- 29 Sep, 2015 1 commit
-
-
Serge Hallyn authored
When a container starts up, lxc sets up the container's initial fstree by doing a bunch of mounting, guided by the container configuration file. The container config is owned by the admin or user on the host, so we do not try to guard against bad entries. However, since the mount target is in the container, it's possible that the container admin could divert the mount with symbolic links. This could bypass proper container startup (i.e. confinement of a root-owned container by the restrictive apparmor policy, by diverting the required write to /proc/self/attr/current), or bypass the (path-based) apparmor policy by diverting, say, /proc to /mnt in the container.

To prevent this,

1. do not allow mounts to paths containing symbolic links
2. do not allow bind mounts from relative paths containing symbolic links.

Details:

Define safe_mount which ensures that the container has not inserted any symbolic links into any mount targets for mounts to be done during container setup. The host's mount path may contain symbolic links. As it is under the control of the administrator, that's ok. So safe_mount begins the check for symbolic links after the rootfs->mount, by opening that directory. It opens each directory along the path using openat() relative to the parent directory using O_NOFOLLOW. When the target is reached, it mounts onto /proc/self/fd/<targetfd>.

Use safe_mount() in mount_entry(), when mounting container proc, and when needed. In particular, safe_mount() need not be used in any case where:

1. the mount is done in the container's namespace
2. the mount is for the container's rootfs
3. the mount is relative to a tmpfs or proc/sysfs which we have just safe_mount()ed ourselves

Since we were using proc/net as a temporary placeholder for /proc/sys/net during container startup, and proc/net is a symbolic link, use proc/tty instead.

Update the lxc.container.conf manpage with details about the new restrictions.

Finally, add a testcase to test some symbolic link possibilities.

Reported-by: Roman Fiedler
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
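The openat()/O_NOFOLLOW walk and the mount onto /proc/self/fd/<fd> that this commit describes, as an added example that is not LXC's own safe_mount() code: open_nofollow_walk(), safe_mount_rel() and demo() are names chosen here, and demo() builds a throwaway rootfs under /tmp with a planted proc -> mnt symlink to show the honest target opening while the diverted one is refused with ELOOP.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `rel` beneath `rootfd` one component at a time with O_NOFOLLOW: any symlink in `rel` fails with ELOOP. */
int open_nofollow_walk(int rootfd, const char *rel)
{
	char *copy = strdup(rel), *save = NULL;
	int cur = dup(rootfd);
	if (!copy || cur < 0) { free(copy); if (cur >= 0) close(cur); return -1; }
	for (char *p = strtok_r(copy, "/", &save); p; p = strtok_r(NULL, "/", &save)) {
		int next = openat(cur, p, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
		close(cur);
		if (next < 0) { free(copy); return -1; }
		cur = next;
	}
	free(copy);
	return cur;  /* fd of the validated target, or -1 with errno set */
}

/* Mount onto /proc/self/fd/<fd> so the kernel uses exactly the inode we validated. Needs CAP_SYS_ADMIN. */
int safe_mount_rel(const char *src, int rootfd, const char *rel, const char *fstype, unsigned long flags)
{
	char target[64]; int ret, saved, fd = open_nofollow_walk(rootfd, rel);
	if (fd < 0) return -1;
	snprintf(target, sizeof target, "/proc/self/fd/%d", fd);
	ret = mount(src, target, fstype, flags, NULL);
	saved = errno; close(fd); errno = saved;
	return ret;
}

/* Constructed rootfs with a planted proc -> mnt symlink; returns 0 if the walk behaves as intended (no mount). */
int demo(void)
{
	char dir[] = "/tmp/safe_mount_demo_XXXXXX"; int rootfd, good, bad, rc = -1;
	if (!mkdtemp(dir) || (rootfd = open(dir, O_RDONLY | O_DIRECTORY)) < 0) return -1;
	mkdirat(rootfd, "mnt", 0755); symlinkat("mnt", rootfd, "proc");
	good = open_nofollow_walk(rootfd, "mnt");       /* honest target */
	bad = open_nofollow_walk(rootfd, "proc/sys");   /* diverted target */
	if (good >= 0 && bad < 0 && errno == ELOOP) rc = 0;
	if (good >= 0) close(good);
	unlinkat(rootfd, "proc", 0); unlinkat(rootfd, "mnt", AT_REMOVEDIR); rmdir(dir); close(rootfd);
	return rc;
}
```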
-
- 25 Sep, 2015 2 commits
-
-
Tycho Andersen authored
Since we want to use null-terminated abstract sockets, let's compute the length of them correctly.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Serge Hallyn authored
systemd wants it. It doesn't seem to be a big deal, but it's one fewer error msg.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
- 21 Sep, 2015 14 commits
-
-
Stéphane Graber authored
I've noticed that a bunch of the code we've included over the past few weeks has been using 8-spaces rather than tabs, making it all very hard to read depending on your tabstop setting. This commit attempts to revert all of that back to proper tabs and fix a few more cases I've noticed here and there. No functional changes are included in this commit.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christianvanbrauner@gmail.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Serge Hallyn authored
Otherwise the kernel will umount when it gets around to it, but on lxc_destroy we may race with it and fail the rmdir of the overmounted (BUSY) rootfs. This makes lxc-test-snapshot pass for me again.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Serge Hallyn authored
(This *should* fix the lxc-test-snapshot testcase, but doesn't seem to by itself.) If it doesn't exist, we may as well start with an empty one. This is needed when creating an overlayfs snapshot.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Serge Hallyn authored
We're asked to delete it; don't fail if it doesn't exist. This stops lxc-destroy from failing when the container isn't fully built.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Tycho Andersen authored
Here are some more config options that we do actually require to be able to boot containers.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Serge Hallyn authored
Closes #655

We can't rsync the delta as unpriv user because we can't create the chardevs representing a whiteout. We can however rsync the rootfs and have the kernel create the whiteouts for us.

do_rsync: pass --delete

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Christian Brauner authored
static do_bdev_destroy() and bdev_destroy_wrapper() from lxccontainer.c become public bdev_destroy() and bdev_destroy_wrapper() in bdev.c and bdev.h.
Signed-off-by: Christian Brauner <christianvanbrauner@gmail.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christianvanbrauner@gmail.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Serge Hallyn authored
Newer kernels have added a new restriction: if /proc or /sys on the host has files or non-empty directories which are over-mounted, and there is no /proc which is fully visible, then it assumes there is a "security" reason for this. It prevents anyone in a non-initial user namespace from creating a new proc or sysfs mount.

To work around this, this patch adds a new 'nesting.conf' which can be lxc.include'd from a container configuration file. It adds a non-overmounted mount of /proc and /sys under /dev/.lxc, so that the kernel can see that we're not trying to *hide* things like /proc/uptime and /sys/devices/virtual/net. If the host adds this to the config file for container w1, then container w1 will support unprivileged child containers.

The nesting.conf file also sets the apparmor profile to the with-nesting variant, since that is required anyway. This actually means that supporting nesting isn't really more work than it used to be, just different. Instead of adding

lxc.aa_profile = lxc-container-default-with-nesting

you now just need to

lxc.include = /usr/share/lxc/config/nesting.conf

(Look, fewer characters :)

Finally, in order to maintain the current apparmor protections on proc and sys, we make /dev/.lxc/{proc,sys} non-read/writeable. We don't need to be able to use them, we're just showing the kernel what's what.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
KATOH Yasufumi authored
Add the description of optional, create=file/dir for lxc.mount.entry. This is an update for commit f5b67b36.
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Serge Hallyn authored
First, fix use of uninitialized variable 'ret'. Then, actually use the value it returned in its caller.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
Major Hayden authored
On very busy systems, some virtual network devices won't be destroyed after a container halts. This patch uses the lxc_delete_network() method to ensure that network devices attached to the container are destroyed when the container halts. Without the patch, some virtual network devices are left over on the system and must be removed with `ip link del <device>`. This caused containers with lxc.network.veth.pair to not be able to start. For containers using randomly generated virtual network device names, the old devices will hang around on the bridge with their original MAC address.
Signed-off-by: Major Hayden <major@mhtx.net>
-
KATOH Yasufumi authored
* Remove '-P' option, and common options (including '-P' option)
* Add long option for '-f'
* Improve Japanese translation

Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
- 28 Aug, 2015 2 commits
-
-
David Noyes authored
Signed-off-by: David Noyes <david.j.noyes@gmail.com>
-
David Noyes authored
Signed-off-by: David Noyes <david.j.noyes@gmail.com>
-
- 27 Aug, 2015 19 commits
-
-
David Ward authored
Signed-off-by: David Ward <david.ward@ll.mit.edu>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
David Ward authored
Commit 6c6892b5 "fix multithreaded create()" prevented the container configuration from being saved if the backing store does not need to be created.
Signed-off-by: David Ward <david.ward@ll.mit.edu>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
David Ward authored
Use the same code with and without a rootfs to check if mounting /proc is necessary before doing so. If mounting it is unsuccessful and there is no rootfs, continue as before.
Signed-off-by: David Ward <david.ward@ll.mit.edu>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
David Ward authored
A container without a rootfs is useful for running a collection of processes in separate namespaces (to provide separate networking as an example), while sharing the host filesystem (except for specific paths that are re-mounted as needed). For multiple processes to run automatically when such a container is started, it can be launched using lxc-start, and a separate instance of systemd can manage just the processes inside the container. (This assumes that the path to the systemd unit files is re-mounted and only contains the services that should run inside the container.) For this use case, autodev should be permitted for a container that does not have a rootfs.
Signed-off-by: David Ward <david.ward@ll.mit.edu>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
David Ward authored
Signed-off-by: David Ward <david.ward@ll.mit.edu>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
David Ward authored
It is not an error to create a container without a template or rootfs.
Signed-off-by: David Ward <david.ward@ll.mit.edu>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
David Ward authored
Signed-off-by: David Ward <david.ward@ll.mit.edu>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Christian Brauner authored
"NAME for name of the container" becomes "NAME of the container"
Signed-off-by: Christian Brauner <christianvanbrauner@gmail.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Christian Brauner authored
- Passing the LXC_CLONE_KEEPNAME flag to do_lxcapi_clone() was not respected and led to unexpected behaviour for e.g. lxc-clone. We wrap clear_unexp_config_line() and set_config_item_line() in an appropriate if-condition.

Signed-off-by: Christian Brauner <christianvanbrauner@gmail.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
KATOH Yasufumi authored
LXC now uses lxc.cgroup.use even when cgmanager is used. So remove the description for the case of using cgmanager. And add the case of not specifying it. This commit only updates en and ja man pages.
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Antonio Terceiro authored
Signed-off-by: Antonio Terceiro <terceiro@debian.org>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Antonio Terceiro authored
Signed-off-by: Antonio Terceiro <terceiro@debian.org>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Nicolas Cornu authored
Signed-off-by: Nicolas Cornu <nicolac76@yahoo.fr>
-
Nicolas Cornu authored
Signed-off-by: Nicolas Cornu <ncornu@aldebaran.com>
-
Nicolas Cornu authored
Signed-off-by: Nicolas Cornu <ncornu@aldebaran.com>
-
Nicolas Cornu authored
Signed-off-by: Nicolas Cornu <ncornu@aldebaran.com>
-
Nicolas Cornu authored
Signed-off-by: Nicolas Cornu <ncornu@aldebaran.com>
-
Stéphane Graber authored
check for NULL pointers before calling setenv()
-
- 21 Aug, 2015 1 commit
-
-
Robert Schiele authored
Latest glibc release actually honours calling setenv with a NULL pointer by causing SIGSEGV, but checking pointers before submitting to any system function is a good idea anyway.
Signed-off-by: Robert Schiele <rschiele@gmail.com>
-
- 14 Aug, 2015 1 commit
-
-
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
-