- 14 Aug, 2015 1 commit
-
-
Дмитрий Пацура authored
Signed-off-by: Dmitry Patsura <talk@dmtry.me>
-
- 22 Jul, 2015 2 commits
-
-
Stéphane Graber authored
A user could otherwise over-mount /proc and prevent the apparmor profile or selinux label from being written which combined with a modified /bin/sh or other commonly used binary would lead to unconfined code execution.
Reported-by: Roman Fiedler
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
-
Serge Hallyn authored
This prevents an unprivileged user from using LXC to create arbitrary files on the filesystem.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
- 06 Apr, 2015 1 commit
-
-
Serge Hallyn authored
When we are shutting down the lxc network, we should not fail when things go wrong, as that only makes it harder to clean up later. See https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1429140 in particular
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
- 10 Mar, 2015 1 commit
-
-
KATOH Yasufumi authored
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
- 23 Feb, 2015 1 commit
-
-
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
-
- 08 Feb, 2015 1 commit
-
-
Stéphane Graber authored
This resolves the case where /proc/sysrq-trigger doesn't exist by simply ignoring any mount failure on ENOENT. With the current mount list, this will always result in a safe environment (typically the read-only underlay).
Closes #425
v2: Don't always show an error
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
- 30 Jan, 2015 33 commits
-
-
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Serge Hallyn authored
We were trying to be smart and use whatever the last part of the container's rootfs path was. However for block devices that doesn't make much sense. I.e. if lxc.rootfs = /dev/md-1, chances are that /var/lib/lxc/c1/md-1 does not exist. So always use the $lxcpath/$lxcname/rootfs, and if it does not exist, try to create it. With this, 'lxc-clone -s -o c1 -n c2' where c1 has an lvm backend is fixed.
See https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1414771
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Stéphane Graber authored
Close #406
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Serge Hallyn authored
1. tty5 is not needed
2. the devices should be optional in case they didn't exist in the host / parent-container
3. switch from 'touch $rootfs/dev/$dev' to using create=file in the mount entry.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
Serge Hallyn authored
Close #389
We will probably also want to switch the order of the mount attempts, as the new overlay fs should quickly become the more common scenario.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Stéphane Graber authored
Closes: #403
Signed-off-by: Dwight Engen
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Patrick O'Leary authored
The `index` libc function was removed in POSIX 2008, and `strchr` is a direct replacement. The bionic (Android) libc has removed `index` when you are compiling for a 64-bit architecture, such as AArch64.
Signed-off-by: Patrick O'Leary <patrick.oleary@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Vicente Olivert Riera authored
Reuse the code from the Debian template to associate a hwaddr if there is only one veth interface in the container's config file.
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Thomas Moschny authored
Signed-off-by: Thomas Moschny <thomas.moschny@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Michael Adam authored
Hi Michael,

do you have any concerns with the attached patch to the fedora template that adds an option --mask-tmp that prevents fedora/systemd from over-mounting /tmp with tmpfs, which is useful in some cases?

Thanks - Michael

----- Forwarded message from Michael Adam <obnox@samba.org> -----

Date: Sat, 10 Jan 2015 13:12:06 +0100
From: Michael Adam <obnox@samba.org>
To: LXC development mailing-list <lxc-devel@lists.linuxcontainers.org>
Subject: Re: [lxc-devel] [PATCHES] add "--mask-tmp" to lxc-fedora, plus some template script fixes
User-Agent: Mutt/1.5.23 (2014-03-12)

On 2015-01-10 at 13:08 +0100, Michael Adam wrote:
> On 2015-01-10 at 04:05 +0000, Serge Hallyn wrote:
> >
> > The less controversial one is adding mask-tmp to the fedora template.
> > It looks fine to me, but that should go separately to mwarfield, our
> > fedora template maintainer :)
>
> I had notified mhw of my patches on irc, but apparently he is
> currently very busy.
>
> For a start, following is an update of the uncontroversial fix
> patches, i.e. the fix patches without the path ones, and without
> the mask-tmp patch.

And here comes the mask-tmp patch. It needs to be applied onto the previous fix-patchset.

From 9589dca113535ed2f4faad89db2fab33bb8a9d7e Mon Sep 17 00:00:00 2001
From: Michael Adam <obnox@samba.org>
Date: Thu, 8 Jan 2015 10:25:24 +0100
Subject: [PATCH] lxc-fedora: add a new option --mask-tmp

This will configure the container to prevent the standard behaviour of over-mounting /tmp with tmpfs, which can be undesirable in some cases. My personal use case is vagrant-lxc in combination with vagrant-cachier.

Signed-off-by: Michael Adam <obnox@samba.org>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
-
Alexander Vladimirov authored
Signed-off-by: Alexander Vladimirov <alexander.idkfa.vladimirov@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
KATOH Yasufumi authored
Update for the commit 38005c54
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Michael Adam authored
--help and --list are special in the sense that they are independent of the other options and exit early. Document them separately.
Signed-off-by: Michael Adam <obnox@samba.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Michael Adam authored
Make it possible to use --list without having to specify --dist, --release, and --arch, which does not make a lot of sense.
Signed-off-by: Michael Adam <obnox@samba.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Michael Adam authored
Signed-off-by: Michael Adam <obnox@samba.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Michael Adam authored
Signed-off-by: Michael Adam <obnox@samba.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Axel Neumann authored
Containers fail to start with configs (as shown below) where the same vlan id is used for several type=vlan container interfaces. Then, during the instantiation of the vlan interfaces, an error occurs because the lxc code tries to assign the same temporary name to both of them before it is bound into the container.
> lxc.network.type = vlan
> lxc.network.flags = up
> lxc.network.link = eth1
> lxc.network.vlan.id = 3842
> lxc.network.name = iso0
>
> lxc.network.type = vlan
> lxc.network.flags = up
> lxc.network.link = eth2
> lxc.network.vlan.id = 3842
> lxc.network.name = iso1
Signed-off-by: Axel Neumann <neumann@cgws.de>
-
Serge Hallyn authored
Riya Khanna reported that with a ramfs rootfs the mount to make / rprivate was returning -EFAULT. NULL was being passed as the mount target. Pass "/" instead.
Reported-by: riya khanna <riyakhanna1983@gmail.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Michael Adam authored
by breaking and shortening some lines.
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
Michael Adam authored
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
Michael Adam authored
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
Michael Adam authored
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
Michael Adam authored
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
Michael Adam authored
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
Michael Adam authored
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
Michael Adam authored
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
Michael Adam authored
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
Michael Adam authored
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
Michael Adam authored
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
Michael Adam authored
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
Michael Adam authored
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-