- 21 Dec, 2017 1 commit
-
-
Christian Brauner authored
Receive fd for LSM security module before we set{g,u}id(). The reason is that on set{g,u}id() the kernel will a) make us undumpable and b) we will change our effective uid. This means our effective uid will be different from the effective uid of the process that created us which means that this processs no longer has capabilities in our namespace including CAP_SYS_PTRACE. This means we will not be able to read and /proc/<pid> files for the process anymore when /proc is mounted with hidepid={1,2}. So let's get the lsm label fd before the set{g,u}id(). Signed-off-by:Christian Brauner <christian.brauner@ubuntu.com>
-
- 20 Dec, 2017 3 commits
-
-
Christian Brauner authored
This let's us simplify the whole file a lot and makes things way clearer. It also let's us avoid the infamous pid cache. Signed-off-by: -
Christian Brauner authored
Signed-off-by: -
Christian Brauner authored
Improve the dhclient hook for OCI compat
-
- 19 Dec, 2017 16 commits
-
-
Jonathan Calmels authored
Signed-off-by:Jonathan Calmels <jcalmels@nvidia.com>
-
Jonathan Calmels authored
Signed-off-by: -
Jonathan Calmels authored
Excerpt from dnsmasq(8): By default, the DHCP server will attempt to ensure that an address in not in use before allocating it to a host. It does this by sending an ICMP echo request (aka "ping") to the address in question. If it gets a reply, then the address must already be in use, and another is tried. This flag disables this check. This is useful if one expects all the containers to get an IP address from the LXC authoritative DHCP server and wants to speed up the process of getting a lease. Signed-off-by: -
Jonathan Calmels authored
- Merge dhclient-start and dhclient-stop into a single hook. - Wait for a lease before returning from the hook. - Generate a logfile when LXC log level is either DEBUG or TRACE. - Rely on namespace file descriptors for the stop hook. - Use settings from /<sysconf>/lxc/dhclient.conf if available. - Attempt to cleanup if dhclient fails to shutdown properly. Signed-off-by: -
Christian Brauner authored
[monitor] wrong statement of break
-
Christian Brauner authored
hooks: add mount hook to configure access to NVIDIA GPUs
-
Christian Brauner authored
conf.c: small fix for args of mount_entry
-
Christian Brauner authored
Update Japanese lxc.container.conf(5)
-
KATOH Yasufumi authored
and: * remove empty paragraph in English man * untabify in Japanese man Signed-off-by:KATOH Yasufumi <karma@jazz.email.ne.jp>
-
KATOH Yasufumi authored
Update for commit 14a7b0f9Signed-off-by:
-
KATOH Yasufumi authored
Signed-off-by: -
KATOH Yasufumi authored
Update for commit 61d7a733Signed-off-by:
-
KATOH Yasufumi authored
Signed-off-by: -
Yifeng Tan authored
Signed-off-by:Yifeng Tan <tanyifeng1@huawei.com>
-
独孤昊天 authored
if lxc_abstract_unix_connect fail and return -1, this code never goto retry. Signed-off-by:liuhao <liuhao27@huawei.com>
-
Felix Abecassis authored
This hook requires the nvidia-container-cli tool provided by libnvidia-container: https://github.com/nvidia/libnvidia-container For containers that do not have CUDA_VERSION or NVIDIA_VISIBLE_DEVICES set in the environment, the hook will be a no-op. To enable in the configuration file: lxc.hook.mount = /usr/local/share/lxc/hooks/nvidia Signed-off-by:
Felix Abecassis <fabecassis@nvidia.com>
-
- 18 Dec, 2017 4 commits
-
-
Serge Hallyn authored
start: reap intermediate process
-
Christian Brauner authored
When we inherit namespaces we need to reap the attaching process. Signed-off-by: -
Christian Brauner authored
conf.c: add relative option for lxc.mount.entry
-
Yifeng Tan authored
Signed-off-by:
-
- 15 Dec, 2017 1 commit
-
-
Serge Hallyn authored
lxc_init: fix cgroup parsing
-
- 14 Dec, 2017 15 commits
-
-
Serge Hallyn authored
utils: use lxc_raw_clone() in run_command()
-
Christian Brauner authored
coverity: #1426132 coverity: #1426133 Signed-off-by: -
Christian Brauner authored
coverity: #1426131 Signed-off-by: -
Serge Hallyn authored
commands: fix race when open()/close() cmd socket
-
Christian Brauner authored
Signed-off-by: -
Christian Brauner authored
This is based on raw_clone in systemd but adapted to our needs. The main reason is that we need an implementation of fork()/clone() that does guarantee us that no pthread_atfork() handlers are run. While clone() in glibc currently doesn't run pthread_atfork() handlers we should be fine but there's no guarantee that this won't be the case in the future. So let's do the syscall directly - or as direct as we can. An additional nice feature is that we get fork() behavior, i.e. lxc_raw_clone() returns 0 in the child and the child pid in the parent. Our implementation tries to make sure that we cover all cases according to kernel sources. Note that we are not interested in any arguments that could be passed after the stack. Signed-off-by: -
Christian Brauner authored
add --share-$NS= support to lxc-execute
-
Christian Brauner authored
dir_detect: warn on eperm
-
Christian Brauner authored
criu: add feature check capability
-
Christian Brauner authored
When we report STOPPED to a caller and then close the command socket it is technically possible - and I've seen this happen on the test builders - that a container start() right after a wait() will receive ECONNREFUSED because it called open() before we close(). So for all new state clients simply close the command socket. This will inform all state clients that the container is STOPPED and also prevents a race between a open()/close() on the command socket causing a new process to get ECONNREFUSED because we haven't yet closed the command socket. Signed-off-by: -
Adrian Reber authored
This adds a simple test case which verifies that the new migrate() API command 'MIGRATE_FEATURE_CHECK' works as expected. If a feature does not exist on the currently running architecture/kernel/criu combination it does not report an error as this is a valid scenario. Signed-off-by:Adrian Reber <areber@redhat.com>
-
Adrian Reber authored
For migration optimization features like pre-copy or post-copy migration the support cannot be determined by simply looking at the CRIU version. Features like that depend on the architecture/kernel/criu combination and CRIU offers a feature checking interface to query if it is supported. This adds a LXC interface to query CRIU for those feature via the migrate() API call. For the recent pre-copy migration support in LXD this can be used to automatically detect if pre-copy migration should be used. In addition to the existing migrate() API commands this adds a new command: 'MIGRATE_FEATURE_CHECK'. The migrate_opts{} structure is extended by the member features_to_check which is a bitmask defining which CRIU features should be queried. Currently only the querying of the features FEATURE_MEM_TRACK and FEATURE_LAZY_PAGES is supported. Signed-off-by: -
Serge Hallyn authored
if user has lxc.rootfs.path = /some/path/foo, but can't access some piece of that path, then we'll get an unhelpful "failed to mount" without any indication of the problem. At least show that there is a permission problem. Signed-off-by:Serge Hallyn <shallyn@cisco.com>
-
Tycho Andersen authored
Signed-off-by:Tycho Andersen <tycho@tycho.ws>
-
Serge Hallyn authored
confile: add lxc.hook.version
-
