27 Jun, 2014 (2 commits)

Alexander Vladimirov authored
Update container's /etc/securetty to allow console logins when lxc.devttydir is not empty. Also use config entries provided by shared and common configuration files.
Signed-off-by: Alexander Vladimirov <alexander.idkfa.vladimirov@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Alexander Vladimirov authored
Shuffle around usage text a bit and add missing -d while there.
Signed-off-by: Alexander Vladimirov <alexander.idkfa.vladimirov@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

25 Jun, 2014 (1 commit)

Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>

24 Jun, 2014 (4 commits)

Stéphane Graber authored
This is a rather massive cleanup of config/templates/*

As new templates were added, I've noticed that we pretty much all share the tty/pts configs, some capabilities being dropped and most of the cgroup configuration. All the userns configs were also almost identical.

As a result, this change introduces two new files:
- common.conf.in
- userns.conf.in

Each is included by the relevant <template>.<type>.conf.in templates; this means that the individual per-template configs are now overlays on top of the default config.

Once we see a specific key becoming popular, we ought to check whether it should also be applied to the other templates and if more than 50% of the templates have it set to the same value, that value ought to be moved to the master config file and then overridden for the templates that do not use it.

This change, while pretty big and scary, shouldn't be very visible from a user point of view; the actual changes can be summarized as:
- Extend clonehostname to work with Debian based distros and use it for all containers.
- lxc.pivotdir is now set to lxc_putold for all templates, this means that instead of using /mnt in the container, lxc will create and use /lxc_putold instead. The reason for this is to avoid failures when the user bind-mounts something else on top of /mnt.
- Some minor cgroup limit changes, the main one I remember is /dev/console now being writable by all of the redhat based containers. The rest of the set should be identical with additions in the per-distro ones.
- Drop binfmtmisc and efivars bind-mounts for non-mountall based unprivileged containers as I assumed they got those from copy/paste from Ubuntu and not because they actually need those entries. (If I'm wrong, we probably should move those to userns.conf then).

Additional investigation and changes to reduce the config delta between distros would be appreciated. In practice, I only expect lxc.cap.drop and lxc.mount.entry to really vary between distros (depending on the init system); the rest should be mostly common.

Diff from the RFC:
- Add archlinux to the mix
- Drop /etc/hostname from the clone hook

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Alexander Vladimirov authored
write_config doesn't check the value the sig_name function returns; this causes write_config to produce a corrupted container config when using non-predefined signal names.
Signed-off-by: Alexander Vladimirov <alexander.idkfa.vladimirov@gmail.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Alexander Vladimirov authored
Move common container configuration entries into template config. Remove unnecessary service symlinking and configuration entries, as well as guest configs and other redundant configuration, fix minor script bugs. Clean up template command line, add -d option to allow disabling services. Also enable gettys on all configured ttys to allow logins via lxc-console, set lxc.tty value corresponding to default Arch /etc/securetty configuration.

This patch simplifies the Arch Linux template a bit, while fixing some longstanding issues. It also provides common configuration based on files provided for Fedora templates.
Signed-off-by: Alexander Vladimirov <alexander.idkfa.vladimirov@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

KATOH Yasufumi authored
Update for commit 7035407c.
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

23 Jun, 2014 (2 commits)

Dwight Engen authored
Note that building init.lxc.static still requires a static libutil.a and libpthread.a, but these are available on most distros through glibc-static.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Serge Hallyn authored
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

20 Jun, 2014 (10 commits)

Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Serge Hallyn authored
Blacklist module loading, kexec, and open_by_handle_at (the cause of the not-docker-specific dockerinit mounts namespace escape). This should be applied to all arches, but iiuc stgraber will be doing some reworking of the commonizations which will simplify that, so I'm not doing it here.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Serge Hallyn authored
When calling seccomp_rule_add(), you must pass the native syscall number even if the context is a 32-bit context. So use resolve_name rather than resolve_name_arch.

Enhance the check of /proc/self/status for Seccomp: so that we do not enable seccomp policies if seccomp is not built into the kernel. This is needed before we can enable by-default seccomp policies (which we want to do next).

Fix wrong return value check from seccomp_arch_exist, and remove needless abstraction in arch handling.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Serge Hallyn authored
seccomp_ctx is already a void*, so don't use 'scmp_filter_ctx *'.

Separately track the native arch from the arch a rule is aimed at. Clearly ignore irrelevant architectures (i.e. arm rules on x86).

Don't try to load seccomp (and don't fail) if we are already seccomp-confined. Otherwise nested containers fail.

Make it clear that the extra seccomp ctx is only for compat calls on 64-bit arch. (This will be extended to arm64 when libseccomp supports it). Power may well complicate this (if ever it is supported) and require a new rethink and rewrite.

NOTE - currently when starting a 32-bit container on a 64-bit host, rules pertaining to 32-bit syscalls (as opposed to ones which have the same syscall #) appear to be ignored. I can reproduce that without lxc, so either there is a bug in seccomp or a fundamental misunderstanding in how I'm merging the contexts. Rereading the seccomp_rule_add manpage suggests that keeping the second seccomp context may not be necessary, but this is not something I care to test right now. If it's true, then the code could be simplified, and it may solve my concerns about power.

With this patch I'm able to start nested containers (with seccomp policies defined) including 32-bit and 32-bit-in-64-bit.

[ this patch does not yet add the default seccomp policy ]
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Dwight Engen authored
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Dwight Engen authored
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Dwight Engen authored
Commit 1fb86a7c introduced a way to drop capabilities without having to specify them all explicitly. Unfortunately, there is no way to drop them all, as just specifying an empty keep list, i.e. "lxc.cap.keep =", clears the keep list, causing no capabilities to be dropped.

This change allows a special value "none" to be given, which will clear all keep capabilities parsed up to this point. If the last parsed value is none, all capabilities will be dropped.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Dwight Engen authored
Commit 0af683cf added clearing of capabilities to lxc-init, but only after lxc_setup_fs() was done, likely so that the mounting done in that routine wouldn't fail. However, in my testing lxc_caps_reset() wasn't really effective anyway since it did not clear the bounding set. Adding prctl PR_CAPBSET_DROP in a loop from 0 to CAP_LAST_CAP would fix this, but I don't think it's necessary to forcefully clear all capabilities since users can now specify lxc.cap.keep = none to drop all capabilities.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

KATOH Yasufumi authored
Update for commit 18aa217b.
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

18 Jun, 2014 (11 commits)

Serge Hallyn authored
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Serge Hallyn authored
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Serge Hallyn authored
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Stéphane Graber authored
OpenSUSE is now ready for the download template in the master branch, however it's not going to be compatible with older LXC as they lack the needed config files, so bump the compat level to 2 to indicate that the current lxc-download can deal with the current OpenSUSE containers.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Serge Hallyn authored
Originally we kept snapshots under /var/lib/lxcsnaps. If a separate btrfs is mounted at /var/lib/lxc, then we can't make btrfs snapshots under /var/lib/lxcsnaps. This patch moves the default directory to /var/lib/lxc/c/snaps. If /var/lib/lxcsnaps already exists, then we continue to use that.

Add c->destroy_with_snapshots() and c->snapshot_destroy_all() API methods. c->snapshot_destroy_all() can be triggered from lxc-snapshot using '-d ALL'. There is no command to call c->destroy_with_snapshots(c) as of yet.

lxclock: use ".$lxcname" for container lock files. That way we can use /run/lock/lxc/$lxcpath/$lxcname/snaps as a directory when locking snapshots without having to worry about /run/lock/lxc/$lxcpath/$lxcname being a file.

destroy: split off a container_destroy. container_destroy() doesn't check for snapshots, so snapshot_rename can use it. api_destroy() now does check for snapshots (previously it only checked for fs - i.e. overlayfs/aufs - snapshots).

Add destroy to the manpage, as it was previously undocumented.

Update snapshot testcase accordingly.

[ rebased in the face of commits 840f05df and 7e36f87e. ]
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: S.Çağlar Onur <caglar@10ur.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Serge Hallyn authored
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Serge Hallyn authored
Any config lines not starting with 'lxc.*' are ignored by lxc. That can be useful for third party tools, however lxc-clone does not copy such lines. Fix that by tracking such lines in our unexpanded config file and printing them out at write_config().

Note two possible shortcomings here:
1. We always print out all includes followed by all aliens. They are not kept in order, nor ordered with respect to lxc.* lines.
2. We're still not storing comments. These could easily be added to the alien lines, but I chose not to, in particular since comments are usually associated with other lines, so destroying the order would destroy their value. I could be wrong about that, and if I am it's a trivial fix.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Serge Hallyn authored
Currently when a container's configuration file has lxc.includes, any future write_config() will expand the lxc.includes. This affects container clones (and snapshots) as well as users of the API who make an update and then c.save_config().

To fix this, separately track the expanded and unexpanded lxc_conf. The unexpanded conf does not contain values read from lxc.includes. The expanded conf does. Lxc functions mainly need the expanded conf to figure out how to configure the container. The unexpanded conf is used at write_config().
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Michael H. Warfield authored
Updated the lxc-opensuse template for the changes for the common configuration used by the download template. Changed the default network mode in the container to dhcp.
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Serge Hallyn authored
If a syscall is listed which is not resolvable, continue. This allows us to keep a more complete list of syscalls in a global seccomp policy without having to worry about older kernels not supporting the newer syscalls.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Leonid Isaev authored
Signed-off-by: Leonid Isaev <lisaev@umail.iu.edu>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

17 Jun, 2014 (1 commit)

Stéphane Graber authored
-P was only used for log setup and not when retrieving the container list.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

14 Jun, 2014 (3 commits)

Stéphane Graber authored
The use of the download template with a hardcoded --arch=amd64 in aa.c was causing test failures on any platform incapable of running amd64 binaries. This wasn't noticed in the CI environment as we run the tests within containers on an amd64 kernel, but this caused failures on the Ubuntu CI environment.

Instead, let's use the busybox template, tweaking the configuration when needed to match the needs of the testcase.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Stéphane Graber authored
Some error messages in lxc-test-apparmor didn't end with a newline, leading to slightly difficult to read output.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

10 Jun, 2014 (3 commits)

Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Stéphane Graber authored
lxc-test-autostart occasionally fails at the restart test in the CI environment. Looking at the current test case, the most obvious race there is if lxc-wait exits successfully immediately after LXC marked the container RUNNING (init spawned) but before init had a chance to set up the signal handlers.

To avoid this potential race period, let's add a 5s delay between the tests to give a chance for init to finish starting up.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Serge Hallyn authored
Do so early enough that we can report a meaningful failure. (This should fix https://github.com/lxc/lxc/issues/225)
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

09 Jun, 2014 (1 commit)

Stéphane Graber authored
This makes sure all PyObject structs are always initialized to NULL; this will fix issues such as issue #239. Also add a snapshot/list/restore testcase to the python3 api test code.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

05 Jun, 2014 (2 commits)

KATOH Yasufumi authored
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

KATOH Yasufumi authored
Update lxc-autostart(1) and lxc.container.conf(5) for commit 015f0dd7.
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>