- 20 Mar, 2017 23 commits
-
-
Harald Dunkel authored
Signed-off-by:Harald Dunkel <harald.dunkel@aixigo.de>
-
Christian Brauner authored
Signed-off-by:Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: -
Christian Brauner authored
Signed-off-by: -
Christian Brauner authored
Signed-off-by: -
Serge Hallyn authored
Newer libseccomp has a flag called SCMP_FLTATR_ATL_TSKIP which allows syscall '-1' (nop) to be executed. Without that flag, debuggers cannot skip system calls inside containers. For reference, see the seccomp(2) manpage, which says: The tracer can skip the system call by changing the system call number to -1. and see the seccomp issue #80 Signed-off-by:Serge Hallyn <serge@hallyn.com>
-
Christian Brauner authored
Signed-off-by: -
Christian Brauner authored
The conversion algorithm used uses a clever trick by letting a year start at 1 March. So we need to add 1 for January and February. Signed-off-by: -
Christian Brauner authored
Signed-off-by: -
Evgeni Golov authored
Signed-off-by:Evgeni Golov <evgeni@debian.org>
-
Matt Keeler authored
Previously this hook did not work when cloning containers using an overlayfs snapshot as the LXC_ROOTFS_PATH didn't point to the actual filesystem that the container would see. LXC_ROOTFS_MOUNT should be used instead and in fact lxc.container.conf man page says that you usually would want to use the _MOUNT variant. Signed-off-by:Matt Keeler <mjkeeler7@gmail.com>
-
McCabe, Robert J authored
This allows us to run LXC containers from within docker Signed-off-by:McCabe, Robert J <Robert.McCabe@rockwellcollins.com>
-
Tycho Andersen authored
The rest of the mounts can be restored normally. Signed-off-by:Tycho Andersen <tycho.andersen@canonical.com>
-
Fabrice Fontaine authored
Currently it is impossible to build lxc with --disable-capabilities if the user has libcap-dev installed on his system as: - calls to cap_xxx functions are not protected by HAVE_LIBCAP defines. The whole file is only protected by HAVE_SYS_CAPABILITY_H. - AC_CHECK_LIB default action-if-found is overriden by [true] so HAVE_LIBCAP is never written to config.h This patch replaces all HAVE_SYS_CAPABILITY_H checks by HAVE_LIBCAP checks (fix #1361) Signed-off-by:Fabrice Fontaine <fontaine.fabrice@gmail.com>
-
Adam Borowski authored
Without this patch, x32 guests (and no others) worked "natively" with x32 host lxc, but not on regular amd64 hosts. That was especially problematic as a number of ioctls such as those needed by netfilter don't work in such scenarios, thus you want to run amd64 on the host. With the patch, you can use all three ABIs: i386 x32 amd64 on amd64 hosts. Despite x32 being little used, there's no reason to deny it by default: the admin needs to compile their own kernel with CONFIG_X86_X32=y or (on Debian) boot with syscall.x32=y. If they've done so, it is a reasonable assumption they want x32 guests. Signed-off-by:Adam Borowski <kilobyte@angband.pl>
-
Carsten Brandt authored
I found that even though the service lxc-net failed to start because I made some wrong configuration settings the command exists zero. So systemd reports the status of the service as good even though it failed: # service lxc-net status ● lxc-net.service - LXC network bridge setup Loaded: loaded (/lib/systemd/system/lxc-net.service; enabled) Active: active (exited) since Wed 2017-02-08 08:17:32 EST; 21min ago Process: 529 ExecStart=/usr/lib/x86_64-linux-gnu/lxc/lxc-net start (code=exited, status=0/SUCCESS) Main PID: 529 (code=exited, status=0/SUCCESS) CGroup: /system.slice/lxc-net.service Feb 08 08:17:30 dvm2 systemd[1]: Starting LXC network bridge setup... Feb 08 08:17:32 dvm2 lxc-net[529]: dnsmasq: failed to create listening socket for 10.2.2.1: Address already in use Feb 08 08:17:32 dvm2 lxc-net[529]: Failed to setup lxc-net. Feb 08 08:17:32 dvm2 systemd[1]: Started LXC network bridge setup. Adding `exit 1` here makes it exit non-zero to make systemd recognize the failure. Signed-off-by:Carsten Brandt <mail@cebe.cc>
-
Thomas Jarosch authored
Prevent an endless loop while executing lxc-attach in the background: The kernel might fire SIGTTOU while an ioctl() in tcsetattr() is executed. When the ioctl() is resumed and retries, the signal handler interrupts it again. We can't configure the TTY to stop sending the signals in the first place since that is a modification/write to the TTY already. Still we clear the TOSTOP flag to prevent further signals. Command to reproduce the hang: ---------------------------- cat > lxc_hang.sh << EOF /usr/bin/timeout 5s /usr/bin/lxc-attach -n SOMECONTAINER -- /bin/true EOF sh lxc_hang.sh # hangs ---------------------------- Signed-off-by:Thomas Jarosch <thomas.jarosch@intra2net.com>
-
Christian Brauner authored
Signed-off-by: -
Tycho Andersen authored
Signed-off-by: -
Tycho Andersen authored
Closes #1407 Signed-off-by: -
Maxime Besson authored
Signed-off-by:Maxime Besson <maxime.besson@smile.fr>
-
Brett Neumeier authored
There is no guard clause around a reference to CAP_EFFECTIVE and CAP_SETGID, causing compilation to fail if sys/capability.h is not available. Signed-off-by:Brett Neumeier <brett@neumeier.us>
-
Stéphane Graber authored
Signed-off-by:Stéphane Graber <stgraber@ubuntu.com>
-
- 07 Mar, 2017 1 commit
-
-
Christian Brauner authored
Before this commit, lxc-user-nic could potentially have been tricked into operating on a network namespace over which the caller did not hold privilege. This commit ensures that the caller is privileged over the network namespace by temporarily dropping privilege. Launchpad: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1654676Reported-by:
Jann Horn <jannh@google.com> Signed-off-by:
-
- 27 Jan, 2017 1 commit
-
-
Colin Watson authored
On Ubuntu 12.04 LTS with Python 3.2, `lxc-start-ephemeral` breaks as follows: Traceback (most recent call last): File "/usr/bin/lxc-start-ephemeral", line 371, in attach_as_user File "/usr/lib/python3.2/subprocess.py", line 515, in check_output File "/usr/lib/python3.2/subprocess.py", line 732, in __init__ LookupError: unknown encoding: ANSI_X3.4-1968 This is because `universal_newlines=True` causes `subprocess` to use `io.TextIOWrapper`, and in versions of Python earlier than 3.3 that fetched the preferred encoding using `locale.getpreferredencoding()` rather than `locale.getpreferredencoding(False)`, thereby changing the locale and causing codecs to be reloaded. However, `attach_as_user` runs inside the container and thus can't rely on having access to the same Python standard library on disk. The workaround is to decode by hand instead, avoiding the temporary change of locale. Signed-off-by:Colin Watson <cjwatson@ubuntu.com>
-
- 23 Jan, 2017 2 commits
-
-
Stéphane Graber authored
Signed-off-by: -
Sergei Trofimovich authored
Before the change build failed on Gentoo as: bdev/lxclvm.c: In function 'lvm_detect': bdev/lxclvm.c:140:4: error: implicit declaration of function 'major' [-Werror=implicit-function-declaration] major(statbuf.st_rdev), minor(statbuf.st_rdev)); ^~~~~ bdev/lxclvm.c:140:28: error: implicit declaration of function 'minor' [-Werror=implicit-function-declaration] major(statbuf.st_rdev), minor(statbuf.st_rdev)); ^~~~~ glibc plans to remove <sys/sysmacros.h> from glibc's <sys/types.h>: https://sourceware.org/ml/libc-alpha/2015-11/msg00253.html Gentoo already applied glibc patch to experimental glibc-2.24 to start preparingfor the change. Autoconf has AC_HEADER_MAJOR to find out which header defines reqiured macros: https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Particular-Headers.html This change should also increase portability across other libcs. Bug: https://bugs.gentoo.org/604360Signed-off-by:Sergei Trofimovich <siarheit@google.com>
-
- 18 Jan, 2017 6 commits
-
-
Evgeni Golov authored
otherwise init might try to start the containers before cgroupfs was mounted. Debian-Bug: https://bugs.debian.org/850212Signed-off-by:
-
Christian Brauner authored
We do not check here whether the container is defined, because we support volatile containers. Which means the container does not need to be created for it to be started. You can just pass a configuration file as argument and start the container right away. Signed-off-by: -
Christian Brauner authored
Signed-off-by: -
Christian Brauner authored
Signed-off-by: -
Christian Brauner authored
lxc_execute() and lxc-execute where broken when a user tried to switch to a non-root uid/gid. This prevented necessary setup operations like mounting the rootfs which require root in the user namespace. This commit separates switching to root in the user namespace from switching to the requested uid/gid by lxc_execute(). This should be safe: Once we switched to root in the user namespace via setuid() and then switch to a non-root uid/gid in the user namespace for lxc_execute() via setuid() we cannot regain root privileges again. So we can only make us safer (Unless I forget about some very intricate user namespace nonsense; which is not as unlikely as I try to make it sound.). Signed-off-by: -
Christian Brauner authored
This commit adds lxc_switch_uid_gid() which allows to switch the uid and gid of a process via setuid() and setgid() and lxc_setgroups() which allows to set groups via setgroups(). The main advantage is that they nicely log the switches they perform. Signed-off-by:
-
- 05 Jan, 2017 4 commits
-
-
Christian Brauner authored
On some Android systems the lxc folders where containers are stored might be read-only and so checking for O_RDWR, will effectively make the tools useless on these systems, so let's dumb the check down to O_RDONLY. Signed-off-by: -
Christian Brauner authored
Signed-off-by: -
Po-Hsu Lin authored
The api_test.py script uses Trusty release by default, which does not have s390x image. Switch to Xenial to solve this. Signed-off-by:Po-Hsu Lin <po-hsu.lin@canonical.com>
-
Christian Brauner authored
We need to remove the newline otherwise lxc_safe_uint() will fail as it detects an invalid (non-numeric) char in the string. Signed-off-by:
-
- 03 Jan, 2017 3 commits
-
-
Christian Brauner authored
This mainly affects Trusty. The 3.13 kernel has a broken overlay module which does not handle symlinks correctly. This is a problem for containers that use an overlay based rootfs since safe_mount() uses /proc/<pid>/fd/<fd-number> in its calls to mount(). Signed-off-by: -
Fabrice Fontaine authored
Previously HAVE_LIBGNUTLS was never set in config.h even if gnutls was detected as AC_CHECK_LIB default action-if-found was overriden by enable_gnutls=yes This patch adds an --enable-gnutls option and will call AC_CHECK_LIB with the default action to write HAVE_LIBGNUTLS in config.h Signed-off-by:Fabrice Fontaine <fabrice.fontaine@orange.com>
-
Evgeni Golov authored
Given commit 330ae3d3: lxccontainer: detect if we should send SIGRTMIN+3 This is required by systemd to cleanly shutdown. Other init systems should not have SIGRTMIN+3 in the blocked signals set. we should stop poking around with sigpwr.target for systemd. Signed-off-by:
-
