- 16 Jan, 2015 4 commits
Serge Hallyn authored
Do not keep container devs under /dev/.lxc. Instead, always keep them in a small tmpfs mounted at $(mounted_root)/dev. The tmpfs is mounted in the container monitor's namespace. This means that at every reboot it will get re-created. It seems to me this better replicates what happens on a real host. If we want devices persisting across reboots, then perhaps we can implement a $lxcpath/$name/keepdev directory containing devices to bind into the container at each startup.
Changelog (v2): don't bother with the $lxcpath/$name/rootfs.dev directory, just mount the tmpfs straight into the container.
Changelog (v3): Don't create /dev if it doesn't exist
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Michael Adam authored
--help and --list are special in the sense that they are independent of the other options and exit early. Document them separately.
Signed-off-by: Michael Adam <obnox@samba.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Michael Adam authored
Make it possible to use --list without having to specify --dist, --release, and --arch, which does not make a lot of sense.
Signed-off-by: Michael Adam <obnox@samba.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Michael Adam authored
Signed-off-by: Michael Adam <obnox@samba.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

- 15 Jan, 2015 3 commits
Serge Hallyn authored
We want to close all inherited fds in three cases - one, if a container is daemonized. Two, if the user specifies -C on the lxc-start command line. Three, in src/lxc/monitor.c. The presence of -C is passed in the lxc_conf, which may not always exist. One call to lxc_check_inherited was being done from lxc_start(), which doesn't know whether we are daemonized. Move that call to its caller, lxcapi_start(), which does know. Pass an explicit closeall boolean as second argument to lxc_check_inherited. If it is true, then all fds are closed. If it is false, then we check the lxc_conf->close_all_fds. With this, all tests pass, and the logic appears correct.
Note that when -C is not true, then we only warn about inherited fds, but we do not abort the container start. This appears to have been the case since commit 92c7f629 in 2011. Unfortunately the referenced URL with the justification is no longer valid. We may want to consider becoming stricter about this again. (Note that the commit did say "for now")
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

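The two behaviours the commit message describes (warn about inherited fds, or close them when the closeall boolean is set) as an added, stand-alone example. This is not LXC's lxc_check_inherited() and does not use LXC's code or types: the function names list_open_fds, check_inherited_fds and fd_is_open are ours, and the keep[] parameter is an assumption standing in for whatever fds the caller knows it must hold on to (LXC's real function keeps a few fds of its own). It scans /proc/self/fd, so it only runs on Linux.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Fill out[] with every open fd > 2 except the directory fd used for the
 * scan itself.  Returns the number stored (capped at max), or -1 if
 * /proc/self/fd cannot be opened. */
int list_open_fds(int *out, size_t max)
{
    DIR *dir = opendir("/proc/self/fd");
    if (!dir)
        return -1;
    int self = dirfd(dir);
    size_t n = 0;
    struct dirent *de;
    while ((de = readdir(dir)) != NULL) {
        char *end;
        long fd = strtol(de->d_name, &end, 10);
        if (end == de->d_name || *end != '\0')
            continue;            /* skips "." and ".." */
        if (fd <= 2 || fd == self)
            continue;            /* stdio and our own scan fd are not "inherited" */
        if (n < max)
            out[n] = (int)fd;
        n++;
    }
    closedir(dir);
    return (int)(n > max ? max : n);
}

static int in_list(int fd, const int *list, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (list[i] == fd)
            return 1;
    return 0;
}

/* Mirror of the closeall boolean described in the commit message (hypothetical
 * API, not LXC's).  Every fd > 2 that is not in keep[] counts as inherited.
 * closeall != 0: close each inherited fd.  closeall == 0: only warn on stderr,
 * i.e. the lenient behaviour the message says has been the default since 2011.
 * Returns the number of inherited fds found, or -1 on error. */
int check_inherited_fds(int closeall, const int *keep, size_t nkeep)
{
    int fds[1024];
    int n = list_open_fds(fds, sizeof fds / sizeof fds[0]);
    if (n < 0)
        return -1;
    int found = 0;
    for (int i = 0; i < n; i++) {
        if (in_list(fds[i], keep, nkeep))
            continue;
        found++;
        if (closeall)
            close(fds[i]);
        else
            fprintf(stderr, "warning: inherited fd %d is open\n", fds[i]);
    }
    return found;
}

/* 1 if fd refers to an open file description, 0 otherwise (EBADF). */
int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1;
}

int main(void)
{
    /* Constructed demo: a pipe stands in for fds leaked into the monitor. */
    int keep[1024];
    int nkeep = list_open_fds(keep, sizeof keep / sizeof keep[0]);
    int p[2];
    if (nkeep < 0 || pipe(p) != 0)
        return 1;
    int warned = check_inherited_fds(0, keep, (size_t)nkeep);   /* warns only */
    int closed = check_inherited_fds(1, keep, (size_t)nkeep);   /* closes them */
    printf("warned about %d fd(s), then closed %d; pipe still open: %d\n",
           warned, closed, fd_is_open(p[0]) || fd_is_open(p[1]));
    return 0;
}
```

The keep[] snapshot taken before the pipe is created is what makes the closeall path safe to run inside an existing process: only the fds opened after the snapshot are treated as inherited, which is the same discipline a monitor needs so it does not close its own logging or signal fds.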
Serge Hallyn authored
We fixed this some time ago for basic lxc-start, but never did lxc-start-ephemeral. Since the lxc-start patches were pushed, Miklos has given us a way to detect whether we need the workdir= option. So the bdev.c code could be simplified to check for "overlay\n" in /proc/filesystems just as lxc-start-ephemeral does. This patch doesn't do that.
Changelog (v2):
1. use 'overlay' fstype for new overlay upstream module
2. avoid using unneeded readlines().
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Michael Adam authored
Signed-off-by: Michael Adam <obnox@samba.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

- 13 Jan, 2015 3 commits
Serge Hallyn authored
This isn't the perfect fix. In fact close_all_fds shouldn't be stored in the lxc_conf. But this will fix the tests short-term.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Serge Hallyn authored
It has unfortunate repercussions elsewhere, and the needed fix can be done another way.
This reverts commit 1f76453a.

Serge Hallyn authored
Because we never have that any more
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

- 12 Jan, 2015 2 commits
Serge Hallyn authored
Riya Khanna reported that with a ramfs rootfs the mount to make / rprivate was returning -EFAULT. NULL was being passed as the mount target. Pass "/" instead.
Reported-by: riya khanna <riyakhanna1983@gmail.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Serge Hallyn authored
When containers request to be daemonized, close-all-fd is set to true. But when we switched to daemonize-by-default we didn't set close-all-fd by default. Fix that. In order to do that we have to always have a lxc_conf object. As a consequence, after this patch we can drop a bunch of checks for c->lxc_conf existing. We should consider removing those. This patch does not do that.
This should close https://github.com/lxc/lxc/issues/354
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

- 10 Jan, 2015 16 commits
Michael Adam authored
by breaking and shortening some lines.
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Michael Adam authored
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Michael Adam authored
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Michael Adam authored
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Michael Adam authored
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Michael Adam authored
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Michael Adam authored
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Michael Adam authored
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Michael Adam authored
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Michael Adam authored
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Michael Adam authored
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Michael Adam authored
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Michael Adam authored
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Michael Adam authored
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Michael Adam authored
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Michael Adam authored
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

- 08 Jan, 2015 2 commits
hallyn authored
apparmor: Fix slave bind mounts

Martin Pitt authored
The permission to make a mount "slave" is spelt "make-slave", not "slave", see https://launchpad.net/bugs/1401619. Also, we need to make all mounts slave, not just the root dir. https://launchpad.net/bugs/1350947

- 05 Jan, 2015 5 commits
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Stéphane Graber authored
Just like we block access to mem and kmem, there's no good reason for the container to have access to kcore.
Reported-by: Marc Schaefer
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Natanael Copa authored
Alpine Linux provides yaml files with latest release instead of the old approach with .latest.txt.
Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Michael Adam authored
fedora-release has been split into fedora-release and fedora-repos.
Signed-off-by: Michael Adam <obnox@samba.org>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Michael Adam authored
This is to prevent systemd-journald to enter a 100% cpu loop.
Signed-off-by: Michael Adam <obnox@samba.org>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

- 19 Dec, 2014 4 commits
Johannes Kastl authored
lxc-opensuse: Disable building openSUSE containers on 13.2/Tumbleweed only if wrong version of build package is installed
Signed-off-by: Johannes Kastl <git@ojkastl.de>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Johannes Kastl authored
Signed-off-by: Johannes Kastl <git@ojkastl.de>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Serge Hallyn authored
In contrast to what the comment above the line disabling it said, it seems to work just fine. It also is needed on current kernels (until Eric's patch hits upstream) to prevent unprivileged containers from hosing fuse filesystems they inherit.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Serge Hallyn authored
If a container has a bind mount from a host nfs or fuse filesystem, and does 'umount -f', it will disconnect the host's filesystem. This patch adds a seccomp rule to block umount -f from a container. It also adds that rule to the default seccomp profile. Thanks stgraber for the idea :)
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

- 04 Dec, 2014 1 commit
Veres Lajos authored
https://github.com/vlajos/misspell_fixer
Signed-off-by: Veres Lajos <vlajos@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
