- 22 Oct, 2014 3 commits
-
-
Dark Templar authored
I've found one more typo in the gentoo template, configuration in the generated file /etc/conf.d/hostname was not valid, but it didn't impact me due to "lxc.utsname" being set in the configuration file of container and hostname service being not used. Anyway, I've made a patch and sending it with this mail. Signed-off-by:
Dark Templar <dark_templar@hotbox.ru> Signed-off-by:
Serge Hallyn <serge.hallyn@ubuntu.com>
-
Bogdan Purcareata authored
When running unprivileged, lxc-create will touch a fstab file, with bind-mounts for the ttys and other devices. Add this entry in the container config. Signed-off-by:
Bogdan Purcareata <bogdan.purcareata@freescale.com> Acked-by:
-
Bogdan Purcareata authored
Apply the changes found in templates/lxc-download to the busybox template as well. Change ownership of the config and fstab files to the unprivileged user, and the ownership of the rootfs to root in the new user namespace. Eliminate the "unsupported for userns" flag. Signed-off-by:
-
- 20 Oct, 2014 4 commits
-
-
KATOH Yasufumi authored
>>> On Tue, 30 Sep 2014 19:48:09 +0000 in message "Re: [lxc-devel] [PATCH] lxc-config can show lxc.cgroup.(use|pattern)" Serge Hallyn-san wrote: > I think it would be worth also augmenting > lxc_global_config_value() to return a default lxc.cgroup.use > for 'all', and a default lxc.cgroup.pattern ("/lxc/%n" for root > or "%n" for non-root). lxc.cgroup.pattern is like this? (^_^;) Signed-off-by:KATOH Yasufumi <karma@jazz.email.ne.jp> Signed-off-by:
-
KATOH Yasufumi authored
Signed-off-by:
-
Dark Templar authored
Signed-off-by:
-
Serge Hallyn authored
Check for it when we check for apparmor being enabled, rather than doing it during the middle of a container setup. This avoid the need to try mounting /sys and /sys/kernel/security in the middle of startup, which we may not be allowed to anyway. Signed-off-by:
Dwight Engen <dwight.engen@oracle.com>
-
- 17 Oct, 2014 4 commits
-
-
Serge Hallyn authored
Signed-off-by: -
Tycho Andersen authored
Signed-off-by:
Tycho Andersen <tycho.andersen@canonical.com> Signed-off-by:
-
Tycho Andersen authored
We previously wrote a bunch of files (eth*, veth*, and bridge*) as hard coded files which we used as the names of interfaces to restore via criu's --veth-pair. This meant that if people, e.g. gave a different bridge on their new host, we would use our saved bridge in bridge* and try to restore to the wrong bridge. Instead, we can just generate a new veth id (if the user hasn't provided one), and use whatever the user configured values for the interface name and bridge are. This allows people to switch the bridge that they restore onto simply by migrating the rootfs and config, and then changing the bridge name in the container's configuration before running lxc-checkpoint. Signed-off-by:
-
Tycho Andersen authored
Break the monolithic ->checkpoint and ->restore functions into smaller ones. This is in preparation for the checkpoint/restore tty work, which has a similar need to dump information outside of criu. Signed-off-by:
-
- 15 Oct, 2014 11 commits
-
-
Serge Hallyn authored
The python lxc-device supported adding wlan devices, so add that support as well. Since the python one did not support 'del', I didn't try adding that support, though it should be trivial to add. We should be able to do the wlan adding using netlink, but I went ahead and used 'iw' as the netlink path looked more complicated than it does for other nics. Patches to switch that over would be very welcome. Signed-off-by: -
Serge Hallyn authored
because that's what it does Signed-off-by: -
Dongsheng Yang authored
As there is a function named attach_interface to pass a interface to container now, we do not need to relay on python impolementation for lxc-device any more. changelog: 10/15/2014: serge: fail immediately if run as non-root. changelog: 10/15/2014: serge: add explicit error message on bad usage (fix build failure) Signed-off-by:
Dongsheng Yang <yangds.fnst@cn.fujitsu.com> Acked-by:
-
Dongsheng Yang authored
Changelog: 10/15/2014: serge: make ifname mandatory for detach_interface. Signed-off-by:
-
Dongsheng Yang authored
Currently, we depends on ip command to attach interface to container. It means we only implemented it by python. This patch implement adding and removing interface by c and added them in struct container. Changelog: 10/15/2014 (serge): return error if ifname is NULL. Signed-off-by:
-
Dongsheng Yang authored
Function of enter_to_ns() is useful but currently is static for lxccontainer.c. This patch split it into two parts named as switch_to_newuser() and switch_to_newnet() into utils.c. Signed-off-by:
-
Dongsheng Yang authored
When we need to know some info about a netdev, such as is_up or not, we need to read the flag for the netdev. This patch introduce a interface function named lxc_netdev_isup() to check is a netdev up or down. And introduce a network private function named netdev_get_flag() to get flag for netdev by netlink. Changelog: 10/15/2015: Return failure if name==NULL to avoid later strlen fun Signed-off-by:
-
Dongsheng Yang authored
In netlink, we can set the dest_name of netdev when move netdev between namespaces in one netlink request. And moving a netdev of a src_name to a netdev with a dest_name is a common usecase. So this patch add a parametaer to lxc_network_move_by_index() to indicate the dest_name for the movement. NULL means same with the src_name. Signed-off-by:
-
Dongsheng Yang authored
We should exit with a error when starting a running container. Signed-off-by:
-
Dongsheng Yang authored
When we want to get index of a ifname which does not exist, we should return a -EINVAL in this case. Signed-off-by:
-
Dongsheng Yang authored
We should not modify ifname in lxc_netdev_move_by_name(), making it as const in param list will make our code more robust. Signed-off-by:
-
- 13 Oct, 2014 1 commit
-
-
Stéphane Graber authored
Signed-off-by:Stéphane Graber <stgraber@ubuntu.com>
-
- 09 Oct, 2014 3 commits
-
-
Serge Hallyn authored
the way config_mount was structured, sending 'lxc.mount.auto = ' ended up actually clearing all lxc.mount.entrys. Fix that by moving the check for an empty value to after the subkey checks. Then, actually do the clearing of auto_mounts in config_mount_auto. The 'strlen(subkey)' check being removed was bogus - the subkey either known to be 'lxc.mount.entry', else subkey would have been NULL (and forced a return in the block above). This would have been clearer if the config_mount() and helper fns were structured like the rest of confile.c. It's tempting to switch it over, but there are subtleties in there so it's not something to do without a lot of thought and testing. Signed-off-by: -
Serge Hallyn authored
Signed-off-by: -
Serge Hallyn authored
Signed-off-by:
-
- 08 Oct, 2014 8 commits
-
-
Dwight Engen authored
- RHEL/OL 7 doesn't have the ifconfig command by default so have the lxc-net script check for its existence before use, and fall back to using the ip command if ifconfig is not available - When lxc-net is run from systemd on a system with selinux enabled, the mkdir -p ${varrun} will create /run/lxc as init_var_run_t which dnsmasq can't write its pid into, so we restorecon it after creation (to var_run_t) - The lxc-net systemd .service file needs an [Install] section so that "systemctl enable lxc-net" will work Signed-off-by: -
Tycho Andersen authored
If we don't close these running lxc-checkpoint via: ssh host "sudo lxc-checkpoint ..." just hangs. We leave stderr open so that subesquent errors will print correctly (and also because for whatever reason it doesn't break ssh :). Signed-off-by: Tycho Andersen <tycho.andersen at canonical.com> Signed-off-by: -
Tycho Andersen authored
Previously, we let criu create the cgroups for a container as it was restoring things. In some cases (i.e. migration across hosts), if the container being migrated was in /lxc/u1-3, it would be migrated to the target host in /lxc/u1-3, even if there was no /lxc/u1-2 (or worse, if there was already an alive container in u1-3). Instead, we use lxc's cgroup_create, and then tell criu where to restore to. Signed-off-by:
-
Tycho Andersen authored
On Tue, Oct 07, 2014 at 07:33:07PM +0000, Tycho Andersen wrote: > This commit is in preparation for the cgroups create work, since we will need > the handler in both the parent and the child. This commit also re-works how > errors are propagated to be less verbose. Here is an updated version: From 941623498a49551411ccf185146061f3f37d3a67 Mon Sep 17 00:00:00 2001 From: Tycho Andersen <tycho.andersen@canonical.com> Date: Tue, 7 Oct 2014 19:13:51 +0000 Subject: [PATCH 1/2] restore: Hoist handler to function level This commit is in preparation for the cgroups create work, since we will need the handler in both the parent and the child. This commit also re-works how errors are propagated to be less verbose. v2: rename error to has_error, handle it correctly, and remove some diff noise Signed-off-by:
-
Tycho Andersen authored
This is in preparation for the cgroups creation work, but also probably just a good idea in general. The ERROR message is handy since we print line nos. it will to give people an indication of what arg was null. Signed-off-by:
-
Serge Hallyn authored
Signed-off-by: -
Andrey Vagin authored
pivot_root can't be called if / is on a ramfs. Currently chroot is called before pivot_root. In this case the standard well-known 'chroot escape' technique allows to escape a container. I think the best way to handle this situation is to make following actions: * clean all mounts, which should not be visible in CT * move CT's rootfs into / * make chroot into / I don't have a host, where / is on a ramfs, so I can't test this patch. Signed-off-by:
Andrey Vagin <avagin@openvz.org> Signed-off-by:
-
Serge Hallyn authored
These all fix various ways that cgroup actions could fail if an unprivileged user's cgroup paths were not all the same for all controllers. 1. in cgm_{g,s}et, use the right controller, not the first in the list, to get the cgroup path. 2. when we pass 'all' to cgmanager for a ${METHOD}_abs, make sure that all cgroup paths are the same. That isn't necessary for methods not taking an absolute path, so split up the former cgm_supports_multiple_controllers() function into two booleans, one telling whether cgm supports it, and another telling us whether cgm supports it AND all controller cgroup paths are the same. 3. separately, do_cgm_enter with abs=true couldn't work if all cgroup paths were not the same. So just ditch that helper and call lxc_cgmanager_enter() where needed, because the special cases would be more complicated. Signed-off-by:
-
- 06 Oct, 2014 1 commit
-
-
Joshua Brunner authored
Interfaces listed by `ip link list` are prefixed with the index identifier. The pattern "^$BRNAME" does not match. - dependencies to ifconfig and ip removed - wait until interface flagged with IFF_UP Ref: https://github.com/torvalds/linux/blob/master/include/uapi/linux/if.hSigned-off-by:
Joshua Brunner <j.brunner@nexbyte.com>
-
- 02 Oct, 2014 1 commit
-
-
Stéphane Graber authored
Don't use $TUSER as it's not defined. Also don't include lxc-test-usernic in extra_DIST. Signed-off-by:
-
- 01 Oct, 2014 1 commit
-
-
Stéphane Graber authored
Signed-off-by:
-
- 29 Sep, 2014 3 commits
-
-
Serge Hallyn authored
This fixes pivot_root on 3.11 and older kernels. Signed-off-by:
-
Stéphane Graber authored
This prevents scripts running with -e to fail when lxc-net doesn't exist. Signed-off-by: -
Jamie Strandboge authored
Restrict signal and ptrace for processes running under the container profile. Rules based on AppArmor base abstraction. Add unix rules for processes running under the container profile. Signed-off-by:
Jamie Strandboge <jamie@canonical.com> Acked-by:
-
