- 25 Nov, 2014 37 commits
-
-
Serge Hallyn authored
Support creation and use of lxc-cirros by unprivileged users. If we detect we are an unprivileged user, then insist that we be in a userns with an id mapping. If we are in a userns, then don't extract /dev when extracting the rootfs. If we are not root, then save the tarball to ~/.cache/lxc/cirros instead of /var/cache/lxc/cirros. If we are not root, then include entries to auto-mount proc and sys, as well as bind-mount devices.
Cc: Scott Moser <smoser@ubuntu.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Joel Nider authored
Fixes a small (but consistent) spelling mistake in conf.c
Signed-off-by: Joel Nider <joeln@il.ibm.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Serge Hallyn authored
Otherwise both resulting tasks will print what they had flushed when they exit. This fixes https://bugs.launchpad.net/bugs/1389244
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Tested-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
TAMUKI Shoichi authored
Do mkdir $rootfs/dev/shm and then mount tmpfs on /dev/shm.
Signed-off-by: TAMUKI Shoichi <tamuki@linet.gr.jp>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Silvio Fricke authored
We allocate a pointer and save this address in a static variable. After this we free this pointer and return. Here is a cutout of a valgrind report:
    [...]
    ==11568== Invalid read of size 1
    ==11568==    at 0x4C2D524: strlen (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==11568==    by 0x5961C9B: puts (in /usr/lib/libc-2.20.so)
    ==11568==    by 0x400890: main (lxc_config.c:73)
    ==11568==  Address 0x6933e21 is 1 bytes inside a block of size 32 free'd
    ==11568==    at 0x4C2B200: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==11568==    by 0x4E654F2: lxc_global_config_value (utils.c:415)
    ==11568==    by 0x4E92177: lxc_get_global_config_item (lxccontainer.c:2287)
    ==11568==    by 0x400883: main (lxc_config.c:71)
    [...]
Signed-off-by: Silvio Fricke <silvio.fricke@gmail.com>
-
Serge Hallyn authored
"all" is not a supported keyword for cgmanager's get_pid_cgroup. Pass the first mounted cgroup subsystem instead of passing "all" when getting the container's cgroup to attach to. Also, make sure that the target cgroup is in fact in all identical cgroups before attaching with 'all'. If not, then we must attach to each cgroup separately, or else we will not be in all the same cgroups as the target container.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Serge Hallyn authored
If attach is being done over passed-in fds, then we shouldn't mess with the caller's signal table to ignore ctrl-c over the fd.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Sergio Jimenez authored
Signed-off-by: Sergio Jimenez <tripledes@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Simon Deziel authored
This addresses https://github.com/lxc/lxc/issues/280.
Signed-off-by: Simon Deziel <simon@sdeziel.info>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Serge Hallyn authored
It is not system-definable, rather glibc sets that to bin:/usr/bin, which is simply too restrictive. So just always set our preferred path. This was reported at: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1384327
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Serge Hallyn authored
Rather than try to free all the not-being-returned items at each if clause where we assign one to the return value, just NULL the one we are returning so we can safely free all the values. This should fix the newly reported coverity memory leak.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Serge Hallyn authored
If we are root using a user namespace and are mounting a blockdev as rootfs, then we do this before unsharing the userns, because we are not allowed to do it in a userns. But after unsharing the userns, we unconditionally retried mounting the rootfs, resulting in failure. Stop that.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Dark Templar authored
Behave well when /etc/lxc/${name} is a symlink to a directory.
Signed-off-by: Dark Templar <dark_templar@hotbox.ru>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Serge Hallyn authored
Fix return value on bind mount failure. If we've already mounted the rootfs, exit after the bind mount rather than re-trying the rootfs mount. The only case where this happens is when root is starting a container in a user namespace and with a block device backing store. In that case, pre-mount hooks will be executed in the initial user namespace. That may be worth fixing. Or it may be what we want. We should think about it and fix it.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
Serge Hallyn authored
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
Dark Templar authored
I've found one more typo in the gentoo template: the configuration in the generated file /etc/conf.d/hostname was not valid, but it didn't impact me due to "lxc.utsname" being set in the configuration file of the container and the hostname service not being used. Anyway, I've made a patch and am sending it with this mail.
Signed-off-by: Dark Templar <dark_templar@hotbox.ru>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
Bogdan Purcareata authored
When running unprivileged, lxc-create will touch a fstab file, with bind-mounts for the ttys and other devices. Add this entry in the container config.
Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Bogdan Purcareata authored
Apply the changes found in templates/lxc-download to the busybox template as well. Change ownership of the config and fstab files to the unprivileged user, and the ownership of the rootfs to root in the new user namespace. Eliminate the "unsupported for userns" flag.
Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
KATOH Yasufumi authored
>>> On Tue, 30 Sep 2014 19:48:09 +0000 in message "Re: [lxc-devel] [PATCH] lxc-config can show lxc.cgroup.(use|pattern)" Serge Hallyn-san wrote:
> I think it would be worth also augmenting
> lxc_global_config_value() to return a default lxc.cgroup.use
> for 'all', and a default lxc.cgroup.pattern ("/lxc/%n" for root
> or "%n" for non-root).
lxc.cgroup.pattern is like this? (^_^;)
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
Dark Templar authored
Signed-off-by: Dark Templar <dark_templar@hotbox.ru>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
Serge Hallyn authored
Because that's what it does.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
Dongsheng Yang authored
When we need to know some info about a netdev, such as whether it is up or not, we need to read the flag for the netdev. This patch introduces an interface function named lxc_netdev_isup() to check whether a netdev is up or down, and introduces a network-private function named netdev_get_flag() to get the flag for a netdev by netlink.
Changelog:
10/15/2015: Return failure if name==NULL to avoid later strlen fun
Signed-off-by: Dongsheng Yang <yangds.fnst@cn.fujitsu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Dongsheng Yang authored
In netlink, we can set the dest_name of a netdev when moving the netdev between namespaces in one netlink request. And moving a netdev of a src_name to a netdev with a dest_name is a common use case. So this patch adds a parameter to lxc_network_move_by_index() to indicate the dest_name for the movement. NULL means the same as the src_name.
Signed-off-by: Dongsheng Yang <yangds.fnst@cn.fujitsu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Dongsheng Yang authored
We should exit with an error when starting a running container.
Signed-off-by: Dongsheng Yang <yangds.fnst@cn.fujitsu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Dongsheng Yang authored
When we want to get the index of an ifname which does not exist, we should return -EINVAL in this case.
Signed-off-by: Dongsheng Yang <yangds.fnst@cn.fujitsu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Dongsheng Yang authored
We should not modify ifname in lxc_netdev_move_by_name(); making it const in the param list will make our code more robust.
Signed-off-by: Dongsheng Yang <yangds.fnst@cn.fujitsu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
-
Serge Hallyn authored
The way config_mount was structured, sending 'lxc.mount.auto = ' ended up actually clearing all lxc.mount.entrys. Fix that by moving the check for an empty value to after the subkey checks. Then, actually do the clearing of auto_mounts in config_mount_auto. The 'strlen(subkey)' check being removed was bogus: the subkey is either known to be 'lxc.mount.entry', or else subkey would have been NULL (and forced a return in the block above). This would have been clearer if the config_mount() and helper fns were structured like the rest of confile.c. It's tempting to switch it over, but there are subtleties in there so it's not something to do without a lot of thought and testing.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
Serge Hallyn authored
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
Serge Hallyn authored
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
Andrey Vagin authored
pivot_root can't be called if / is on a ramfs. Currently chroot is called before pivot_root. In this case the standard well-known 'chroot escape' technique allows escaping a container. I think the best way to handle this situation is to take the following actions:
* clean all mounts, which should not be visible in CT
* move CT's rootfs into /
* make chroot into /
I don't have a host where / is on a ramfs, so I can't test this patch.
Signed-off-by: Andrey Vagin <avagin@openvz.org>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
Serge Hallyn authored
These all fix various ways that cgroup actions could fail if an unprivileged user's cgroup paths were not all the same for all controllers.
1. In cgm_{g,s}et, use the right controller, not the first in the list, to get the cgroup path.
2. When we pass 'all' to cgmanager for a ${METHOD}_abs, make sure that all cgroup paths are the same. That isn't necessary for methods not taking an absolute path, so split up the former cgm_supports_multiple_controllers() function into two booleans, one telling whether cgm supports it, and another telling us whether cgm supports it AND all controller cgroup paths are the same.
3. Separately, do_cgm_enter with abs=true couldn't work if all cgroup paths were not the same. So just ditch that helper and call lxc_cgmanager_enter() where needed, because the special cases would be more complicated.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
Stéphane Graber authored
Don't use $TUSER as it's not defined. Also don't include lxc-test-usernic in extra_DIST.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
-
Jamie Strandboge authored
Restrict signal and ptrace for processes running under the container profile. Rules based on AppArmor base abstraction. Add unix rules for processes running under the container profile.
Signed-off-by: Jamie Strandboge <jamie@canonical.com>
Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Serge Hallyn authored
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Serge Hallyn authored
Newer lxc uses 'silent' when remounting on shutdown. Silence that denial too.
Author: Jamie Strandboge <jamie@canonical.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
- 24 Sep, 2014 3 commits
-
-
Sergio Jimenez authored
Signed-off-by: Sergio Jimenez <tripledes@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
S.Çağlar Onur authored
Signed-off-by: S.Çağlar Onur <caglar@10ur.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
-