- 21 Sep, 2015 14 commits
-
-
Stéphane Graber authored
I've noticed that a bunch of the code we've included over the past few weeks has been using 8-spaces rather than tabs, making it all very hard to read depending on your tabstop setting. This commit attempts to revert all of that back to proper tabs and fix a few more cases I've noticed here and there. No functional changes are included in this commit. Signed-off-by:Stéphane Graber <stgraber@ubuntu.com>
-
Christian Brauner authored
Signed-off-by:
Christian Brauner <christianvanbrauner@gmail.com> Acked-by:
Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Serge Hallyn authored
Otherwise the kernel will umount when it gets around to it, but that on lxc_destroy we may race with it and fail the rmdir of the overmounted (BUSY) rootfs. This makes lxc-test-snapshot pass for me again. Signed-off-by:
-
Serge Hallyn authored
(This *should* fix the lxc-test-snapshot testcase, but doesn't seem to by itself.) If it doesn't exist, we may as well start with an empty one. This is needed when creating an overlayfs snapshot. Signed-off-by:
-
Serge Hallyn authored
We're asked to delete it, don't fail if it doesn't exist. This stops lxc-destroy from failing when the container isn't fully built. Signed-off-by:
-
Tycho Andersen authored
Here's some more config options that we do actually require to be able to boot containers. Signed-off-by:
Tycho Andersen <tycho.andersen@canonical.com> Acked-by:
-
Serge Hallyn authored
Closes #655 We can't rsync the delta as unpriv user because we can't create the chardevs representing a whiteout. We can however rsync the rootfs and have the kernel create the whiteouts for us. do_rsync: pass --delete Signed-off-by:
-
Christian Brauner authored
static do_bdev_destroy() and bdev_destroy_wrapper() from lxccontainer.c become public bdev_destroy() and bdev_destroy_wrapper() in bdev.c and bdev.h Signed-off-by:
-
Christian Brauner authored
Signed-off-by:
-
Serge Hallyn authored
Newer kernels have added a new restriction: if /proc or /sys on the host has files or non-empty directories which are over-mounted, and there is no /proc which fully visible, then it assumes there is a "security" reason for this. It prevents anyone in a non-initial user namespace from creating a new proc or sysfs mount. To work around this, this patch adds a new 'nesting.conf' which can be lxc.include'd from a container configuration file. It adds a non-overmounted mount of /proc and /sys under /dev/.lxc, so that the kernel can see that we're not trying to *hide* things like /proc/uptime. and /sys/devices/virtual/net. If the host adds this to the config file for container w1, then container w1 will support unprivileged child containers. The nesting.conf file also sets the apparmor profile to the with-nesting variant, since that is required anyway. This actually means that supporting nesting isn't really more work than it used to be, just different. Instead of adding lxc.aa_profile = lxc-container-default-with-nesting you now just need to lxc.include = /usr/share/lxc/config/nesting.conf (Look, fewer characters :) Finally, in order to maintain the current apparmor protections on proc and sys, we make /dev/.lxc/{proc,sys} non-read/writeable. We don't need to be able to use them, we're just showing the kernel what's what. Signed-off-by: -
KATOH Yasufumi authored
Add the description of optional, create=file/dir for lxc.mount.entry. This is update for commit f5b67b36. Signed-off-by:
KATOH Yasufumi <karma@jazz.email.ne.jp> Acked-by:
-
Serge Hallyn authored
First, fix use of uninitialized variable 'ret'. Then, actually use the value it returned in its caller. Signed-off-by: -
Major Hayden authored
On very busy systems, some virtual network devices won't be destroyed after a container halts. This patch uses the lxc_delete_network() method to ensure that network devices attached to the container are destroyed when the container halts. Without the patch, some virtual network devices are left over on the system and must be removed with `ip link del <device>`. This caused containers with lxc.network.veth.pair to not be able to start. For containers using randomly generated virtual network device names, the old devices will hang around on the bridge with their original MAC address. Signed-off-by:Major Hayden <major@mhtx.net>
-
KATOH Yasufumi authored
* Remove '-P' option, and common options (including '-P' option) * Add long option for '-f' * Improve Japanese translation Signed-off-by:
-
- 28 Aug, 2015 2 commits
-
-
David Noyes authored
Signed-off-by:David Noyes <david.j.noyes@gmail.com>
-
David Noyes authored
Signed-off-by:
-
- 27 Aug, 2015 19 commits
-
-
David Ward authored
Signed-off-by:
David Ward <david.ward@ll.mit.edu> Acked-by:
-
David Ward authored
Commit 6c6892b5 "fix multithreaded create()" prevented the container configuration from being saved if the backing store does not need to be created. Signed-off-by:
-
David Ward authored
Use the same code with and without a rootfs to check if mounting /proc is necessary before doing so. If mounting it is unsuccessful and there is no rootfs, continue as before. Signed-off-by:
-
David Ward authored
A container without a rootfs is useful for running a collection of processes in separate namespaces (to provide separate networking as an example), while sharing the host filesystem (except for specific paths that are re-mounted as needed). For multiple processes to run automatically when such a container is started, it can be launched using lxc-start, and a separate instance of systemd can manage just the processes inside the container. (This assumes that the path to the systemd unit files is re-mounted and only contains the services that should run inside the container.) For this use case, autodev should be permitted for a container that does not have a rootfs. Signed-off-by:
-
David Ward authored
Signed-off-by:
-
David Ward authored
It is not an error to create a container without a template or rootfs. Signed-off-by:
-
David Ward authored
Signed-off-by:
-
Christian Brauner authored
"NAME for name of the container" becomes "NAME of the container" Signed-off-by:
-
Christian Brauner authored
- Passing the LXC_CLONE_KEEPNAME flag to do_lxcapi_clone() was not respected and let to unexpected behaviour for e.g. lxc-clone. We wrap clear_unexp_config_line() and set_config_item_line() in an appropriate if-condition. Signed-off-by:
-
KATOH Yasufumi authored
LXC now uses lxc.cgroup.use even when cgmanager is used. So remove the description for the case of using cgmanager. And add the case of not specifying it. This commit only updates en and ja man pages. Signed-off-by:
-
Antonio Terceiro authored
Signed-off-by:
Antonio Terceiro <terceiro@debian.org> Acked-by:
-
Antonio Terceiro authored
Signed-off-by:
-
Stéphane Graber authored
Signed-off-by:
-
Nicolas Cornu authored
Signed-off-by:Nicolas Cornu <nicolac76@yahoo.fr>
-
Nicolas Cornu authored
Signed-off-by:Nicolas Cornu <ncornu@aldebaran.com>
-
Nicolas Cornu authored
Signed-off-by: -
Nicolas Cornu authored
Signed-off-by: -
Nicolas Cornu authored
Signed-off-by: -
Stéphane Graber authored
check for NULL pointers before calling setenv()
-
- 21 Aug, 2015 1 commit
-
-
Robert Schiele authored
Latest glibc release actually honours calling setenv with a NULL pointer by causing SIGSEGV but checking pointers before submitting to any system function is a good idea anyway. Signed-off-by:Robert Schiele <rschiele@gmail.com>
-
- 14 Aug, 2015 2 commits
-
-
Stéphane Graber authored
Signed-off-by: -
Tycho Andersen authored
tracefs is a new filesystem that can be mounted by users. Only the options and fs name need to be passed to restore the state, so we can use criu's auto fs feature. Signed-off-by:
-
- 13 Aug, 2015 2 commits
-
-
Michal Grzedzicki authored
Signed-off-by:Michał Grzędzicki <lazy404@gmail.com>
-
Robert LeBlanc authored
Caps are getting lost when cloning an LXC. Adding the -X parameter copies the extended attributes. This allows things like ping to continue to be used by a non-privilged user in Debian at least.
-
