- 12 Feb, 2014 18 commits
- Serge Hallyn authored
  Also don't use arm arch if not defined. This *should* fix the build on precise, but I didn't fire one off. I did test that builds with libseccomp2 still work as expected.
  Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
  Acked-by: Stéphane Graber <stgraber@ubuntu.com>
- Stéphane Graber authored
  - Run on distro without lsb_release
  - Don't try and interpret with_runtime_path as a command
  - Don't print stuff on screen while in the middle of a check
  Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
- Stéphane Graber authored
  Now that we depend on seccomp2, the backport currently in precise is too old to allow for a successful build, so instead use ppa:ubuntu-lxc/daily which contains recent versions of all needed build-dependencies.
  Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
- Stéphane Graber authored
  Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
  Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
- Stéphane Graber authored
  Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
  Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
- Stéphane Graber authored
  Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
  Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
- Stéphane Graber authored
  Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
  Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
- Stéphane Graber authored
  Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
  Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
- Stéphane Graber authored
  Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
  Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
- Stéphane Graber authored
  Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
  Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
- Serge Hallyn authored
  v2 allows specifying system calls by name, and specifying architecture. A policy looks like:

    2
    whitelist
    open
    read
    write
    close
    mount
    [x86]
    open
    read

  Also use SCMP_ACT_KILL by default rather than SCMP_ACT_ERRNO(31) - which confusingly returns 'EMLINK' on x86_64. Note this change is also done for v1 as I think it is worthwhile.

  With this patch, I can in fact use a seccomp policy like:

    2
    blacklist
    mknod errno 0

  after which 'sudo mknod null c 1 3' silently succeeds without creating the null device.

  changelog v2:
  - add blacklist support
  - support default action
  - support per-rule action

  Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
  Acked-by: Stéphane Graber <stgraber@ubuntu.com>
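Added example, not LXC's own parser: a Python reader for the policy layout the commit message above describes (version line, whitelist/blacklist line, optional [arch] sections, one syscall per line with an optional per-rule action), plus a resolver showing what each mode does to a given syscall. It models libseccomp actions as tuples instead of installing a filter. The two sample policies are the ones from the message; everything beyond it is an assumption and marked as such in the code: that a default action may follow the mode word, that rules before any [arch] line are for the native arch and an [arch] section adds to them, and the action spellings kill, trap, allow and errno N. The function names parse_policy, decide and errno_name are mine.

```python
"""Reader for the seccomp v2 policy layout sketched in the commit message above.

Added example, not LXC's parser. It builds an action table and resolves what
a whitelist or blacklist does to a given syscall; libseccomp's actions are
modelled as tuples rather than applied. Lines marked ASSUMPTION go beyond
what the commit message shows.
"""
import errno

# The two policies from the commit message, one token per line as in a policy file.
WHITELIST_POLICY = """\
2
whitelist
open
read
write
close
mount
[x86]
open
read
"""

BLACKLIST_POLICY = """\
2
blacklist
mknod errno 0
"""

KILL = ("kill",)      # the default the commit switches to
ALLOW = ("allow",)


def parse_action(tokens):
    """Action tokens -> ('kill',), ('trap',), ('allow',) or ('errno', N); None if absent.
    ASSUMPTION: these spellings; the message itself shows only 'errno 0'."""
    if not tokens:
        return None
    name = tokens[0].lower()
    if name == "errno":
        if len(tokens) != 2 or not tokens[1].isdigit():
            raise ValueError("errno needs one numeric argument, got %r" % (tokens,))
        return ("errno", int(tokens[1]))
    if name in ("kill", "trap", "allow"):
        return (name,)
    raise ValueError("unknown action %r" % name)


def parse_policy(text):
    """Return {'version', 'mode', 'default_action', 'rules': {arch: [(syscall, action)]}}."""
    lines = [l.strip() for l in text.splitlines()]
    lines = [l for l in lines if l and not l.startswith("#")]
    if len(lines) < 2 or lines[0] != "2":
        raise ValueError("only version 2 policies are handled here")
    header = lines[1].split()
    mode = header[0].lower()
    if mode not in ("whitelist", "blacklist"):
        raise ValueError("second line must be whitelist or blacklist")
    # ASSUMPTION: an action after the mode word is the policy's default action
    # ('support default action' in the changelog). Absent, it is KILL, the
    # default the commit adopts in place of SCMP_ACT_ERRNO(31).
    default_action = parse_action(header[1:]) or KILL
    rules = {}
    arch = "native"   # ASSUMPTION: rules before any [arch] line are for the native arch
    for line in lines[2:]:
        if line.startswith("[") and line.endswith("]"):
            arch = line[1:-1].strip().lower()
            continue
        tokens = line.split()
        rules.setdefault(arch, []).append((tokens[0], parse_action(tokens[1:])))
    return {"version": 2, "mode": mode, "default_action": default_action, "rules": rules}


def decide(policy, arch, syscall):
    """Resulting action for one syscall on one arch.
    whitelist: listed -> allow (or the rule's own action), unlisted -> default action
    blacklist: listed -> the rule's own action (or default action), unlisted -> allow
    ASSUMPTION: an [arch] section adds to the native rules rather than replacing them."""
    candidates = policy["rules"].get("native", []) + policy["rules"].get(arch, [])
    matches = [action for name, action in candidates if name == syscall]
    explicit = next((a for a in matches if a is not None), None)
    if policy["mode"] == "whitelist":
        return (explicit or ALLOW) if matches else policy["default_action"]
    return (explicit or policy["default_action"]) if matches else ALLOW


def errno_name(number):
    """Name behind an errno value: why ERRNO(31) 'confusingly returns EMLINK'."""
    return errno.errorcode.get(number, "unknown")


if __name__ == "__main__":
    wl = parse_policy(WHITELIST_POLICY)
    print("whitelist:", decide(wl, "x86_64", "open"), decide(wl, "x86_64", "mknod"))
    bl = parse_policy(BLACKLIST_POLICY)
    # ('errno', 0): mknod reports success without creating the node
    print("blacklist:", decide(bl, "x86_64", "mknod"), decide(bl, "x86_64", "open"))
    print("errno 31 is", errno_name(31))
```

Under the blacklist policy the mknod rule resolves to errno 0, which is the behaviour the message reports for `sudo mknod null c 1 3`: the call returns success and nothing is created. Under the whitelist policy an unlisted call such as mknod resolves to the default, kill, rather than to errno 31, which on x86_64 would have surfaced as EMLINK.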
- Stéphane Graber authored
  This is pretty much copy/paste from overlayfs.
  Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
  Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
- Stéphane Graber authored
  Travis has now corrected the bug in their build environment so we no longer need to force the autogen script through bash.
  Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
- Stéphane Graber authored
  This allows running lxc-start-ephemeral using overlayfs. aufs remains blocked as it hasn't been looked at and patched to work in the kernel at this point (not sure if it ever will).
  Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
  Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
- Serge Hallyn authored
  The previous check for access to rootfs->path failed in the case of overlayfs or loop backing stores. Instead just check early on for access to lxcpath.
  Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
  Acked-by: Stéphane Graber <stgraber@ubuntu.com>
- Stéphane Graber authored
  Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
- Stéphane Graber authored
  If on Ubuntu, then match the host's own architecture; this should allow for our tests to pass on the armhf CI environment.
  Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
  Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
- Stéphane Graber authored
  Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
  Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
- 11 Feb, 2014 5 commits
- Serge Hallyn authored
  Also make sure to chown the new rootfs path to the container owner. This is how we make sure that the container root is allowed to write under delta0.
  Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
  Acked-by: Stéphane Graber <stgraber@ubuntu.com>
- Stéphane Graber authored
  This allows older distros to override /run with whatever their own path is, mostly useful for old RedHat and possibly Android.
  Reported-by: Robert Vogelgesang <vogel@users.sourceforge.net>
  Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
  Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
- Stéphane Graber authored
  Reported-by: Robert Vogelgesang <vogel@users.sourceforge.net>
  Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
  Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
- Serge Hallyn authored
  Instead force a copy clone. Else if the user makes a change to the original container, the snapshot will be affected. The user should first create a snapshot clone, then use and snapshot that clone while leaving the original container untouched.
  Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
  Acked-by: Stéphane Graber <stgraber@ubuntu.com>
- Serge Hallyn authored
  With this patch, if an unprivileged user has $HOME 700 or 750 and does lxc-start -n c1 he'll see an error like:

    lxc_container: Permission denied - could not access /home/serge. Please grant it 'x' access, or add an ACL for the container root.

  (This addresses bug pad.lv/1277466)
  Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
  Acked-by: Stéphane Graber <stgraber@ubuntu.com>
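Added example, not LXC's code: a component-by-component 'x' (search) check along the path to the container directory, of the kind the error above reports, evaluated for the host uid the container's root maps to. It runs over a constructed in-memory tree that stands in for stat(2) and consults plain mode bits only; the ACL alternative the message mentions is not modelled. The uid values, the /home/serge tree, the lxcpath under ~/.local/share/lxc and the function names first_denied_component, access_error and with_mode are assumptions for illustration.

```python
"""Component-wise 'x' (search) check along a path, for a specific uid and gids.

Added example, not LXC's code. Mode bits only; POSIX ACLs are not modelled.
"""
import collections
import os
import stat

# Minimal stand-in for os.stat_result with the same attribute names, so the
# default stat_fn (os.stat) works on a real filesystem too.
Entry = collections.namedtuple("Entry", "st_uid st_gid st_mode")

# Constructed tree (assumption, for illustration): user 1000's home is 0700 and
# the unprivileged lxcpath lives below it.
HOME_700 = {
    "/": Entry(0, 0, stat.S_IFDIR | 0o755),
    "/home": Entry(0, 0, stat.S_IFDIR | 0o755),
    "/home/serge": Entry(1000, 1000, stat.S_IFDIR | 0o700),
    "/home/serge/.local": Entry(1000, 1000, stat.S_IFDIR | 0o755),
    "/home/serge/.local/share": Entry(1000, 1000, stat.S_IFDIR | 0o755),
    "/home/serge/.local/share/lxc": Entry(1000, 1000, stat.S_IFDIR | 0o755),
}
LXCPATH = "/home/serge/.local/share/lxc"
CONTAINER_ROOT_UID = 100000   # assumption: host uid that the container's root maps to


def make_stat(tree):
    """stat(2) replacement reading from a constructed dict; fails like os.stat."""
    def _stat(path):
        try:
            return tree[path]
        except KeyError:
            raise FileNotFoundError(path)
    return _stat


def can_search(st, uid, gids):
    """Whether uid (with supplementary gids) holds the search bit on st.
    Only the owner/group/other class that applies is consulted, as the kernel
    does. No capability override: the mapped container root holds no
    CAP_DAC_READ_SEARCH on the host, so it is an ordinary uid here."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)


def first_denied_component(path, uid, gids, stat_fn=os.stat):
    """First directory on the way to `path` (inclusive) that uid cannot search, else None."""
    path = os.path.normpath(os.path.join("/", path))
    prefixes, current = ["/"], ""
    for part in path.split("/"):
        if part:
            current += "/" + part
            prefixes.append(current)
    for prefix in prefixes:
        if not can_search(stat_fn(prefix), uid, gids):
            return prefix
    return None


def access_error(path, uid, gids, stat_fn=os.stat):
    """Message in the form the commit above reports, or None if every component is searchable."""
    denied = first_denied_component(path, uid, gids, stat_fn)
    if denied is None:
        return None
    return ("Permission denied - could not access %s. Please grant it 'x' access, "
            "or add an ACL for the container root." % denied)


def with_mode(tree, path, mode):
    """Copy of the tree with one directory's permission bits replaced (the chmod fix)."""
    fixed = dict(tree)
    old = fixed[path]
    fixed[path] = old._replace(st_mode=(old.st_mode & ~0o7777) | mode)
    return fixed


if __name__ == "__main__":
    who = {CONTAINER_ROOT_UID}
    print(access_error(LXCPATH, CONTAINER_ROOT_UID, who, make_stat(HOME_700)))
    # 0711 on the home directory is enough: the mapped uid needs only 'x', not 'r'.
    fixed = with_mode(HOME_700, "/home/serge", 0o711)
    print(access_error(LXCPATH, CONTAINER_ROOT_UID, who, make_stat(fixed)))
```

The check stops at the first unsearchable directory, which is what makes the reported message point at /home/serge rather than at the container directory itself. Mode 0711 (or an ACL granting 'x' to the mapped uid) lets the container root traverse the home directory without being able to list it; with 0750 only members of the home's group get through, which is why a 750 home fails for a mapped uid that shares no group with the user.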
- 10 Feb, 2014 1 commit
- TAMUKI Shoichi authored
  - Change redirection of fd 200 to 9 (greater than 9 may conflict with fd the shell uses internally)
  - Replace numeric line addressing of ed with regular expressions to avoid correcting the line addressing at each modification of init scripts
  - Correct the option order (trivial)
  Signed-off-by: TAMUKI Shoichi <tamuki@linet.gr.jp>
  Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
  Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
- 08 Feb, 2014 2 commits
- Stéphane Graber authored
  Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
- Stéphane Graber authored
  Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
- 07 Feb, 2014 6 commits
- Stéphane Graber authored
  Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
- Serge Hallyn authored
  The goal is to avoid an absolute symlink in the guest redirecting us to the host's /dev. Thanks to the libvirt team for considering that possibility!

  We want to work on kernels which do not support setns, so we simply chroot into the container before doing any rm/mknod. If /dev/vda5 is a symlink to /XXX, or /dev is a symlink to /etc, this is now correctly resolved locally in the chroot.

  We would have preferred to use realpath() to check that the resolved path is not changed, but realpath across /proc/pid/root does not work as expected.
  Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
  Acked-by: Stéphane Graber <stgraber@ubuntu.com>
- Stéphane Graber authored
  Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
  Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
- Stéphane Graber authored
  Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
- Stéphane Graber authored
  This fixes a crash in lxc-autostart following the addition of lxc_log_init as lxc-autostart doesn't use the name property.
  Signed-off-by: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
  Acked-by: Stéphane Graber <stgraber@ubuntu.com>
- Stéphane Graber authored
  Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
- 06 Feb, 2014 8 commits
- Dwight Engen authored
  lxc-cgroup doesn't depend on cgmanager
  Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
  Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
- Stéphane Graber authored
  Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
- Stéphane Graber authored
  Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
- Stéphane Graber authored
  Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
  Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
- Stéphane Graber authored
  The previous change to support http proxies only worked when http_proxy was set... Instead add some detection code and only use :80 when using http_proxy. That's a bit of a workaround, but it's the only way I could find to get GPG to work with http_proxy.
  Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
- Dwight Engen authored
  This op will be used on older kernels where container shutdown via reboot(2) is not implemented and we use the utmp watching code.
  Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
  Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
- Stéphane Graber authored
  Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
- Stéphane Graber authored
  Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>