- 04 Sep, 2017 7 commits
-
-
Stéphane Graber authored
criu: add cmp_version()
-
Federico Briata authored
We cannot use strcmp(). Otherwise we incorrectly report e.g. that criu 2.12.1 is less than 2.8.
Signed-off-by: Federico Briata <federico-pietro.briata@cnhind.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
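The comparison the commit message describes, as an added example that is not LXC's own cmp_version(): dotted versions are compared component by component as integers, so "2.12.1" sorts after "2.8" even though strcmp() places it before. The function name and the rule that a missing trailing component counts as 0 are assumptions made here.

```c
/* Added example, not LXC's cmp_version(): numeric comparison of dotted
 * version strings such as the ones criu reports. */
#include <stdio.h>
#include <string.h>

/* Parse the next numeric component from *s and advance *s past the
 * following '.'. Leading digits form the value; any trailing text in the
 * component (e.g. "1-rc2") is skipped. An exhausted string yields 0, so
 * "2.8" compares equal to "2.8.0" (assumed rule). */
static long next_component(const char **s)
{
	long v = 0;
	const char *p = *s;

	if (*p == '\0')
		return 0;

	while (*p >= '0' && *p <= '9') {
		v = v * 10 + (*p - '0');
		p++;
	}

	/* skip anything up to the next separator */
	while (*p != '\0' && *p != '.')
		p++;
	if (*p == '.')
		p++;

	*s = p;
	return v;
}

/* Returns <0 if a is older than b, 0 if equal, >0 if a is newer. */
int cmp_version(const char *a, const char *b)
{
	while (*a != '\0' || *b != '\0') {
		long va = next_component(&a);
		long vb = next_component(&b);

		if (va != vb)
			return va < vb ? -1 : 1;
	}

	return 0;
}

int main(void)
{
	const char *a = "2.12.1", *b = "2.8";

	printf("strcmp(\"%s\", \"%s\") = %d (lexical, wrong for versions)\n",
	       a, b, strcmp(a, b));
	printf("cmp_version(\"%s\", \"%s\") = %d (numeric)\n",
	       a, b, cmp_version(a, b));
	return 0;
}
```

strcmp() reports "2.12.1" < "2.8" because it stops at the first differing byte ('1' < '8'); the numeric comparison yields the expected ordering.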
-
Stéphane Graber authored
console: non-functional change
-
Stéphane Graber authored
conf: don't send ttys when none are configured
-
Christian Brauner authored
It is bad style to close an fd inside a function which didn't create it. Let's rather close it transparently in start.c.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Serge Hallyn authored
network: improvements + bugfixes
-
- 03 Sep, 2017 9 commits
-
-
Christian Brauner authored
Writes < PIPE_BUF will be atomic. PIPE_BUF is guaranteed to be 512 by POSIX and Linux guarantees 4096. Nothing we send around goes over this limit.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
I thought we could send all ttys at once but this limits the number of ttys users can use because of iovec_len restrictions. So let's send them in batches of 2.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
lxc_mkifname() really doesn't need to allocate any memory.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Also move all functions to network.{c,h}.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Since find_line() was changed earlier, count_entries() started counting lines wrong. It would report maximum reached before you actually reached your allotted maximum.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
- 02 Sep, 2017 2 commits
-
-
Christian Brauner authored
Assume the db contained the following entries:

    chb veth lxcbr0 veth1
    chb veth lxcbr0 veth2
    chb veth lxdbr0 veth3
    chb veth lxdbr0 veth2
    didi veth lxcbr0 veth4

And you request cull_entries("chb", "veth", "lxdbr0", "veth3"); lxc-user-nic would wipe any entries that did not match irrespective of whether they existed or not. Let's fix that.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
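The behaviour the commit message asks for, as an added example that is not lxc-user-nic's own cull_entries(): only the line whose four fields (owner, type, bridge, nic) all match the request is dropped, every other line is copied through unchanged. The db text below is the one constructed in the message; the function signature, the "one line per entry" layout and the fixed-size output buffer are assumptions made here.

```c
/* Added example, not lxc-user-nic's code: cull exactly the matching entry
 * from a whitespace-separated, one-entry-per-line db. */
#include <stdio.h>
#include <string.h>

/* The db from the commit message, constructed here as sample input. */
const char *SAMPLE_DB =
	"chb veth lxcbr0 veth1\n"
	"chb veth lxcbr0 veth2\n"
	"chb veth lxdbr0 veth3\n"
	"chb veth lxdbr0 veth2\n"
	"didi veth lxcbr0 veth4\n";

/* Copy db into out (outlen bytes), leaving out every line whose four fields
 * equal (name, type, bridge, nic). Lines that do not match, including
 * malformed ones, are preserved verbatim. Returns the number of lines
 * removed, or -1 if out is too small to hold the surviving lines. */
int cull_entries(const char *db, const char *name, const char *type,
		 const char *bridge, const char *nic, char *out, size_t outlen)
{
	int removed = 0;
	size_t used = 0;
	const char *line = db;

	if (outlen == 0)
		return -1;
	out[0] = '\0';

	while (*line != '\0') {
		const char *end = strchr(line, '\n');
		/* length including the newline, if there is one */
		size_t len = end ? (size_t)(end - line) + 1 : strlen(line);
		char buf[256];
		char f[4][64];
		int matched = 0;

		if (len < sizeof(buf)) {
			memcpy(buf, line, len);
			buf[len] = '\0';
			if (sscanf(buf, "%63s %63s %63s %63s",
				   f[0], f[1], f[2], f[3]) == 4 &&
			    strcmp(f[0], name) == 0 &&
			    strcmp(f[1], type) == 0 &&
			    strcmp(f[2], bridge) == 0 &&
			    strcmp(f[3], nic) == 0)
				matched = 1;
		}

		if (matched) {
			removed++;
		} else {
			if (used + len >= outlen)
				return -1;
			memcpy(out + used, line, len);
			used += len;
			out[used] = '\0';
		}

		line += len;
	}

	return removed;
}

int main(void)
{
	char out[512];
	int n = cull_entries(SAMPLE_DB, "chb", "veth", "lxdbr0", "veth3",
			     out, sizeof(out));

	printf("removed %d entr%s, remaining db:\n%s", n, n == 1 ? "y" : "ies", out);
	return 0;
}
```

A request that matches nothing leaves the db byte-for-byte intact, which is the property the original code violated.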
-
Christian Brauner authored
The code before inserted \0-bytes after every new line which made the db basically unusable.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
- 01 Sep, 2017 9 commits
-
-
Christian Brauner authored
We use data_sock for all things we need to send around between parent and child now. It doesn't make sense to have so many different pipes and sockets if one will do just fine.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Dimitri John Ledkov authored
Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Dimitri John Ledkov authored
If netplan is present in the container, configure default networking with netplan instead of ifupdown. Also, do not install ifupdown when bootstrapping the minbase variant, unless using currently supported non-netplan releases (trusty, xenial, zesty).
Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
liblxc will now correctly log any network device names and ifindices in their respective network namespaces. So there's no need to record physical network devices any more. This spares us heap allocations and memory we need to have lying around until the container is shut down.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
On privileged network creation we only retrieved the names and ifindices of network devices in the host's network namespace. This meant that the monitor process was acting on possibly incorrect information. With this commit we have the child send back the correct device names and ifindices in the container's network namespace.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
This renames the socketpair() variable "ttysock" to "data_sock" since we will use it to send arbitrary data around, not just ttys anymore.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
All network devices can only be of size < IFNAMSIZ. So let's spare the useless heap allocations and use static memory.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
- 31 Aug, 2017 11 commits
-
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
- check for error on ifindex retrieval
- free allocated memory
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
- Retrieve the host's veth device ifindex in the host's network namespace.
- Add a note why we retrieve the container's veth device ifindex in the host's network namespace.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Serge Hallyn authored
lxc-user-nic: test privilege over netns on delete
-
Christian Brauner authored
- On unprivileged veth network creation have lxc-user-nic send the names of the veth devices and their respective ifindices. The advantage of retrieving this information from lxc-user-nic is that we spare us sending around more stuff via the netpipe in start.c. Also, lxc-user-nic operates in both namespaces (the container's namespace and the host's namespace) via setns and so is guaranteed to retrieve the correct ifindex via if_nametoindex() which is a network namespace aware ioctl() call. While I'm pretty sure the ifindices for veth devices are identical across network namespaces I'm wary to rely on this. We need the ifindexes to guarantee safe deletion of unprivileged network devices via lxc-user-nic later on since we use them to identify the network devices in their corresponding network namespaces.
- Move the network device logging from the child to the parent. The child does not have all of the information about the network devices available, only the few bits it actually needs to know. The monitor process is the only process that needs all this information.
- The network creation code for privileged and unprivileged networks was previously mangled into one single function but at the same time some of the privileged code had additional functions that were called in other places in start.c. Let's divide and conquer and split out the privileged and unprivileged network creation into completely separate functions. This makes what's happening way more clear. This will also have no performance impact since either you are privileged and only execute the privileged network creation functions or you are unprivileged and only execute the unprivileged network creation functions.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
This is menial work but I'll thank myself later... a lot.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
We should not just record the ifindex for the container's veth device but also for the host's veth device. This is useful when {configuring,deconfiguring} veth devices and becomes crucial when calling our lxc-user-nic setuid helper where we rely on the ifindex to make decisions about whether we are licensed to perform certain operations on the veth device in question.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
If the user specified the lxc.net.[i].veth.pair attribute to request that the host side of a veth pair be given a specific name, let's log it at the trace level. Otherwise, if the user didn't specify lxc.net.[i].veth.pair, veth_attr.veth1 will contain the name of the host side veth device.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
When lxc-user-nic is called with the "delete" subcommand we need to make sure that we are actually privileged over the network namespace for which we are supposed to delete devices on the host. To this end we require that the path to the affected network namespace is passed. We then setns() to the network namespace and drop privilege to the caller's real user id. Then we try to delete the loopback interface which is not possible. If we are privileged over the network namespace this operation will fail with ENOTSUP. If we are not privileged over the network namespace we will get EPERM. This is the first part of the commit. As of now nothing guarantees that the caller does not just give us a random path to a network namespace it is privileged over.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
- 30 Aug, 2017 2 commits
-
-
Christian Brauner authored
This is the cause of the unnecessary extraneous slashes when creating cgroups. Our lxc.system.conf page also clearly shows "lxc/%n" as example, not "/lxc%n".
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Remove executable bit.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-