Commits · 98613f618b6f161e11dc9eedf7cb170757624397 · Chen Yisong / lxc

06 Apr, 2020 2 commits

Release LXC 4.0.1 · 98613f61
Stéphane Graber authored Apr 06, 2020
```
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
```
98613f61

Revert "start: remove unnecessary check for valid cgroup_ops" · d33bb0fe

authored Apr 03, 2020

This reverts commit 52520e4f.

This can be NULL when there's a pre-start hook which fails.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

d33bb0fe

02 Apr, 2020 6 commits

lxccontainer: poll takes millisecond not seconds · 7e67b81d
Christian Brauner authored Apr 02, 2020
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
7e67b81d

cgroups: fix build warning on GCC 7 · b5d3501f

authored Apr 03, 2020

GCC 7 appears to be clever enough to detect that transient_len is
uninitialised but not that it won't be used despite [1]. Just initialise
it to zero to stop the complaining, and allow LXC to build on openSUSE
Leap.

[1]: 34683042 ("cgroups: fix "uninitialized transient_len" warning")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

b5d3501f

utils: use setres{u,g}id() in lxc_switch_uid_gid() · 05bec191
Christian Brauner authored Apr 02, 2020
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
05bec191
utils: rework fix_stdio_permissions() · 9ae55948
Christian Brauner authored Apr 02, 2020
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
9ae55948

cgroups: fix "uninitialized transient_len" warning · 256d4d01

authored Apr 02, 2020

Without this change, a build error is triggered if you compile with
-Werror=maybe-uninitialized.

 cgroups/cgfsng.c: In function 'cgfsng_monitor_enter':
 groups/cgfsng.c:1387:9: error: 'transient_len' may be used uninitialized in this function
    ret = lxc_writeat(h->cgfd_mon, "cgroup.procs", transient, transient_len);
          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The issue is that if handler->transient_pid is 0, then transient_len is
uninitialised but lxc_writeat(..., transient_len) still gets called.
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

256d4d01

fix non-root user cannot write /dev/stdout · b9d08129
gaohuatao authored Apr 01, 2020
```
Signed-off-by: gaohuatao <gaohuatao@huawei.com>
```
b9d08129

01 Apr, 2020 5 commits
- systemd: Add Documentation key · fa7132ae
  Stéphane Graber authored Apr 01, 2020
```
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
```
  fa7132ae
- autotools: don't install run-coccinelle.sh · e6c5d2e4
  Christian Brauner authored Apr 01, 2020
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  e6c5d2e4
- apparmor: generate ro,bind,remount rule list · 4e43c4fb
  Wolfgang Bumiller authored Aug 02, 2019
```
and update to changes based on lxd
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
```
  4e43c4fb
- init: add ExecReload to lxc.service to only reload profiles · 5697d2c6
  Wolfgang Bumiller authored Mar 31, 2020
```
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
```
  5697d2c6
- start: remove unnecessary check for valid cgroup_ops · 46340ce2
  Christian Brauner authored Mar 30, 2020
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  46340ce2
30 Mar, 2020 5 commits

cgroups: send two fds to attach to unified cgroup · 179e2bf8
Christian Brauner authored Mar 30, 2020
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
179e2bf8
cgroups: send two attach fds · 7e6deea3
Christian Brauner authored Mar 30, 2020
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
7e6deea3
start: log error when failing to create cgroup · 73e7bdfc
Christian Brauner authored Mar 30, 2020
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
73e7bdfc

cgroups: handle older kernels (e.g. v4.9) · 2f232c53

authored Mar 30, 2020

On olders kernels the restrictions to move processes between cgroups are
different than they are on newer kernels. Specifically, we're running into the
following check:

if (!uid_eq(cred->euid, GLOBAL_ROOT_UID) &&
    !uid_eq(cred->euid, tcred->uid) &&
    !uid_eq(cred->euid, tcred->suid))
        ret = -EACCES;

which dictates that in order to move a process into a cgroup one either needs
to be global root (no restrictions apply) or the effective uid of the process
trying to move the process and the {saved}uid of the process that is supposed
to be moved need to be identical. The new attaching logic we did didn't
fulfill this criterion for because it's not present on new kernels.

Closes https://github.com/lxc/lxd/issues/7104.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

2f232c53

verify cgroup controller name · a1a847db

authored Mar 30, 2020

validate that a cgroup controller name is a valid
zero-terminated string before passing it to
`cgroup_ops->get_cgroup()`.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

a1a847db

28 Mar, 2020 6 commits
- tree-wide: s/recursive_destroy/lxc_rm_rf/g · d45c0d96
  Christian Brauner authored Mar 28, 2020
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  d45c0d96
- cgroups: better helper naming · 9b157781
  Christian Brauner authored Mar 28, 2020
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  9b157781
- cgroups: move check for valid monitor process up · 16a3be60
  Christian Brauner authored Mar 28, 2020
```
Cc: cenxianlong <cenxianlong@huawei.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  16a3be60
- monitor process exited by signal SIGKILL, clean cgroup resource by third party · e5da28dd
  cenxianlong authored Mar 28, 2020
```
Writing the value 0 to a cgroup.procs file causes the
writing process to be moved to the corresponding cgroup
Signed-off-by: cenxianlong <cenxianlong@huawei.com>
```
  e5da28dd
- cgroups: please compilers · 7457a8b8
  Christian Brauner authored Mar 28, 2020
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  7457a8b8
- cgroups: use hidden directory for attaching cgroup · cafffc3d
  Christian Brauner authored Mar 27, 2020
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  cafffc3d
27 Mar, 2020 11 commits

conf: simplify userns_exec_minimal() · 2f1a5e77
Christian Brauner authored Mar 27, 2020
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
2f1a5e77
conf: introduce and use userns_exec_minimal() · f95c658c
Christian Brauner authored Mar 27, 2020
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
f95c658c
Revert "cgroups: fix unified cgroup attach" · 38d12ae6
Christian Brauner authored Mar 27, 2020
```
This reverts commit ba7ca43b.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
38d12ae6

fixup i/o handler return values · 3e9a7326

authored Mar 27, 2020

Particularly important for lxc_cmd_handler() handles client
input and should not be capable of canceling the main loop,
some syscall return values leaked through overlapping with
LXC_MAINLOOP_ERROR, causing unauthorized clients connecting
to the command socket to shutdown the main loop.

In turn, signal_handler() receiving unexpected
`signalfd_siginfo` struct sizes seems like a reason to bail
(since it's a kernel interface).
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

3e9a7326

cgroups: fix unified cgroup attach · 5c70927b

authored Mar 27, 2020

There's a fundamental problem with futexes and setid calls and the go runtime.
POSIX requires that when one thread setids all threas must setids and it uses
futexes and signals to synchronize the state across threads. This causes
deadlocks which means we can't use the pretty solution I first implemented.
Instead we need to chown after we create the directory. I might come up with
something smarter later but for now this will do.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

5c70927b

cgroups: remove unused variable · 04435b80
Christian Brauner authored Mar 27, 2020
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
04435b80
attach: use close_prot_errno_disarm() · 54b4c137
Christian Brauner authored Mar 27, 2020
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
54b4c137

cgroups: rework __cg_unified_attach() · 2bc38e68

authored Mar 27, 2020

We didn't account for cgroup_attach() succeeding and just tried to attach to
the same cgroup again which doesn't make sense.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

2bc38e68

cgroups: move pointer dereference after check · 17b12f31
Christian Brauner authored Mar 27, 2020
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
17b12f31
commands: log actual errno when lxc_cmd_get_cgroup2_fd() fails · c82fb6b3
Christian Brauner authored Mar 27, 2020
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
c82fb6b3
conf: rework and fix leak in userns_exec_1() · 8dca61de
Christian Brauner authored Mar 27, 2020
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
8dca61de

26 Mar, 2020 5 commits
- cgroups: fix attaching to the unified cgroup · d8d38da1
  Christian Brauner authored Mar 26, 2020
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  d8d38da1
- dir: improve dir backend · d06e1513
  Christian Brauner authored Mar 26, 2020
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  d06e1513
- dir: use cleanup macro in dir_mount() · 53209ca4
  Christian Brauner authored Mar 26, 2020
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  53209ca4
- tree-wide: harden mount option parsing · 039f2a91
  Christian Brauner authored Mar 26, 2020
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  039f2a91
- [lxc.service] Starts after remote-fs.target to allow containers relying on remote FS to work · f3151f06
  Pierre-Elliott Bécue authored Mar 25, 2020
```
Signed-off-by: Pierre-Elliott Bécue <becue@crans.org>
```
  f3151f06