[pve-devel] [RFC container] config: update for lxc-2.1
Wolfgang Bumiller
w.bumiller at proxmox.com
Wed Sep 6 17:12:01 CEST 2017
On Wed, Sep 06, 2017 at 05:09:16PM +0200, Wolfgang Bumiller wrote:
> With 2.1 a bunch of keys were renamed for consistency, and
> network interface configuration is now done with explicit
> indices.
>
> Since we allow various custom "lxc.*" keys in our container
> configuration we need to deal with this change and we now
> inform the user about this with a warning.
> ---
> debian/control | 2 +-
> src/PVE/LXC.pm | 32 ++++++++-------
> src/PVE/LXC/Config.pm | 105 ++++++++++++++++++++++++++++++++++----------------
> 3 files changed, 88 insertions(+), 51 deletions(-)
>
> diff --git a/debian/control b/debian/control
> index e9c7364..01121c6 100644
> --- a/debian/control
> +++ b/debian/control
> @@ -2,7 +2,7 @@ Source: pve-container
> Section: perl
> Priority: extra
> Maintainer: Proxmox Support Team <support at proxmox.com>
> -Build-Depends: debhelper (>= 7.0.50~), libpve-common-perl, libpve-guest-common-perl | libpve-common-perl (<= 4.0-89), libpve-storage-perl, pve-cluster (>= 4.0-8), libtest-mockmodule-perl, pve-doc-generator, lxc | lxc-pve
> +Build-Depends: debhelper (>= 7.0.50~), libpve-common-perl, libpve-guest-common-perl | libpve-common-perl (<= 4.0-89), libpve-storage-perl, pve-cluster (>= 4.0-8), libtest-mockmodule-perl, pve-doc-generator, lxc (>= 2.1.0-1) | lxc-pve (>= 2.1.0-1)
> Standards-Version: 3.8.4
>
> Package: pve-container
> diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
> index 241c5b2..7e5d77e 100644
> --- a/src/PVE/LXC.pm
> +++ b/src/PVE/LXC.pm
> @@ -349,7 +349,7 @@ sub update_lxc_config {
> $raw .= "lxc.arch = $conf->{arch}\n";
>
> my $unprivileged = $conf->{unprivileged};
> - my $custom_idmap = grep { $_->[0] eq 'lxc.id_map' } @{$conf->{lxc}};
> + my $custom_idmap = grep { $_->[0] eq 'lxc.idmap' } @{$conf->{lxc}};
>
> my $ostype = $conf->{ostype} || die "missing 'ostype' - internal error";
>
> @@ -371,23 +371,23 @@ sub update_lxc_config {
>
> # Should we read them from /etc/subuid?
> if ($unprivileged && !$custom_idmap) {
> - $raw .= "lxc.id_map = u 0 100000 65536\n";
> - $raw .= "lxc.id_map = g 0 100000 65536\n";
> + $raw .= "lxc.idmap = u 0 100000 65536\n";
> + $raw .= "lxc.idmap = g 0 100000 65536\n";
> }
>
> if (!PVE::LXC::Config->has_dev_console($conf)) {
> - $raw .= "lxc.console = none\n";
> + $raw .= "lxc.console.path = none\n";
> $raw .= "lxc.cgroup.devices.deny = c 5:1 rwm\n";
> }
>
> my $ttycount = PVE::LXC::Config->get_tty_count($conf);
> - $raw .= "lxc.tty = $ttycount\n";
> + $raw .= "lxc.tty.max = $ttycount\n";
>
> # some init scripts expect a linux terminal (turnkey).
> $raw .= "lxc.environment = TERM=linux\n";
>
> my $utsname = $conf->{hostname} || "CT$vmid";
> - $raw .= "lxc.utsname = $utsname\n";
> + $raw .= "lxc.uts.name = $utsname\n";
>
> my $memory = $conf->{memory} || 512;
> my $swap = $conf->{swap} // 0;
> @@ -412,33 +412,30 @@ sub update_lxc_config {
>
> my $mountpoint = PVE::LXC::Config->parse_ct_rootfs($conf->{rootfs});
>
> - $raw .= "lxc.rootfs = $dir/rootfs\n";
> + $raw .= "lxc.rootfs.path = $dir/rootfs\n";
>
> my $netcount = 0;
> foreach my $k (sort keys %$conf) {
> next if $k !~ m/^net(\d+)$/;
> my $ind = $1;
> my $d = PVE::LXC::Config->parse_lxc_network($conf->{$k});
> + $raw .= "lxc.net.$netcount.type = veth\n";
> + $raw .= "lxc.net.$netcount.veth.pair = veth${vmid}i${ind}\n";
> + $raw .= "lxc.net.$netcount.hwaddr = $d->{hwaddr}\n" if defined($d->{hwaddr});
> + $raw .= "lxc.net.$netcount.name = $d->{name}\n" if defined($d->{name});
> + $raw .= "lxc.net.$netcount.mtu = $d->{mtu}\n" if defined($d->{mtu});
> $netcount++;
> - $raw .= "lxc.network.type = veth\n";
> - $raw .= "lxc.network.veth.pair = veth${vmid}i${ind}\n";
> - $raw .= "lxc.network.hwaddr = $d->{hwaddr}\n" if defined($d->{hwaddr});
> - $raw .= "lxc.network.name = $d->{name}\n" if defined($d->{name});
> - $raw .= "lxc.network.mtu = $d->{mtu}\n" if defined($d->{mtu});
> }
>
> my $had_cpuset = 0;
> if (my $lxcconf = $conf->{lxc}) {
> foreach my $entry (@$lxcconf) {
> my ($k, $v) = @$entry;
> - $netcount++ if $k eq 'lxc.network.type';
> $had_cpuset = 1 if $k eq 'lxc.cgroup.cpuset.cpus';
> $raw .= "$k = $v\n";
> }
> }
>
> - $raw .= "lxc.network.type = empty\n" if !$netcount;
> -
> my $cores = $conf->{cores};
> if (!$had_cpuset && $cores) {
> my $cpuset = eval { PVE::CpuSet->new_from_cgroup('lxc', 'effective_cpus') };
> @@ -1475,7 +1472,8 @@ sub parse_id_maps {
> my $lxc = $conf->{lxc};
> foreach my $entry (@$lxc) {
> my ($key, $value) = @$entry;
> - next if $key ne 'lxc.id_map';
> + # FIXME: remove the 'id_map' variant when lxc-3.0 arrives
> + next if $key ne 'lxc.idmap' && $key ne 'lxc.id_map';
> if ($value =~ /^([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$/) {
> my ($type, $ct, $host, $length) = ($1, $2, $3, $4);
> push @$id_map, [$type, $ct, $host, $length];
> @@ -1484,7 +1482,7 @@ sub parse_id_maps {
> $rootgid = $host if $type eq 'g';
> }
> } else {
> - die "failed to parse id_map: $value\n";
> + die "failed to parse idmap: $value\n";
> }
> }
>
> diff --git a/src/PVE/LXC/Config.pm b/src/PVE/LXC/Config.pm
> index e76d558..ef95038 100644
> --- a/src/PVE/LXC/Config.pm
> +++ b/src/PVE/LXC/Config.pm
> @@ -412,49 +412,37 @@ my $confdesc = {
> };
>
> my $valid_lxc_conf_keys = {
> + 'lxc.apparmor.profile' => 1,
> + 'lxc.apparmor.allow_incomplete' => 1,
> + 'lxc.selinux.context' => 1,
> 'lxc.include' => 1,
> 'lxc.arch' => 1,
> - 'lxc.utsname' => 1,
> - 'lxc.haltsignal' => 1,
> - 'lxc.rebootsignal' => 1,
> - 'lxc.stopsignal' => 1,
> - 'lxc.init_cmd' => 1,
> - 'lxc.network.type' => 1,
> - 'lxc.network.flags' => 1,
> - 'lxc.network.link' => 1,
> - 'lxc.network.mtu' => 1,
> - 'lxc.network.name' => 1,
> - 'lxc.network.hwaddr' => 1,
> - 'lxc.network.ipv4' => 1,
> - 'lxc.network.ipv4.gateway' => 1,
> - 'lxc.network.ipv6' => 1,
> - 'lxc.network.ipv6.gateway' => 1,
> - 'lxc.network.script.up' => 1,
> - 'lxc.network.script.down' => 1,
> - 'lxc.pts' => 1,
> + 'lxc.uts.name' => 1,
> + 'lxc.signal.halt' => 1,
> + 'lxc.signal.reboot' => 1,
> + 'lxc.signal.stop' => 1,
> + 'lxc.init.cmd' => 1,
> + 'lxc.pty.max' => 1,
> 'lxc.console.logfile' => 1,
> - 'lxc.console' => 1,
> - 'lxc.tty' => 1,
> - 'lxc.devttydir' => 1,
> + 'lxc.console.path' => 1,
> + 'lxc.tty.max' => 1,
> + 'lxc.devtty.dir' => 1,
> 'lxc.hook.autodev' => 1,
> 'lxc.autodev' => 1,
> 'lxc.kmsg' => 1,
> - 'lxc.mount' => 1,
> + 'lxc.mount.fstab' => 1,
> 'lxc.mount.entry' => 1,
> 'lxc.mount.auto' => 1,
> - 'lxc.rootfs' => 'lxc.rootfs is auto generated from rootfs',
> + 'lxc.rootfs.path' => 'lxc.rootfs.path is auto generated from rootfs',
> 'lxc.rootfs.mount' => 1,
> 'lxc.rootfs.options' => 'lxc.rootfs.options is not supported' .
> ', please use mount point options in the "rootfs" key',
> # lxc.cgroup.*
> - # lxc.limit.*
> + # lxc.prlimit.*
> 'lxc.cap.drop' => 1,
> 'lxc.cap.keep' => 1,
> - 'lxc.aa_profile' => 1,
> - 'lxc.aa_allow_incomplete' => 1,
> - 'lxc.se_context' => 1,
> - 'lxc.seccomp' => 1,
> - 'lxc.id_map' => 1,
> + 'lxc.seccomp.profile' => 1,
> + 'lxc.idmap' => 1,
> 'lxc.hook.pre-start' => 1,
> 'lxc.hook.pre-mount' => 1,
> 'lxc.hook.mount' => 1,
> @@ -463,8 +451,8 @@ my $valid_lxc_conf_keys = {
> 'lxc.hook.post-stop' => 1,
> 'lxc.hook.clone' => 1,
> 'lxc.hook.destroy' => 1,
> - 'lxc.loglevel' => 1,
> - 'lxc.logfile' => 1,
> + 'lxc.log.level' => 1,
> + 'lxc.log.file' => 1,
> 'lxc.start.auto' => 1,
> 'lxc.start.delay' => 1,
> 'lxc.start.order' => 1,
> @@ -472,6 +460,57 @@ my $valid_lxc_conf_keys = {
> 'lxc.environment' => 1,
> };
>
> +my $deprecated_lxc_conf_keys = {
> + # Deprecated (removed with lxc 3.0):
> + 'lxc.aa_profile' => 'lxc.apparmor.profile',
> + 'lxc.aa_allow_incomplete' => 'lxc.apparmor.allow_incomplete',
> + 'lxc.console' => 'lxc.console.path',
> + 'lxc.devttydir' => 'lxc.tty.dir',
> + 'lxc.haltsignal' => 'lxc.signal.halt',
> + 'lxc.rebootsignal' => 'lxc.signal.reboot',
> + 'lxc.stopsignal' => 'lxc.signal.stop',
> + 'lxc.id_map' => 'lxc.idmap',
> + 'lxc.init_cmd' => 'lxc.init.cmd',
> + 'lxc.loglevel' => 'lxc.log.level',
> + 'lxc.logfile' => 'lxc.log.file',
> + 'lxc.mount' => 'lxc.mount.fstab',
> + 'lxc.network.type' => 'lxc.net.INDEX.type',
> + 'lxc.network.flags' => 'lxc.net.INDEX.flags',
> + 'lxc.network.link' => 'lxc.net.INDEX.link',
> + 'lxc.network.mtu' => 'lxc.net.INDEX.mtu',
> + 'lxc.network.name' => 'lxc.net.INDEX.name',
> + 'lxc.network.hwaddr' => 'lxc.net.INDEX.hwaddr',
> + 'lxc.network.ipv4' => 'lxc.net.INDEX.ipv4.address',
> + 'lxc.network.ipv4.gateway' => 'lxc.net.INDEX.ipv4.gateway',
> + 'lxc.network.ipv6' => 'lxc.net.INDEX.ipv6.address',
> + 'lxc.network.ipv6.gateway' => 'lxc.net.INDEX.ipv6.gateway',
> + 'lxc.network.script.up' => 'lxc.net.INDEX.script.up',
> + 'lxc.network.script.down' => 'lxc.net.INDEX.script.down',
> + 'lxc.pts' => 'lxc.pty.max',
> + 'lxc.se_context' => 'lxc.selinux.context',
> + 'lxc.seccomp' => 'lxc.seccomp.profile',
> + 'lxc.tty' => 'lxc.tty.max',
> + 'lxc.utsname' => 'lxc.uts.name',
> +};
> +
> +sub is_valid_lxc_conf_key {
> + my ($vmid, $key) = @_;
> + if ($key =~ /^lxc\.limit\./) {
> + warn "vm $vmid - $key: lxc.limit.* was renamed to lxc.prlimit.*\n";
> + return 1;
> + }
> + if (defined(my $new_name = $deprecated_lxc_conf_keys->{$key})) {
> + warn "vm $vmid - $key is deprecated and was renamed to $new_name\n";
> + return 1;
> + }
> + my $validity = $valid_lxc_conf_keys->{$key};
> + return $validity if defined($validity);
> + return 1 if $key =~ /^lxc\.cgroup\./ # allow all cgroup values
> + || $key =~ /^lxc\.prlimit\./ # allow all prlimits
> + || $key =~ /^lxc\.net\./; # allow custom network definitions
> + return undef;
And this should be `return 0;`...
> +}
> +
> our $netconf_desc = {
> type => {
> type => 'string',
> @@ -667,8 +706,8 @@ sub parse_pct_config {
> if ($line =~ m/^(lxc\.[a-z0-9_\-\.]+)(:|\s*=)\s*(.*?)\s*$/) {
> my $key = $1;
> my $value = $3;
> - my $validity = $valid_lxc_conf_keys->{$key} || 0;
> - if ($validity eq 1 || $key =~ m/^lxc\.(?:cgroup|limit)\./) {
> + my $validity = is_valid_lxc_conf_key($vmid, $key);
> + if ($validity eq 1) {
> push @{$conf->{lxc}}, [$key, $value];
> } elsif (my $errmsg = $validity) {
> warn "vm $vmid - $key: $errmsg\n";
> --
> 2.11.0
More information about the pve-devel
mailing list