPV6_ARG || cleanup ++ --dhcp-authoritative $LXC_IPV6_ARG --port=0 || cleanup + + touch "${varrun}"/network_up + FAILED=0 diff --git a/patches/lxc-3.0.1/series b/patches/lxc-3.0.1/series new file mode 100644 index 000000000..eec508771 --- /dev/null +++ b/patches/lxc-3.0.1/series @@ -0,0 +1,2 @@ +0001-Allocate-new-lxcbr0-subnet-at-startup-time.patch +0002-lxc-net-start-dnsmasq-without-dnsserver.patch 
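Review bot: The gap search in `configure_lxcbr0` assumes the candidate list is ordered by third octet, but `sort -n` applied to strings such as `10.0.12.0/24` compares only the leading `10`, so the loop walks the addresses in whatever order `ip addr show` printed them and can hand out a subnet that is already in use. Sorting on the extracted octet instead, e.g. piping through `awk -F. '{ print $3 }' | sort -n` before the loop (which makes the inner `j=` extraction redundant), gives the loop the ordering it needs. The generated file is also written under an unquoted `$distrosysconfdir` and later sourced with `.`; quoting it as `"$distrosysconfdir/lxc-net"` keeps the script robust to a path containing spaces. The patched `start()` continues beyond the end of this hunk.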
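Review bot: `--port=0` is hard-coded into the patched init script, so a deployment that does want the bridge-side resolver has to carry its own patch on top of this one. Making it a setting in `/etc/default/lxc-net` (e.g. a new `LXC_DNSMASQ_EXTRA_ARGS` variable, empty by default, appended to the dnsmasq command line) would let the projectroot file decide instead of the patch. The commit message should also name the concrete conflict; from the visible change it appears to be port 53 on the bridge address, but that is inferred.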
diff --git a/projectroot/etc/default/lxc-net b/projectroot/etc/default/lxc-net
new file mode 100644
index 000000000..054a09a0a
--- /dev/null
+++ b/projectroot/etc/default/lxc-net
@@ -0,0 +1,7 @@
+USE_LXC_BRIDGE="true"
+LXC_BRIDGE="lxcbr0"
+LXC_ADDR="192.168.1.1"
+LXC_NETMASK="255.255.255.0"
+LXC_NETWORK="192.168.1.0/24"
+LXC_DHCP_RANGE="192.168.1.2,192.168.1.254"
+LXC_DHCP_MAX="253"
diff --git a/projectroot/etc/lxc/default.conf b/projectroot/etc/lxc/default.conf
new file mode 100644
index 000000000..e7af1e6ae
--- /dev/null
+++ b/projectroot/etc/lxc/default.conf
@@ -0,0 +1,4 @@
+lxc.net.0.type = veth
+lxc.net.0.link = lxcbr0
+lxc.net.0.flags = up
+lxc.net.0.hwaddr = 00:16:3e:11:22:34
diff --git a/rules/lxc.in b/rules/lxc.in
new file mode 100644
index 000000000..fde637b0d
--- /dev/null
+++ b/rules/lxc.in
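Review bot: `LXC_NETWORK="192.168.1.0/24"` (with the matching `LXC_ADDR` and `LXC_DHCP_RANGE`) places the container bridge on the most widely used private LAN range, so on any target whose uplink already is 192.168.1.0/24 the bridge route shadows the real network and the masquerade rules lxc-net installs via iptables act on traffic that should be left alone. Upstream defaults to `10.0.3.0/24`, and the comments carried in the 0001 patch assume that range too (`dhcp-host=mail1,10.0.3.100`); either keep the upstream default or add a comment explaining why the project default differs.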
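Review bot: `lxc.net.0.hwaddr = 00:16:3e:11:22:34` gives every container created from this default config the same MAC address, so two running containers collide on lxcbr0 and end up with each other's DHCP lease. Upstream's default.conf uses `lxc.net.0.hwaddr = 00:16:3e:xx:xx:xx`, where lxc substitutes a random hex digit for each `x` when the container is created; that line should replace the fixed address.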
@@ -0,0 +1,61 @@
+## SECTION=system_libraries
+
+menuconfig LXC
+ bool
+ prompt "lxc "
+ select GNUTLS if LXC_GNUTLS
+ select LIBSELINUX if LXC_SELINUX
+ select LIBSECCOMP if LXC_SECCOMP
+ select BUSYBOX_FEATURE_SH_MATH if LXC_SYSTEMD_UNIT
+ select SYSTEMD if LXC_SYSTEMD_UNIT
+ select DNSMASQ if LXC_SYSTEMD_UNIT
+ select IPTABLES if LXC_SYSTEMD_UNIT
+ select IPTABLES_IPV4 if LXC_SYSTEMD_UNIT
+ select IPTABLES_IPV6 if LXC_SYSTEMD_UNIT
+ select IPTABLES_IPV6_SYSTEMD_UNIT if LXC_SYSTEMD_UNIT
+ select IPTABLES_IPV4_SYSTEMD_UNIT if LXC_SYSTEMD_UNIT
+ select IPTABLES_INSTALL_TOOLS if LXC_SYSTEMD_UNIT
+ help
+ LXC is a userspace interface for the Linux kernel containment
+ features. Through a powerful API and simple tools, it lets
+ Linux users easily create and manage system or application
+ containers.
+
+if LXC
+
+config LXC_GNUTLS
+ bool
+ prompt "LXC gnutls support"
+ default n
+ help
+ Turn on to enable gnutls support in lxc
+
+config LXC_SELINUX
+ bool
+ prompt "LXC selinux support"
+ default n
+ help
+ Turn on to enable selinux support in lxc
+
+config LXC_SECCOMP
+ bool
+ prompt "LXC seccomp support"
+ default n
+ help
+ Turn on to enable seccomp support in lxc
+
+config LXC_SYSTEMD_UNIT
+ bool
+ prompt "LXC systemd unit"
+ default INITMETHOD_SYSTEMD
+ help
+ Turn on to install systemd unit for lxc
+
+config LXC_TEST_TOOLS
+ bool
+ prompt "LXC test applications"
+ default n
+ help
+ Turn on to enable building the lxc test applications
+
+endif
diff --git a/rules/lxc.make b/rules/lxc.make
new file mode 100644
index 000000000..1eadc6d96
--- /dev/null
+++ b/rules/lxc.make
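Review bot: The `select DNSMASQ` and `select IPTABLES*` lines are all conditioned on `LXC_SYSTEMD_UNIT`, yet rules/lxc.make installs the `lxc-net` helper into `/usr/libexec/lxc` unconditionally, and that script needs dnsmasq and iptables at run time; a build without the unit option therefore ships a script whose tools are absent. Either make those selects unconditional or install `lxc-net` only under the same option. Separately, `--enable-capabilities` in lxc.make appears to link against libcap, and there is no corresponding `select LIBCAP` here; worth confirming against lxc's configure script.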
@@ -0,0 +1,211 @@
+# -*-makefile-*-
+#
+# Copyright (C) 2018 by Michael Grzeschik <mgr@pengutronix.de>
+#
+# See CREDITS for details about who has contributed to this project.
+#
+# For further information about the PTXdist project and license conditions
+# see the README file.
+#
+
+#
+# We provide this package
+#
+PACKAGES-$(PTXCONF_LXC) += lxc
+
+#
+# Paths and names
+#
+LXC_VERSION := 3.0.1
+LXC_MD5 := 8eb396dde561e5832ba2d505513a1935
+LXC := lxc-$(LXC_VERSION)
+LXC_SUFFIX := tar.gz
+LXC_URL := https://linuxcontainers.org/downloads/lxc/$(LXC).$(LXC_SUFFIX)
+LXC_SOURCE := $(SRCDIR)/$(LXC).$(LXC_SUFFIX)
+LXC_DIR := $(BUILDDIR)/$(LXC)
+LXC_LICENSE := unknown
+
+# ----------------------------------------------------------------------------
+# Prepare
+# ----------------------------------------------------------------------------
+
+#LXC_CONF_ENV := $(CROSS_ENV)
+
+#
+# autoconf
+#
+LXC_CONF_TOOL := autoconf
+LXC_CONF_OPT := \
+ $(CROSS_AUTOCONF_USR) \
+ --enable-silent-rules \
+ --enable-dependency-tracking \
+ --enable-shared \
+ --disable-static \
+ --disable-fast-install \
+ --disable-libtool-lock \
+ --disable-werror \
+ --disable-rpath \
+ --disable-doc \
+ --disable-api-docs \
+ --disable-apparmor \
+ --$(call ptx/endis, PTXCONF_LXC_GNUTLS)-gnutls \
+ --$(call ptx/endis, PTXCONF_LXC_SELINUX)-selinux \
+ --$(call ptx/endis, PTXCONF_LXC_SECCOMP)-seccomp \
+ --enable-capabilities \
+ --enable-examples \
+ --disable-mutex-debugging \
+ --disable-bash \
+ --enable-tools \
+ --enable-commands \
+ --$(call ptx/endis, PTXCONF_LXC_TEST_TOOLS)-tests \
+ --enable-configpath-log \
+ --disable-pam \
+ --with-init-script=systemd \
+ --with-systemdsystemunitdir=/usr/lib/systemd/system/ \
+ --with-distro=unknown \
+ --with-usernic-conf \
+ --with-usernic-db \
+ --with-log-path=/var/log \
+ --with-pamdir=none
+
+LXC_APPLICATIONS := \
+ copy \
+ cgroup \
+ create \
+ snapshot \
+ freeze \
+ config \
+ monitor \
+ unfreeze \
+ device \
+ destroy \
+ ls \
+ console \
+ wait \
+ execute \
+ update-config \
+ stop \
+ checkconfig \
+ checkpoint \
+ usernsexec \
+ attach \
+ start \
+ top \
+ info \
+ autostart \
+ unshare
+
+ifdef PTXCONF_LXC_TEST_TOOLS
+LXC_TEST_TOOLS := \
+ containertests \
+ may-control \
+ console \
+ locktests \
+ no-new-privs \
+ snapshot \
+ concurrent \
+ shutdowntest \
+ cgpath \
+ get_item \
+ criu-check-feature \
+ apparmor \
+ share-ns \
+ saveconfig \
+ clonetest \
+ createtest \
+ createconfig \
+ shortlived \
+ rootfs \
+ getkeys \
+ console-log \
+ attach \
+ reboot \
+ automount \
+ api-reboot \
+ destroytest \
+ startone \
+ raw-clone \
+ parse-config-file \
+ config-jump-table \
+ autostart \
+ state-server \
+ list \
+ device-add-remove \
+ cloneconfig \
+ utils \
+ lxcpath
+endif
+
+# ----------------------------------------------------------------------------
+# Target-Install
+# ----------------------------------------------------------------------------
+
+$(STATEDIR)/lxc.targetinstall:
+ @$(call targetinfo)
+
+ @$(call install_init, lxc)
+ @$(call install_fixup, lxc, PRIORITY, optional)
+ @$(call install_fixup, lxc, SECTION, base)
+ @$(call install_fixup, lxc, AUTHOR, "Michael Grzeschik <mgr@pengutronix.de>")
+ @$(call install_fixup, lxc, DESCRIPTION, missing)
+
+ @$(call install_lib, lxc, 0, 0, 0644, liblxc);
+
+ @$(call install_copy, lxc, 0, 0, 0644, /var/lib/lxc);
+ @$(call install_copy, lxc, 0, 0, 0644, /usr/lib/lxc/rootfs);
+
+ @$(call install_tree, lxc, 0, 0, -, /usr/share/lxc/config);
+
+ifdef PTXCONF_LXC_SELINUX
+ @$(call install_tree, lxc, 0, 0, -, /usr/share/lxc/selinux);
+endif
+
+ @$(call install_alternative, lxc, 0, 0, 0644, /etc/lxc/default.conf);
+ @$(call install_alternative, lxc, 0, 0, 0644, /etc/default/lxc-net);
+
+ @$(call install_copy, lxc, 0, 0, 0644, -, /etc/default/lxc)
+
+ @$(foreach app, $(LXC_APPLICATIONS), \
+ $(call install_copy, lxc, 0, 0, 0755, $(LXC_PKGDIR)/usr/bin/lxc-$(app), \
+ /usr/bin/lxc-$(app))$(ptx/nl))
+
+ @$(foreach app, \
+ containers \
+ net \
+ apparmor-load \
+ user-nic \
+ monitord, \
+ $(call install_copy, lxc, 0, 0, 0755, -, \
+ /usr/libexec/lxc/lxc-$(app))$(ptx/nl))
+
+# This is needed by /usr/libexec/lxc/lxc-net
+ @$(call install_copy, lxc, 0, 0, 0755, \
+ $(PTXDIST_SYSROOT_TOOLCHAIN)/usr/bin/getent, /usr/bin/getent)
+
+ifdef PTXCONF_LXC_TEST_TOOLS
+ @$(foreach app, $(LXC_TEST_TOOLS), \
+ $(call install_copy, lxc, 0, 0, 0755, $(LXC_PKGDIR)/usr/bin/lxc-test-$(app), \
+ /usr/bin/lxc-tests/$(app))$(ptx/nl))
+endif
+
+ifdef PTXCONF_LXC_SYSTEMD_UNIT
+ @$(foreach rule, \
+ lxc.service \
+ lxc@.service \
+ lxc-net.service, \
+ $(call install_copy, lxc, 0, 0, 0644, -, \
+ /usr/lib/systemd/system/$(rule))$(ptx/nl))
+
+ @$(foreach rule, \
+ lxc.service \
+ lxc@.service \
+ lxc-net.service, \
+ $(call install_link, lxc, ../$(rule), \
+ /usr/lib/systemd/system/multi-user.target.wants/$(rule))$(ptx/nl))
+endif
+
+ @$(call install_finish, lxc)
+
+ @$(call touch)
+
+# vim: syntax=make
-- 2.18.0 _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de ^ permalink raw reply [flat|nested] 3+ messages in thread
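Review bot: `install_copy, lxc, 0, 0, 0644, /var/lib/lxc` and the following `/usr/lib/lxc/rootfs` line create directories without the execute bit, so nothing but root can traverse them; `/usr/lib/lxc/rootfs` is a mount point and should be `0755`, while `/var/lib/lxc` holds container configs and root filesystems and a restrictive but traversable `0700` fits it better. `LXC_LICENSE := unknown` should be replaced by the real license (as far as I know liblxc is LGPL-2.1-or-later and several of the tools are GPL-2.0-only), ideally together with `LXC_LICENSE_FILES` so the license text is checked at build time. The trailing `;` after the `install_lib`/`install_copy`/`install_tree`/`install_alternative` calls is not used elsewhere in ptxdist rules and can be dropped for consistency.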
* Re: [ptxdist] [PATCH v3] lxc: add new package 2018-08-30 7:35 [ptxdist] [PATCH v3] lxc: add new package Michael Grzeschik @ 2018-08-30 14:10 ` Michael Olbrich 2018-08-31 9:38 ` Michael Grzeschik 0 siblings, 1 reply; 3+ messages in thread From: Michael Olbrich @ 2018-08-30 14:10 UTC (permalink / raw) To: ptxdist On Thu, Aug 30, 2018 at 09:35:50AM +0200, Michael Grzeschik wrote: > This patch adds support for the lxc container system. We install the > userspace lib and application. > > To make sure all necessary kernel options are enabled use: > $ CONFIG=/path/to/kernelconfig lxc-checkconfig 
> > Signed-off-by: Michael Grzeschik <m.grzeschik@pengutronix.de> > --- > v1 -> v2: - prefixed used variables with PTXCONF_ : > LXC_TEMPLATES, LXC_HOOKS, LXC_SELINUX > - fixed used variable LXC_SYSTEMD_UNIT > - added missing dir /usr/lib/lxc/rootfs > - added dependency to busybox tools when using templates > - added dependency to iptables when starting systemd.service > - removed some extra commented unused options > - removed hooks > - only installing busybox template > - added dependency to busybox_umount > > v2 -> v3: - removed the busybox template and its dependencies > - added patch for dnsmasq to start without dns support > - added install stage to include getent from toolchain > > ...te-new-lxcbr0-subnet-at-startup-time.patch | 134 +++++++++++ > ...-net-start-dnsmasq-without-dnsserver.patch | 24 ++ > patches/lxc-3.0.1/series | 2 + > projectroot/etc/default/lxc-net | 7 + > projectroot/etc/lxc/default.conf | 4 + > rules/lxc.in | 61 +++++ > rules/lxc.make | 211 ++++++++++++++++++ > 7 files changed, 443 insertions(+) > create mode 100644 patches/lxc-3.0.1/0001-Allocate-new-lxcbr0-subnet-at-startup-time.patch > create mode 100644 patches/lxc-3.0.1/0002-lxc-net-start-dnsmasq-without-dnsserver.patch > create mode 100644 patches/lxc-3.0.1/series > create mode 100644 projectroot/etc/default/lxc-net > create mode 100644 projectroot/etc/lxc/default.conf > create mode 100644 rules/lxc.in > create mode 100644 rules/lxc.make > > diff --git a/patches/lxc-3.0.1/0001-Allocate-new-lxcbr0-subnet-at-startup-time.patch b/patches/lxc-3.0.1/0001-Allocate-new-lxcbr0-subnet-at-startup-time.patch > new file mode 100644 > index 000000000..a1fddbea4 > --- /dev/null > +++ b/patches/lxc-3.0.1/0001-Allocate-new-lxcbr0-subnet-at-startup-time.patch 
> @@ -0,0 +1,134 @@ > +From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber@ubuntu.com> > +Date: Tue, 3 Nov 2015 11:42:58 -0500 > +Subject: [PATCH] Allocate new lxcbr0 subnet at startup time > + > +--- > + config/init/common/lxc-net.in | 100 ++++++++++++++++++++++++++++++++++++++---- > + 1 file changed, 91 insertions(+), 9 deletions(-) > + > +diff --git a/config/init/common/lxc-net.in b/config/init/common/lxc-net.in > +index df9f1181d761..6837be1969c2 100644 > +--- a/config/init/common/lxc-net.in > ++++ b/config/init/common/lxc-net.in > +@@ -24,6 +24,85 @@ LXC_IPV6_MASK="" > + LXC_IPV6_NETWORK="" > + LXC_IPV6_NAT="false" > + > ++write_lxc_net() > ++{ > ++ local i=$1 > ++ cat >> $distrosysconfdir/lxc-net << EOF > ++# Leave USE_LXC_BRIDGE as "true" if you want to use lxcbr0 for your > ++# containers. Set to "false" if you'll use virbr0 or another existing > ++# bridge, or mavlan to your host's NIC. > ++USE_LXC_BRIDGE="true" > ++ > ++# If you change the LXC_BRIDGE to something other than lxcbr0, then > ++# you will also need to update your /etc/lxc/default.conf as well as the > ++# configuration (/var/lib/lxc/<container>/config) for any containers > ++# already created using the default config to reflect the new bridge > ++# name. > ++# If you have the dnsmasq daemon installed, you'll also have to update > ++# /etc/dnsmasq.d/lxc and restart the system wide dnsmasq daemon. > ++LXC_BRIDGE="lxcbr0" > ++LXC_ADDR="10.0.$i.1" > ++LXC_NETMASK="255.255.255.0" > ++LXC_NETWORK="10.0.$i.0/24" > ++LXC_DHCP_RANGE="10.0.$i.2,10.0.$i.254" > ++LXC_DHCP_MAX="253" > ++# Uncomment the next line if you'd like to use a conf-file for the lxcbr0 > ++# dnsmasq. For instance, you can use 'dhcp-host=mail1,10.0.3.100' to have > ++# container 'mail1' always get ip address 10.0.3.100. > ++#LXC_DHCP_CONFILE=/etc/lxc/dnsmasq.conf > ++ > ++# Uncomment the next line if you want lxcbr0's dnsmasq to resolve the .lxc > ++# domain. 
You can then add "server=/lxc/10.0.$i.1' (or your actual \$LXC_ADDR) > ++# to your system dnsmasq configuration file (normally /etc/dnsmasq.conf, > ++# or /etc/NetworkManager/dnsmasq.d/lxc.conf on systems that use NetworkManager). > ++# Once these changes are made, restart the lxc-net and network-manager services. > ++# 'container1.lxc' will then resolve on your host. > ++#LXC_DOMAIN="lxc" > ++EOF > ++} > ++ > ++configure_lxcbr0() > ++{ > ++ local i=3 > ++ cat > $distrosysconfdir/lxc-net << EOF > ++# This file is auto-generated by lxc.postinst if it does not > ++# exist. Customizations will not be overridden. > ++EOF > ++ # if lxcbr0 exists, keep using the same network > ++ if ip addr show lxcbr0 > /dev/null 2>&1 ; then > ++ i=`ip addr show lxcbr0 | grep "inet\>" | awk '{ print $2 }' | awk -F. '{ print $3 }'` > ++ write_lxc_net $i > ++ return > ++ fi > ++ # if no lxcbr0, find an open 10.0.a.0 network > ++ for l in `ip addr show | grep "inet\>" |awk '{ print $2 }' | grep '^10\.0\.' | sort -n`; do > ++ j=`echo $l | awk -F. '{ print $3 }'` > ++ if [ $j -gt $i ]; then > ++ write_lxc_net $i > ++ return > ++ fi > ++ i=$((j+1)) > ++ done > ++ if [ $i -ne 254 ]; then > ++ write_lxc_net $i > ++ fi > ++} > ++ > ++update_lxcnet_config() > ++{ > ++ local i=3 > ++ # if lxcbr0 exists, keep using the same network > ++ if ip addr show lxcbr0 > /dev/null 2>&1 ; then > ++ return > ++ fi > ++ # our LXC_NET conflicts with an existing interface. Probably first > ++ # run after system install with package pre-install. Find a new subnet > ++ configure_lxcbr0 > ++ > ++ # and re-load the newly created config > ++ [ ! -f $distrosysconfdir/lxc-net ] || . $distrosysconfdir/lxc-net > ++} > ++ > + [ ! -f $distrosysconfdir/lxc ] || . $distrosysconfdir/lxc > + > + use_iptables_lock="-w" > +@@ -51,7 +130,19 @@ _ifup() { > + ip link set dev ${LXC_BRIDGE} up > + } > + > ++cleanup() { > ++ set +e > ++ if [ "$FAILED" = "1" ]; then > ++ echo "Failed to setup lxc-net." 
>&2 > ++ stop force > ++ exit 1 > ++ fi > ++} > ++ > + start() { > ++ > ++ [ ! -f $distrosysconfdir/lxc-net ] && update_lxcnet_config This patch looks wrong. It only does something new if the config does not exist, right? That should never happen for embedded. Why is this patch needed? > ++ > + [ "x$USE_LXC_BRIDGE" = "xtrue" ] || { exit 0; } > + > + [ ! -f "${varrun}/network_up" ] || { echo "lxc-net is already running"; exit 1; } > +@@ -62,15 +153,6 @@ start() { > + > + FAILED=1 > + > +- cleanup() { > +- set +e > +- if [ "$FAILED" = "1" ]; then > +- echo "Failed to setup lxc-net." >&2 > +- stop force > +- exit 1 > +- fi > +- } > +- > + trap cleanup EXIT HUP INT TERM > + set -e > + > diff --git a/patches/lxc-3.0.1/0002-lxc-net-start-dnsmasq-without-dnsserver.patch b/patches/lxc-3.0.1/0002-lxc-net-start-dnsmasq-without-dnsserver.patch > new file mode 100644 > index 000000000..a8cbf3fe2 > --- /dev/null > +++ b/patches/lxc-3.0.1/0002-lxc-net-start-dnsmasq-without-dnsserver.patch 
> @@ -0,0 +1,24 @@ > +From: Michael Grzeschik <m.grzeschik@pengutronix.de> > +Date: Wed, 29 Aug 2018 16:50:50 +0200 > +Subject: [PATCH] lxc-net: start dnsmasq without dnsserver > + > +So it does not conflict with the systems dnsmasq systemd-service. > + > +Signed-off-by: Michael Grzeschik <m.grzeschik@pengutronix.de> > +--- > + config/init/common/lxc-net.in | 2 +- > + 1 file changed, 1 insertion(+), 1 deletion(-) > + > +diff --git a/config/init/common/lxc-net.in b/config/init/common/lxc-net.in > +index 6837be1969c2..84128d59486b 100644 > +--- a/config/init/common/lxc-net.in > ++++ b/config/init/common/lxc-net.in > +@@ -221,7 +221,7 @@ start() { > + --dhcp-lease-max=${LXC_DHCP_MAX} --dhcp-no-override \ > + --except-interface=lo --interface=${LXC_BRIDGE} \ > + --dhcp-leasefile="${varlib}"/misc/dnsmasq.${LXC_BRIDGE}.leases \ > +- --dhcp-authoritative $LXC_IPV6_ARG || cleanup > ++ --dhcp-authoritative $LXC_IPV6_ARG --port=0 || cleanup I think this this should be --bind-interfaces instead. Otherwise the services in the container will have no DNS right? > + > + touch "${varrun}"/network_up > + FAILED=0 > diff --git a/patches/lxc-3.0.1/series b/patches/lxc-3.0.1/series > new file mode 100644 > index 000000000..eec508771 > --- /dev/null > +++ b/patches/lxc-3.0.1/series > @@ -0,0 +1,2 @@ > +0001-Allocate-new-lxcbr0-subnet-at-startup-time.patch > +0002-lxc-net-start-dnsmasq-without-dnsserver.patch > diff --git a/projectroot/etc/default/lxc-net b/projectroot/etc/default/lxc-net > new file mode 100644 > index 000000000..054a09a0a > --- /dev/null > +++ b/projectroot/etc/default/lxc-net > @@ -0,0 +1,7 @@ > +USE_LXC_BRIDGE="true" > +LXC_BRIDGE="lxcbr0" > +LXC_ADDR="192.168.1.1" > +LXC_NETMASK="255.255.255.0" > +LXC_NETWORK="192.168.1.0/24" > +LXC_DHCP_RANGE="192.168.1.2,192.168.1.254" > +LXC_DHCP_MAX="253" > diff --git a/projectroot/etc/lxc/default.conf b/projectroot/etc/lxc/default.conf > new file mode 100644 > index 000000000..e7af1e6ae > --- /dev/null 
> +++ b/projectroot/etc/lxc/default.conf > @@ -0,0 +1,4 @@ > +lxc.net.0.type = veth > +lxc.net.0.link = lxcbr0 > +lxc.net.0.flags = up > +lxc.net.0.hwaddr = 00:16:3e:11:22:34 > diff --git a/rules/lxc.in b/rules/lxc.in > new file mode 100644 > index 000000000..fde637b0d > --- /dev/null > +++ b/rules/lxc.in 
> @@ -0,0 +1,61 @@ > +## SECTION=system_libraries > + > +menuconfig LXC > + bool > + prompt "lxc " > + select GNUTLS if LXC_GNUTLS > + select LIBSELINUX if LXC_SELINUX > + select LIBSECCOMP if LXC_SECCOMP > + select BUSYBOX_FEATURE_SH_MATH if LXC_SYSTEMD_UNIT > + select SYSTEMD if LXC_SYSTEMD_UNIT > + select DNSMASQ if LXC_SYSTEMD_UNIT > + select IPTABLES if LXC_SYSTEMD_UNIT > + select IPTABLES_IPV4 if LXC_SYSTEMD_UNIT > + select IPTABLES_IPV6 if LXC_SYSTEMD_UNIT > + select IPTABLES_IPV6_SYSTEMD_UNIT if LXC_SYSTEMD_UNIT > + select IPTABLES_IPV4_SYSTEMD_UNIT if LXC_SYSTEMD_UNIT Why are the units needed? > + select IPTABLES_INSTALL_TOOLS if LXC_SYSTEMD_UNIT > + help > + LXC is a userspace interface for the Linux kernel containment > + features. Through a powerful API and simple tools, it lets > + Linux users easily create and manage system or application > + containers. > + > +if LXC > + > +config LXC_GNUTLS > + bool > + prompt "LXC gnutls support" > + default n This is already the default. Remove it (everywhere). > + help > + Turn on to enable gnutls support in lxc What is gnutls used for? > + > +config LXC_SELINUX > + bool > + prompt "LXC selinux support" > + default n > + help > + Turn on to enable selinux support in lxc Use GLOBAL_SELINUX instead. > + > +config LXC_SECCOMP > + bool > + prompt "LXC seccomp support" > + default n > + help > + Turn on to enable seccomp support in lxc LXC is a security feature. I think seccomp should always be enabled. > + > +config LXC_SYSTEMD_UNIT > + bool > + prompt "LXC systemd unit" > + default INITMETHOD_SYSTEMD > + help > + Turn on to install systemd unit for lxc > + > +config LXC_TEST_TOOLS > + bool > + prompt "LXC test applications" > + default n > + help > + Turn on to enable building the lxc test applications > + > +endif > diff --git a/rules/lxc.make b/rules/lxc.make > new file mode 100644 > index 000000000..1eadc6d96 > --- /dev/null > +++ b/rules/lxc.make 
> @@ -0,0 +1,211 @@ > +# -*-makefile-*- > +# > +# Copyright (C) 2018 by Michael Grzeschik <mgr@pengutronix.de> > +# > +# See CREDITS for details about who has contributed to this project. > +# > +# For further information about the PTXdist project and license conditions > +# see the README file. > +# > + > +# > +# We provide this package > +# > +PACKAGES-$(PTXCONF_LXC) += lxc > + > +# > +# Paths and names > +# > +LXC_VERSION := 3.0.1 > +LXC_MD5 := 8eb396dde561e5832ba2d505513a1935 > +LXC := lxc-$(LXC_VERSION) > +LXC_SUFFIX := tar.gz > +LXC_URL := https://linuxcontainers.org/downloads/lxc/$(LXC).$(LXC_SUFFIX) > +LXC_SOURCE := $(SRCDIR)/$(LXC).$(LXC_SUFFIX) > +LXC_DIR := $(BUILDDIR)/$(LXC) > +LXC_LICENSE := unknown > + > +# ---------------------------------------------------------------------------- > +# Prepare > +# ---------------------------------------------------------------------------- > + > +#LXC_CONF_ENV := $(CROSS_ENV) > + > +# > +# autoconf > +# > +LXC_CONF_TOOL := autoconf > +LXC_CONF_OPT := \ > + $(CROSS_AUTOCONF_USR) \ > + --enable-silent-rules \ > + --enable-dependency-tracking \ > + --enable-shared \ > + --disable-static \ > + --disable-fast-install \ > + --disable-libtool-lock \ > + --disable-werror \ > + --disable-rpath \ > + --disable-doc \ > + --disable-api-docs \ > + --disable-apparmor \ > + --$(call ptx/endis, PTXCONF_LXC_GNUTLS)-gnutls \ > + --$(call ptx/endis, PTXCONF_LXC_SELINUX)-selinux \ > + --$(call ptx/endis, PTXCONF_LXC_SECCOMP)-seccomp \ > + --enable-capabilities \ > + --enable-examples \ why? 
> + --disable-mutex-debugging \ > + --disable-bash \ > + --enable-tools \ > + --enable-commands \ > + --$(call ptx/endis, PTXCONF_LXC_TEST_TOOLS)-tests \ > + --enable-configpath-log \ > + --disable-pam \ > + --with-init-script=systemd \ > + --with-systemdsystemunitdir=/usr/lib/systemd/system/ \ > + --with-distro=unknown \ > + --with-usernic-conf \ > + --with-usernic-db \ > + --with-log-path=/var/log \ > + --with-pamdir=none > + > +LXC_APPLICATIONS := \ > + copy \ > + cgroup \ > + create \ > + snapshot \ > + freeze \ > + config \ > + monitor \ > + unfreeze \ > + device \ > + destroy \ > + ls \ > + console \ > + wait \ > + execute \ > + update-config \ > + stop \ > + checkconfig \ > + checkpoint \ > + usernsexec \ > + attach \ > + start \ > + top \ > + info \ > + autostart \ > + unshare > + > +ifdef PTXCONF_LXC_TEST_TOOLS > +LXC_TEST_TOOLS := \ > + containertests \ > + may-control \ > + console \ > + locktests \ > + no-new-privs \ > + snapshot \ > + concurrent \ > + shutdowntest \ > + cgpath \ > + get_item \ > + criu-check-feature \ > + apparmor \ > + share-ns \ > + saveconfig \ > + clonetest \ > + createtest \ > + createconfig \ > + shortlived \ > + rootfs \ > + getkeys \ > + console-log \ > + attach \ > + reboot \ > + automount \ > + api-reboot \ > + destroytest \ > + startone \ > + raw-clone \ > + parse-config-file \ > + config-jump-table \ > + autostart \ > + state-server \ > + list \ > + device-add-remove \ > + cloneconfig \ > + utils \ > + lxcpath > +endif > + > +# ---------------------------------------------------------------------------- > +# Target-Install > +# ---------------------------------------------------------------------------- > + > +$(STATEDIR)/lxc.targetinstall: > + @$(call targetinfo) > + > + @$(call install_init, lxc) > + @$(call install_fixup, lxc, PRIORITY, optional) > + @$(call install_fixup, lxc, SECTION, base) > + @$(call install_fixup, lxc, AUTHOR, "Michael Grzeschik <mgr@pengutronix.de>") > + @$(call install_fixup, lxc, DESCRIPTION, 
missing) > + > + @$(call install_lib, lxc, 0, 0, 0644, liblxc); > + > + @$(call install_copy, lxc, 0, 0, 0644, /var/lib/lxc); > + @$(call install_copy, lxc, 0, 0, 0644, /usr/lib/lxc/rootfs); > + > + @$(call install_tree, lxc, 0, 0, -, /usr/share/lxc/config); > + > +ifdef PTXCONF_LXC_SELINUX > + @$(call install_tree, lxc, 0, 0, -, /usr/share/lxc/selinux); > +endif > + > + @$(call install_alternative, lxc, 0, 0, 0644, /etc/lxc/default.conf); > + @$(call install_alternative, lxc, 0, 0, 0644, /etc/default/lxc-net); > + > + @$(call install_copy, lxc, 0, 0, 0644, -, /etc/default/lxc) > + > + @$(foreach app, $(LXC_APPLICATIONS), \ > + $(call install_copy, lxc, 0, 0, 0755, $(LXC_PKGDIR)/usr/bin/lxc-$(app), \ > + /usr/bin/lxc-$(app))$(ptx/nl)) > + > + @$(foreach app, \ > + containers \ > + net \ > + apparmor-load \ > + user-nic \ > + monitord, \ define a variable above. > + $(call install_copy, lxc, 0, 0, 0755, -, \ > + /usr/libexec/lxc/lxc-$(app))$(ptx/nl)) > + > +# This is needed by /usr/libexec/lxc/lxc-net > + @$(call install_copy, lxc, 0, 0, 0755, \ > + $(PTXDIST_SYSROOT_TOOLCHAIN)/usr/bin/getent, /usr/bin/getent) No. Create a option for glibc and select it. > + > +ifdef PTXCONF_LXC_TEST_TOOLS > + @$(foreach app, $(LXC_TEST_TOOLS), \ > + $(call install_copy, lxc, 0, 0, 0755, $(LXC_PKGDIR)/usr/bin/lxc-test-$(app), \ > + /usr/bin/lxc-tests/$(app))$(ptx/nl)) > +endif > + > +ifdef PTXCONF_LXC_SYSTEMD_UNIT > + @$(foreach rule, \ > + lxc.service \ > + lxc@.service \ > + lxc-net.service, \ > + $(call install_copy, lxc, 0, 0, 0644, -, \ > + /usr/lib/systemd/system/$(rule))$(ptx/nl)) > + > + @$(foreach rule, \ > + lxc.service \ > + lxc@.service \ > + lxc-net.service, \ > + $(call install_link, lxc, ../$(rule), \ > + /usr/lib/systemd/system/multi-user.target.wants/$(rule))$(ptx/nl)) don't loop for 3 files. 
Michael > +endif > + > + @$(call install_finish, lxc) > + > + @$(call touch) > + > +# vim: syntax=make > -- > 2.18.0 > > > _______________________________________________ > ptxdist mailing list > ptxdist@pengutronix.de -- Pengutronix e.K. | | Industrial Linux Solutions | http://www.pengutronix.de/ | Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [ptxdist] [PATCH v3] lxc: add new package 2018-08-30 14:10 ` Michael Olbrich @ 2018-08-31 9:38 ` Michael Grzeschik 0 siblings, 0 replies; 3+ messages in thread From: Michael Grzeschik @ 2018-08-31 9:38 UTC (permalink / raw) To: ptxdist [-- Attachment #1.1: Type: text/plain, Size: 20340 bytes --] On Thu, Aug 30, 2018 at 04:10:35PM +0200, Michael Olbrich wrote: > On Thu, Aug 30, 2018 at 09:35:50AM +0200, Michael Grzeschik wrote: > > This patch adds support for the lxc container system. We install the > > userspace lib and application. > > > > To make sure all necessary kernel options are enabled use: > > $ CONFIG=/path/to/kernelconfig lxc-checkconfig 
> > > > Signed-off-by: Michael Grzeschik <m.grzeschik@pengutronix.de> > > --- > > v1 -> v2: - prefixed used variables with PTXCONF_ : > > LXC_TEMPLATES, LXC_HOOKS, LXC_SELINUX > > - fixed used variable LXC_SYSTEMD_UNIT > > - added missing dir /usr/lib/lxc/rootfs > > - added dependency to busybox tools when using templates > > - added dependency to iptables when starting systemd.service > > - removed some extra commented unused options > > - removed hooks > > - only installing busybox template > > - added dependency to busybox_umount > > > > v2 -> v3: - removed the busybox template and its dependencies > > - added patch for dnsmasq to start without dns support > > - added install stage to include getent from toolchain > > > > ...te-new-lxcbr0-subnet-at-startup-time.patch | 134 +++++++++++ > > ...-net-start-dnsmasq-without-dnsserver.patch | 24 ++ > > patches/lxc-3.0.1/series | 2 + > > projectroot/etc/default/lxc-net | 7 + > > projectroot/etc/lxc/default.conf | 4 + > > rules/lxc.in | 61 +++++ > > rules/lxc.make | 211 ++++++++++++++++++ > > 7 files changed, 443 insertions(+) > > create mode 100644 patches/lxc-3.0.1/0001-Allocate-new-lxcbr0-subnet-at-startup-time.patch > > create mode 100644 patches/lxc-3.0.1/0002-lxc-net-start-dnsmasq-without-dnsserver.patch > > create mode 100644 patches/lxc-3.0.1/series > > create mode 100644 projectroot/etc/default/lxc-net > > create mode 100644 projectroot/etc/lxc/default.conf > > create mode 100644 rules/lxc.in > > create mode 100644 rules/lxc.make > > > > diff --git a/patches/lxc-3.0.1/0001-Allocate-new-lxcbr0-subnet-at-startup-time.patch b/patches/lxc-3.0.1/0001-Allocate-new-lxcbr0-subnet-at-startup-time.patch > > new file mode 100644 > > index 000000000..a1fddbea4 > > --- /dev/null > > +++ b/patches/lxc-3.0.1/0001-Allocate-new-lxcbr0-subnet-at-startup-time.patch 
> > @@ -0,0 +1,134 @@ > > +From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber@ubuntu.com> > > +Date: Tue, 3 Nov 2015 11:42:58 -0500 > > +Subject: [PATCH] Allocate new lxcbr0 subnet at startup time > > + > > +--- > > + config/init/common/lxc-net.in | 100 ++++++++++++++++++++++++++++++++++++++---- > > + 1 file changed, 91 insertions(+), 9 deletions(-) > > + > > +diff --git a/config/init/common/lxc-net.in b/config/init/common/lxc-net.in > > +index df9f1181d761..6837be1969c2 100644 > > +--- a/config/init/common/lxc-net.in > > ++++ b/config/init/common/lxc-net.in > > +@@ -24,6 +24,85 @@ LXC_IPV6_MASK="" > > + LXC_IPV6_NETWORK="" > > + LXC_IPV6_NAT="false" > > + > > ++write_lxc_net() > > ++{ > > ++ local i=$1 > > ++ cat >> $distrosysconfdir/lxc-net << EOF > > ++# Leave USE_LXC_BRIDGE as "true" if you want to use lxcbr0 for your > > ++# containers. Set to "false" if you'll use virbr0 or another existing > > ++# bridge, or mavlan to your host's NIC. > > ++USE_LXC_BRIDGE="true" > > ++ > > ++# If you change the LXC_BRIDGE to something other than lxcbr0, then > > ++# you will also need to update your /etc/lxc/default.conf as well as the > > ++# configuration (/var/lib/lxc/<container>/config) for any containers > > ++# already created using the default config to reflect the new bridge > > ++# name. > > ++# If you have the dnsmasq daemon installed, you'll also have to update > > ++# /etc/dnsmasq.d/lxc and restart the system wide dnsmasq daemon. > > ++LXC_BRIDGE="lxcbr0" > > ++LXC_ADDR="10.0.$i.1" > > ++LXC_NETMASK="255.255.255.0" > > ++LXC_NETWORK="10.0.$i.0/24" > > ++LXC_DHCP_RANGE="10.0.$i.2,10.0.$i.254" > > ++LXC_DHCP_MAX="253" > > ++# Uncomment the next line if you'd like to use a conf-file for the lxcbr0 > > ++# dnsmasq. For instance, you can use 'dhcp-host=mail1,10.0.3.100' to have > > ++# container 'mail1' always get ip address 10.0.3.100. 
> > ++#LXC_DHCP_CONFILE=/etc/lxc/dnsmasq.conf > > ++ > > ++# Uncomment the next line if you want lxcbr0's dnsmasq to resolve the .lxc > > ++# domain. You can then add "server=/lxc/10.0.$i.1' (or your actual \$LXC_ADDR) > > ++# to your system dnsmasq configuration file (normally /etc/dnsmasq.conf, > > ++# or /etc/NetworkManager/dnsmasq.d/lxc.conf on systems that use NetworkManager). > > ++# Once these changes are made, restart the lxc-net and network-manager services. > > ++# 'container1.lxc' will then resolve on your host. > > ++#LXC_DOMAIN="lxc" > > ++EOF > > ++} > > ++ > > ++configure_lxcbr0() > > ++{ > > ++ local i=3 > > ++ cat > $distrosysconfdir/lxc-net << EOF > > ++# This file is auto-generated by lxc.postinst if it does not > > ++# exist. Customizations will not be overridden. > > ++EOF > > ++ # if lxcbr0 exists, keep using the same network > > ++ if ip addr show lxcbr0 > /dev/null 2>&1 ; then > > ++ i=`ip addr show lxcbr0 | grep "inet\>" | awk '{ print $2 }' | awk -F. '{ print $3 }'` > > ++ write_lxc_net $i > > ++ return > > ++ fi > > ++ # if no lxcbr0, find an open 10.0.a.0 network > > ++ for l in `ip addr show | grep "inet\>" |awk '{ print $2 }' | grep '^10\.0\.' | sort -n`; do > > ++ j=`echo $l | awk -F. '{ print $3 }'` > > ++ if [ $j -gt $i ]; then > > ++ write_lxc_net $i > > ++ return > > ++ fi > > ++ i=$((j+1)) > > ++ done > > ++ if [ $i -ne 254 ]; then > > ++ write_lxc_net $i > > ++ fi > > ++} > > ++ > > ++update_lxcnet_config() > > ++{ > > ++ local i=3 > > ++ # if lxcbr0 exists, keep using the same network > > ++ if ip addr show lxcbr0 > /dev/null 2>&1 ; then > > ++ return > > ++ fi > > ++ # our LXC_NET conflicts with an existing interface. Probably first > > ++ # run after system install with package pre-install. Find a new subnet > > ++ configure_lxcbr0 > > ++ > > ++ # and re-load the newly created config > > ++ [ ! -f $distrosysconfdir/lxc-net ] || . $distrosysconfdir/lxc-net > > ++} > > ++ > > + [ ! -f $distrosysconfdir/lxc ] || . 
$distrosysconfdir/lxc > > + > > + use_iptables_lock="-w" > > +@@ -51,7 +130,19 @@ _ifup() { > > + ip link set dev ${LXC_BRIDGE} up > > + } > > + > > ++cleanup() { > > ++ set +e > > ++ if [ "$FAILED" = "1" ]; then > > ++ echo "Failed to setup lxc-net." >&2 > > ++ stop force > > ++ exit 1 > > ++ fi > > ++} > > ++ > > + start() { > > ++ > > ++ [ ! -f $distrosysconfdir/lxc-net ] && update_lxcnet_config > > This patch looks wrong. It only does something new if the config does not > exist, right? That should never happen for embedded. > > Why is this patch needed? Right, the patch is not needed for embedded. > > ++ > > + [ "x$USE_LXC_BRIDGE" = "xtrue" ] || { exit 0; } > > + > > + [ ! -f "${varrun}/network_up" ] || { echo "lxc-net is already running"; exit 1; } > > +@@ -62,15 +153,6 @@ start() { > > + > > + FAILED=1 > > + > > +- cleanup() { > > +- set +e > > +- if [ "$FAILED" = "1" ]; then > > +- echo "Failed to setup lxc-net." >&2 > > +- stop force > > +- exit 1 > > +- fi > > +- } > > +- > > + trap cleanup EXIT HUP INT TERM > > + set -e > > + > > diff --git a/patches/lxc-3.0.1/0002-lxc-net-start-dnsmasq-without-dnsserver.patch b/patches/lxc-3.0.1/0002-lxc-net-start-dnsmasq-without-dnsserver.patch > > new file mode 100644 > > index 000000000..a8cbf3fe2 > > --- /dev/null > > +++ b/patches/lxc-3.0.1/0002-lxc-net-start-dnsmasq-without-dnsserver.patch 
> > @@ -0,0 +1,24 @@ > > +From: Michael Grzeschik <m.grzeschik@pengutronix.de> > > +Date: Wed, 29 Aug 2018 16:50:50 +0200 > > +Subject: [PATCH] lxc-net: start dnsmasq without dnsserver > > + > > +So it does not conflict with the systems dnsmasq systemd-service. > > + > > +Signed-off-by: Michael Grzeschik <m.grzeschik@pengutronix.de> > > +--- > > + config/init/common/lxc-net.in | 2 +- > > + 1 file changed, 1 insertion(+), 1 deletion(-) > > + > > +diff --git a/config/init/common/lxc-net.in b/config/init/common/lxc-net.in > > +index 6837be1969c2..84128d59486b 100644 > > +--- a/config/init/common/lxc-net.in > > ++++ b/config/init/common/lxc-net.in > > +@@ -221,7 +221,7 @@ start() { > > + --dhcp-lease-max=${LXC_DHCP_MAX} --dhcp-no-override \ > > + --except-interface=lo --interface=${LXC_BRIDGE} \ > > + --dhcp-leasefile="${varlib}"/misc/dnsmasq.${LXC_BRIDGE}.leases \ > > +- --dhcp-authoritative $LXC_IPV6_ARG || cleanup > > ++ --dhcp-authoritative $LXC_IPV6_ARG --bind-interfaces || cleanup > > I think this this should be --bind-interfaces instead. Otherwise the > services in the container will have no DNS right? Good Idea! But this will only work if we also add it to projectroot/usr/lib/systemd/system/dnasmasq.in I can add a patch. > > + > > + touch "${varrun}"/network_up > > + FAILED=0 > > diff --git a/patches/lxc-3.0.1/series b/patches/lxc-3.0.1/series > > new file mode 100644 > > index 000000000..eec508771 > > --- /dev/null > > +++ b/patches/lxc-3.0.1/series > > @@ -0,0 +1,2 @@ > > +0001-Allocate-new-lxcbr0-subnet-at-startup-time.patch > > +0002-lxc-net-start-dnsmasq-without-dnsserver.patch > > diff --git a/projectroot/etc/default/lxc-net b/projectroot/etc/default/lxc-net > > new file mode 100644 > > index 000000000..054a09a0a > > --- /dev/null > > +++ b/projectroot/etc/default/lxc-net 
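Review bot: The patch subject and body say dnsmasq is started "without dnsserver", but the only change in the hunk, at least as quoted here, appends `--bind-interfaces` to the dnsmasq command line, which keeps the DNS service running and only binds the listening socket to the address of `${LXC_BRIDGE}` instead of the wildcard. The description and the code disagree, so a later reader cannot tell whether containers are meant to get DNS from lxcbr0 or not; either reword the patch body to describe the actual change or make the hunk do what the subject says. If the intent is only to avoid a clash with the host's own dnsmasq, a one-line comment in the patch body such as `bind to the bridge address only so the listen socket does not conflict with the system dnsmasq` would make that explicit. The start() function being patched continues outside the hunk.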
> > @@ -0,0 +1,7 @@
> > +USE_LXC_BRIDGE="true"
> > +LXC_BRIDGE="lxcbr0"
> > +LXC_ADDR="192.168.1.1"
> > +LXC_NETMASK="255.255.255.0"
> > +LXC_NETWORK="192.168.1.0/24"
> > +LXC_DHCP_RANGE="192.168.1.2,192.168.1.254"
> > +LXC_DHCP_MAX="253"
> > diff --git a/projectroot/etc/lxc/default.conf b/projectroot/etc/lxc/default.conf
> > new file mode 100644
> > index 000000000..e7af1e6ae
> > --- /dev/null
> > +++ b/projectroot/etc/lxc/default.conf
> > @@ -0,0 +1,4 @@
> > +lxc.net.0.type = veth
> > +lxc.net.0.link = lxcbr0
> > +lxc.net.0.flags = up
> > +lxc.net.0.hwaddr = 00:16:3e:11:22:34
> > diff --git a/rules/lxc.in b/rules/lxc.in
> > new file mode 100644
> > index 000000000..fde637b0d
> > --- /dev/null
> > +++ b/rules/lxc.in
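Review bot: `LXC_NETWORK="192.168.1.0/24"` (with the matching LXC_ADDR and LXC_DHCP_RANGE lines) is the subnet most consumer and office routers hand out, so a target whose uplink sits on such a LAN gets an lxcbr0 address that overlaps its own default route and container routing and NAT break silently. Upstream lxc-net deliberately uses a 10.0.x.0/24 network for this reason, as the `10.0.$i.0/24` values in the quoted 0001 patch show. A less collision-prone default such as `LXC_NETWORK="10.0.3.0/24"` with `LXC_ADDR="10.0.3.1"` and `LXC_DHCP_RANGE="10.0.3.2,10.0.3.254"`, or at least a leading comment telling integrators to adapt the subnet to their site, would avoid that; the file has no comment at all today.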
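Review bot: `lxc.net.0.hwaddr = 00:16:3e:11:22:34` is a fixed MAC address in the file every new container inherits, so two containers created from this default share one address on lxcbr0 and the bridge, ARP and the dnsmasq lease table cannot tell them apart. lxc substitutes random bytes for `xx` placeholders when a container is created, so the line should read `lxc.net.0.hwaddr = 00:16:3e:xx:xx:xx`, which keeps the 00:16:3e OUI and gives each container a unique address.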
> > @@ -0,0 +1,61 @@ > > +## SECTION=system_libraries > > + > > +menuconfig LXC > > + bool > > + prompt "lxc " > > + select GNUTLS if LXC_GNUTLS > > + select LIBSELINUX if LXC_SELINUX > > + select LIBSECCOMP if LXC_SECCOMP > > + select BUSYBOX_FEATURE_SH_MATH if LXC_SYSTEMD_UNIT > > + select SYSTEMD if LXC_SYSTEMD_UNIT > > + select DNSMASQ if LXC_SYSTEMD_UNIT > > + select IPTABLES if LXC_SYSTEMD_UNIT > > + select IPTABLES_IPV4 if LXC_SYSTEMD_UNIT > > + select IPTABLES_IPV6 if LXC_SYSTEMD_UNIT > > + select IPTABLES_IPV6_SYSTEMD_UNIT if LXC_SYSTEMD_UNIT > > + select IPTABLES_IPV4_SYSTEMD_UNIT if LXC_SYSTEMD_UNIT > > Why are the units needed? Right, they are not. > > + select IPTABLES_INSTALL_TOOLS if LXC_SYSTEMD_UNIT > > + help > > + LXC is a userspace interface for the Linux kernel containment > > + features. Through a powerful API and simple tools, it lets > > + Linux users easily create and manage system or application > > + containers. > > + > > +if LXC > > + > > +config LXC_GNUTLS > > + bool > > + prompt "LXC gnutls support" > > > + default n > > This is already the default. Remove it (everywhere). ok > > + help > > + Turn on to enable gnutls support in lxc > > What is gnutls used for? It is only used for checksum validation of the templates. As the templates are already removed I will drop that option aswell. > > + > > +config LXC_SELINUX > > + bool > > + prompt "LXC selinux support" > > + default n > > + help > > + Turn on to enable selinux support in lxc > > Use GLOBAL_SELINUX instead. ok > > + > > +config LXC_SECCOMP > > + bool > > + prompt "LXC seccomp support" > > + default n > > + help > > + Turn on to enable seccomp support in lxc > > LXC is a security feature. I think seccomp should always be enabled. 
ok > > + > > +config LXC_SYSTEMD_UNIT > > + bool > > + prompt "LXC systemd unit" > > + default INITMETHOD_SYSTEMD > > + help > > + Turn on to install systemd unit for lxc > > + > > +config LXC_TEST_TOOLS > > + bool > > + prompt "LXC test applications" > > + default n > > + help > > + Turn on to enable building the lxc test applications > > + > > +endif > > diff --git a/rules/lxc.make b/rules/lxc.make > > new file mode 100644 > > index 000000000..1eadc6d96 > > --- /dev/null > > +++ b/rules/lxc.make 
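Review bot: `prompt "lxc "` in the menuconfig entry carries a trailing space inside the quotes, which shows up as a stray gap in the menu; it should be `prompt "lxc"`. The LXC_TEST_TOOLS help text could also say that the test binaries land under /usr/bin/lxc-tests and are intended for development images only, since nothing in the entry currently tells an integrator that they are not needed on a production target.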
> > @@ -0,0 +1,211 @@ > > +# -*-makefile-*- > > +# > > +# Copyright (C) 2018 by Michael Grzeschik <mgr@pengutronix.de> > > +# > > +# See CREDITS for details about who has contributed to this project. > > +# > > +# For further information about the PTXdist project and license conditions > > +# see the README file. > > +# > > + > > +# > > +# We provide this package > > +# > > +PACKAGES-$(PTXCONF_LXC) += lxc > > + > > +# > > +# Paths and names > > +# > > +LXC_VERSION := 3.0.1 > > +LXC_MD5 := 8eb396dde561e5832ba2d505513a1935 > > +LXC := lxc-$(LXC_VERSION) > > +LXC_SUFFIX := tar.gz > > +LXC_URL := https://linuxcontainers.org/downloads/lxc/$(LXC).$(LXC_SUFFIX) > > +LXC_SOURCE := $(SRCDIR)/$(LXC).$(LXC_SUFFIX) > > +LXC_DIR := $(BUILDDIR)/$(LXC) > > +LXC_LICENSE := unknown > > + > > +# ---------------------------------------------------------------------------- > > +# Prepare > > +# ---------------------------------------------------------------------------- > > + > > +#LXC_CONF_ENV := $(CROSS_ENV) > > + > > +# > > +# autoconf > > +# > > +LXC_CONF_TOOL := autoconf > > +LXC_CONF_OPT := \ > > + $(CROSS_AUTOCONF_USR) \ > > + --enable-silent-rules \ > > + --enable-dependency-tracking \ > > + --enable-shared \ > > + --disable-static \ > > + --disable-fast-install \ > > + --disable-libtool-lock \ > > + --disable-werror \ > > + --disable-rpath \ > > + --disable-doc \ > > + --disable-api-docs \ > > + --disable-apparmor \ > > + --$(call ptx/endis, PTXCONF_LXC_GNUTLS)-gnutls \ > > + --$(call ptx/endis, PTXCONF_LXC_SELINUX)-selinux \ > > + --$(call ptx/endis, PTXCONF_LXC_SECCOMP)-seccomp \ > > + --enable-capabilities \ > > + --enable-examples \ > > why? 
will remove them > > + --disable-mutex-debugging \ > > + --disable-bash \ > > + --enable-tools \ > > + --enable-commands \ > > + --$(call ptx/endis, PTXCONF_LXC_TEST_TOOLS)-tests \ > > + --enable-configpath-log \ > > + --disable-pam \ > > + --with-init-script=systemd \ > > + --with-systemdsystemunitdir=/usr/lib/systemd/system/ \ > > + --with-distro=unknown \ > > + --with-usernic-conf \ > > + --with-usernic-db \ > > + --with-log-path=/var/log \ > > + --with-pamdir=none > > + > > +LXC_APPLICATIONS := \ > > + copy \ > > + cgroup \ > > + create \ > > + snapshot \ > > + freeze \ > > + config \ > > + monitor \ > > + unfreeze \ > > + device \ > > + destroy \ > > + ls \ > > + console \ > > + wait \ > > + execute \ > > + update-config \ > > + stop \ > > + checkconfig \ > > + checkpoint \ > > + usernsexec \ > > + attach \ > > + start \ > > + top \ > > + info \ > > + autostart \ > > + unshare > > + > > +ifdef PTXCONF_LXC_TEST_TOOLS > > +LXC_TEST_TOOLS := \ > > + containertests \ > > + may-control \ > > + console \ > > + locktests \ > > + no-new-privs \ > > + snapshot \ > > + concurrent \ > > + shutdowntest \ > > + cgpath \ > > + get_item \ > > + criu-check-feature \ > > + apparmor \ > > + share-ns \ > > + saveconfig \ > > + clonetest \ > > + createtest \ > > + createconfig \ > > + shortlived \ > > + rootfs \ > > + getkeys \ > > + console-log \ > > + attach \ > > + reboot \ > > + automount \ > > + api-reboot \ > > + destroytest \ > > + startone \ > > + raw-clone \ > > + parse-config-file \ > > + config-jump-table \ > > + autostart \ > > + state-server \ > > + list \ > > + device-add-remove \ > > + cloneconfig \ > > + utils \ > > + lxcpath > > +endif > > + > > +# ---------------------------------------------------------------------------- > > +# Target-Install > > +# ---------------------------------------------------------------------------- > > + > > +$(STATEDIR)/lxc.targetinstall: > > + @$(call targetinfo) > > + > > + @$(call install_init, lxc) > > + @$(call install_fixup, 
lxc, PRIORITY, optional) > > + @$(call install_fixup, lxc, SECTION, base) > > + @$(call install_fixup, lxc, AUTHOR, "Michael Grzeschik <mgr@pengutronix.de>") > > + @$(call install_fixup, lxc, DESCRIPTION, missing) > > + > > + @$(call install_lib, lxc, 0, 0, 0644, liblxc); > > + > > + @$(call install_copy, lxc, 0, 0, 0644, /var/lib/lxc); > > + @$(call install_copy, lxc, 0, 0, 0644, /usr/lib/lxc/rootfs); > > + > > + @$(call install_tree, lxc, 0, 0, -, /usr/share/lxc/config); > > + > > +ifdef PTXCONF_LXC_SELINUX > > + @$(call install_tree, lxc, 0, 0, -, /usr/share/lxc/selinux); > > +endif > > + > > + @$(call install_alternative, lxc, 0, 0, 0644, /etc/lxc/default.conf); > > + @$(call install_alternative, lxc, 0, 0, 0644, /etc/default/lxc-net); > > + > > + @$(call install_copy, lxc, 0, 0, 0644, -, /etc/default/lxc) > > + > > + @$(foreach app, $(LXC_APPLICATIONS), \ > > + $(call install_copy, lxc, 0, 0, 0755, $(LXC_PKGDIR)/usr/bin/lxc-$(app), \ > > + /usr/bin/lxc-$(app))$(ptx/nl)) > > + > > + @$(foreach app, \ > > + containers \ > > + net \ > > + apparmor-load \ > > + user-nic \ > > + monitord, \ > > define a variable above. ok > > + $(call install_copy, lxc, 0, 0, 0755, -, \ > > + /usr/libexec/lxc/lxc-$(app))$(ptx/nl)) > > + > > +# This is needed by /usr/libexec/lxc/lxc-net > > + @$(call install_copy, lxc, 0, 0, 0755, \ > > + $(PTXDIST_SYSROOT_TOOLCHAIN)/usr/bin/getent, /usr/bin/getent) > > No. Create a option for glibc and select it. 
ok > > + > > +ifdef PTXCONF_LXC_TEST_TOOLS > > + @$(foreach app, $(LXC_TEST_TOOLS), \ > > + $(call install_copy, lxc, 0, 0, 0755, $(LXC_PKGDIR)/usr/bin/lxc-test-$(app), \ > > + /usr/bin/lxc-tests/$(app))$(ptx/nl)) > > +endif > > + > > +ifdef PTXCONF_LXC_SYSTEMD_UNIT > > + @$(foreach rule, \ > > + lxc.service \ > > + lxc@.service \ > > + lxc-net.service, \ > > + $(call install_copy, lxc, 0, 0, 0644, -, \ > > + /usr/lib/systemd/system/$(rule))$(ptx/nl)) > > + > > + @$(foreach rule, \ > > + lxc.service \ > > + lxc@.service \ > > + lxc-net.service, \ > > + $(call install_link, lxc, ../$(rule), \ > > + /usr/lib/systemd/system/multi-user.target.wants/$(rule))$(ptx/nl)) > > don't loop for 3 files. ok > > +endif > > + > > + @$(call install_finish, lxc) > > + > > + @$(call touch) > > + > > +# vim: syntax=make > > -- > > 2.18.0 > > > > > > _______________________________________________ > > ptxdist mailing list > > ptxdist@pengutronix.de > > -- > Pengutronix e.K. | | > Industrial Linux Solutions | http://www.pengutronix.de/ | > Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | > Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | > > _______________________________________________ > ptxdist mailing list > ptxdist@pengutronix.de -- Pengutronix e.K. | | Industrial Linux Solutions | http://www.pengutronix.de/ | Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | [-- Attachment #1.2: signature.asc --] [-- Type: application/pgp-signature, Size: 833 bytes --] [-- Attachment #2: Type: text/plain, Size: 91 bytes --] _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de ^ permalink raw reply [flat|nested] 3+ messages in thread
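Review bot: The two directory-creating `install_copy` calls for /var/lib/lxc and /usr/lib/lxc/rootfs use mode 0644, which lacks the search bit that every other directory on the target has; they should be `@$(call install_copy, lxc, 0, 0, 0755, /var/lib/lxc)` and `@$(call install_copy, lxc, 0, 0, 0755, /usr/lib/lxc/rootfs)`, and since /var/lib/lxc holds container configs and rootfs trees it is worth deciding deliberately whether a tighter mode is wanted there. The trailing `;` on those and the neighbouring install_lib/install_tree/install_alternative lines is not used elsewhere in ptxdist rules and should be dropped. `LXC_LICENSE := unknown` should be replaced with the license from the tarball's COPYING file (LGPL-2.1 for the library; check whether any installed tool carries a different one) so the generated license report is correct.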