25 Nov, 2014 (23 commits)

Serge Hallyn authored
Fix return value on bind mount failure. If we've already mounted the rootfs, exit after the bind mount rather than re-trying the rootfs mount. The only case where this happens is when root is starting a container in a user namespace and with a block device backing store. In that case, pre-mount hooks will be executed in the initial user namespace. That may be worth fixing. Or it may be what we want. We should think about it and fix it.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Serge Hallyn authored
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Dark Templar authored
I've found one more typo in the gentoo template: the configuration in the generated file /etc/conf.d/hostname was not valid, but it didn't impact me due to "lxc.utsname" being set in the configuration file of the container and the hostname service not being used. Anyway, I've made a patch and am sending it with this mail.
Signed-off-by: Dark Templar <dark_templar@hotbox.ru>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Bogdan Purcareata authored
When running unprivileged, lxc-create will touch an fstab file, with bind-mounts for the ttys and other devices. Add this entry in the container config.
Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Bogdan Purcareata authored
Apply the changes found in templates/lxc-download to the busybox template as well. Change ownership of the config and fstab files to the unprivileged user, and the ownership of the rootfs to root in the new user namespace. Eliminate the "unsupported for userns" flag.
Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

KATOH Yasufumi authored
>>> On Tue, 30 Sep 2014 19:48:09 +0000 in message "Re: [lxc-devel] [PATCH] lxc-config can show lxc.cgroup.(use|pattern)" Serge Hallyn-san wrote:
> I think it would be worth also augmenting
> lxc_global_config_value() to return a default lxc.cgroup.use
> for 'all', and a default lxc.cgroup.pattern ("/lxc/%n" for root
> or "%n" for non-root).
lxc.cgroup.pattern is like this? (^_^;)
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Dark Templar authored
Signed-off-by: Dark Templar <dark_templar@hotbox.ru>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Serge Hallyn authored
because that's what it does
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Dongsheng Yang authored
When we need to know some info about a netdev, such as is_up or not, we need to read the flag for the netdev. This patch introduces an interface function named lxc_netdev_isup() to check whether a netdev is up or down, and introduces a network-private function named netdev_get_flag() to get the flag for a netdev by netlink.
Changelog: 10/15/2015: Return failure if name==NULL to avoid later strlen fun
Signed-off-by: Dongsheng Yang <yangds.fnst@cn.fujitsu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Dongsheng Yang authored
In netlink, we can set the dest_name of a netdev when moving the netdev between namespaces in one netlink request. And moving a netdev of a src_name to a netdev with a dest_name is a common use case. So this patch adds a parameter to lxc_network_move_by_index() to indicate the dest_name for the movement. NULL means the same as the src_name.
Signed-off-by: Dongsheng Yang <yangds.fnst@cn.fujitsu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Dongsheng Yang authored
We should exit with an error when starting a running container.
Signed-off-by: Dongsheng Yang <yangds.fnst@cn.fujitsu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Dongsheng Yang authored
When we want to get the index of an ifname which does not exist, we should return -EINVAL in this case.
Signed-off-by: Dongsheng Yang <yangds.fnst@cn.fujitsu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Dongsheng Yang authored
We should not modify ifname in lxc_netdev_move_by_name(); making it const in the param list will make our code more robust.
Signed-off-by: Dongsheng Yang <yangds.fnst@cn.fujitsu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Serge Hallyn authored
The way config_mount was structured, sending 'lxc.mount.auto = ' ended up actually clearing all lxc.mount.entry lines. Fix that by moving the check for an empty value to after the subkey checks. Then, actually do the clearing of auto_mounts in config_mount_auto. The 'strlen(subkey)' check being removed was bogus: the subkey is either known to be 'lxc.mount.entry', or else subkey would have been NULL (and forced a return in the block above). This would have been clearer if the config_mount() and helper fns were structured like the rest of confile.c. It's tempting to switch it over, but there are subtleties in there so it's not something to do without a lot of thought and testing.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Serge Hallyn authored
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Serge Hallyn authored
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Andrey Vagin authored
pivot_root can't be called if / is on a ramfs. Currently chroot is called before pivot_root. In this case the standard well-known 'chroot escape' technique allows escaping a container. I think the best way to handle this situation is to take the following actions:
* clean all mounts, which should not be visible in CT
* move CT's rootfs into /
* make chroot into /
I don't have a host where / is on a ramfs, so I can't test this patch.
Signed-off-by: Andrey Vagin <avagin@openvz.org>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Serge Hallyn authored
These all fix various ways that cgroup actions could fail if an unprivileged user's cgroup paths were not all the same for all controllers.
1. In cgm_{g,s}et, use the right controller, not the first in the list, to get the cgroup path.
2. When we pass 'all' to cgmanager for a ${METHOD}_abs, make sure that all cgroup paths are the same. That isn't necessary for methods not taking an absolute path, so split up the former cgm_supports_multiple_controllers() function into two booleans, one telling whether cgm supports it, and another telling us whether cgm supports it AND all controller cgroup paths are the same.
3. Separately, do_cgm_enter with abs=true couldn't work if all cgroup paths were not the same. So just ditch that helper and call lxc_cgmanager_enter() where needed, because the special cases would be more complicated.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Stéphane Graber authored
Don't use $TUSER as it's not defined. Also don't include lxc-test-usernic in extra_DIST.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Jamie Strandboge authored
Restrict signal and ptrace for processes running under the container profile. Rules based on AppArmor base abstraction. Add unix rules for processes running under the container profile.
Signed-off-by: Jamie Strandboge <jamie@canonical.com>
Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Serge Hallyn authored
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Serge Hallyn authored
Newer lxc uses 'silent' when remounting on shutdown. Silence that denial too.
Author: Jamie Strandboge <jamie@canonical.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

24 Sep, 2014 (4 commits)

Sergio Jimenez authored
Signed-off-by: Sergio Jimenez <tripledes@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

S.Çağlar Onur authored
Signed-off-by: S.Çağlar Onur <caglar@10ur.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Andre Nathan authored
Signed-off-by: Andre Nathan <andre@digirati.com.br>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

23 Sep, 2014 (3 commits)

Stéphane Graber authored
Reported-by: Neil Greenwood <neil.greenwood@gmail.com>
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Stéphane Graber authored
To cover all the cases we have around, we need to:
- Attempt to use cgm if present (preferred)
- Attempt to use cgmanager directly over dbus otherwise
- Fall back to cgroupfs
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>

KATOH Yasufumi authored
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

22 Sep, 2014 (7 commits)

Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Bill Kolokithas authored
Signed-off-by: Bill Kolokithas <kolokithas.b@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Jean-Tiare LE BIGOT authored
Signed-off-by: Jean-Tiare LE BIGOT <jean-tiare.le-bigot@ovh.net>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Jean-Tiare LE BIGOT authored
When "lxc.autodev = 1", LXC automatically creates a "/dev/.lxc/<name>.<hash>" folder to put the container's devices in so that they are visible from both the host and the container itself. On container exit (be it normal or not), this folder was not cleaned, which made the "/dev" folder grow continuously. We fix this by adding a new `int lxc_delete_autodev(struct lxc_handler *handler)` called from `static void lxc_fini(const char *name, struct lxc_handler *handler)`.
Signed-off-by: Jean-Tiare LE BIGOT <jean-tiare.le-bigot@ovh.net>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Serge Hallyn authored
Explain why we insist that root use newuidmap if it is available.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Serge Hallyn authored
If we didn't find newuidmap, then simply require the caller to be root and write to /proc/self/uidmap manually. Checking for newgidmap to exist is bogus.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Masami Ichikawa authored
This patch fixes the following build errors.

running build_ext
building '_lxc' extension
creating build/temp.linux-x86_64-3.4
gcc -pthread -Wno-unused-result -Werror=declaration-after-statement -DDYNAMIC_ANNOTATIONS_ENABLED=1 -DNDEBUG -g -fwrapv -O3 -Wall -Wstrict-prototypes -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong --param=ssp-buffer-size=4 -fPIC -I../../src -I../../src -I/usr/include/python3.4m -c lxc.c -o ./build/temp.linux-x86_64-3.4/lxc.o
lxc.c: In function ‘convert_tuple_to_char_pointer_array’:
lxc.c:49:5: error: ISO C90 forbids mixed declarations and code [-Werror=declaration-after-statement]
     char **result = (char**) calloc(argc + 1, sizeof(char*));
     ^
lxc.c:60:9: error: ISO C90 forbids mixed declarations and code [-Werror=declaration-after-statement]
         char *str = NULL;
         ^
lxc.c: In function ‘Container_get_cgroup_item’:
lxc.c:822:5: error: ISO C90 forbids mixed declarations and code [-Werror=declaration-after-statement]
     char* value = (char*) malloc(sizeof(char)*len + 1);
     ^
lxc.c: In function ‘Container_get_config_item’:
lxc.c:861:5: error: ISO C90 forbids mixed declarations and code [-Werror=declaration-after-statement]
     char* value = (char*) malloc(sizeof(char)*len + 1);
     ^
lxc.c: In function ‘Container_get_keys’:
lxc.c:903:5: error: ISO C90 forbids mixed declarations and code [-Werror=declaration-after-statement]
     char* value = (char*) malloc(sizeof(char)*len + 1);
     ^
cc1: some warnings being treated as errors
error: command 'gcc' failed with exit status 1
Makefile:472: recipe for target 'all' failed
make[3]: *** [all] Error 1
make[3]: Leaving directory '/home/masami/codes/lxc/src/python-lxc'
Makefile:394: recipe for target 'all-recursive' failed
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory '/home/masami/codes/lxc/src'
Makefile:338: recipe for target 'all' failed
make[1]: *** [all] Error 2
make[1]: Leaving directory '/home/masami/codes/lxc/src'
Makefile:484: recipe for target 'all-recursive' failed
make: *** [all-recursive] Error 1

build env:
distribution: Arch Linux
gcc version 4.9.1 20140903 (prerelease) (GCC)

Signed-off-by: Masami Ichikawa <masami256@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

20 Sep, 2014 (3 commits)

William Dauchy authored
Quiet mode was overridden by the double call of lxc_log_init (see lxc_container_new). Use lxc_log_options_no_override in order to fix this.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: William Dauchy <william@gandi.net>

Serge Hallyn authored
Introduce a new list of controllers just containing "all". Make the lists of controllers null-terminated. If the cgmanager api version is high enough, use the 'all' controller rather than walking all controllers, which should greatly reduce the amount of dbus overhead. This will be especially important for those going through a cgproxy. Also remove the call to clean up cgroups when a cgroup existed. That usually fails (and failure is ignored) since the to-be-cleaned-up cgroup is busy, but we shouldn't even be trying. Note this can create extra un-cleaned-up cgroups, however it's better than us accidentally removing a cgroup that someone else had created and was about to use.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

TAMUKI Shoichi authored
Call tar with --numeric-owner option to use numbers for user/group names because the whole uid/gid in rootfs should be consistently unchanged as in original stage3 tarball and private portage.
Signed-off-by: TAMUKI Shoichi <tamuki@linet.gr.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>