Skip to content

L
lxc
Switch branch/tag
  1. 05 Feb, 2019 1 commit
  3. 01 Feb, 2019 3 commits
  5. 31 Jan, 2019 2 commits
  7. 29 Jan, 2019 2 commits
    • Merge pull request #2817 from Rachid-Koucha/patch-5 · 9fc6fd21
      Christian Brauner authored 
      More accurate error msg for template file
    • More accurate error msg for template file · b275efe3
      Rachid Koucha authored 
      When calling lxc-create, if the template exists but is not executable, we end with the following error messages which make believe that the template file does not exist when it is merely a execute access problem:

lxc-create: ctn00: utils.c: get_template_path: 918 No such file or directory - bad template: /.../lxc-busybox
lxc-create: ctn00: lxccontainer.c: do_lxcapi_create: 1786 Unknown template "/.../lxc-busybox"
lxc-create: ctn00: tools/lxc_create.c: main: 327 Failed to create container ctn00

Actually internally the errno is lost as the following code triggers a useless access to (strace output):

access("/.../lxc-busybox", X_OK) = -1 ENOENT (No such file or directory)

With the above fix, we get a more explicit error message when the template file is missing the "execute" bit:

lxc-create: bbc: utils.c: get_template_path: 917 Permission denied - Bad template pathname: /tmp/azerty
lxc-create: bbc: lxccontainer.c: do_lxcapi_create: 1816 Unknown template "/tmp/azerty"
lxc-create: bbc: tools/lxc_create.c: main: 331 Failed to create container bbc

With the above fix, we get a more explicit error message when the pathname of the template file is incorrect:

lxc-create: bbc: utils.c: get_template_path: 917 No such file or directory - Bad template pathname: /tmp/qwerty
lxc-create: bbc: lxccontainer.c: do_lxcapi_create: 1816 Unknown template "/tmp/qwerty"
lxc-create: bbc: tools/lxc_create.c: main: 331 Failed to create container bbc
Signed-off-by: 's avatarRachid Koucha <rachid.koucha@gmail.com>
  9. 28 Jan, 2019 4 commits
  11. 27 Jan, 2019 15 commits
  13. 26 Jan, 2019 6 commits
  15. 21 Jan, 2019 4 commits
    • Merge pull request #2794 from brauner/2019-01-21/revert_seccomp_fuckup · 5283a118
      Wolfgang Bumiller authored 
      Revert "seccomp: add rules for specified architecture only"
    • Revert "seccomp: add rules for specified architecture only" · 3e9671a1
      Christian Brauner authored 
      This reverts commit f1bcfc79.

The reverted branch breaks starting all seccomp confined containers. Not
even a containers with our standard seccomp profile starts correctly.
This is strong evidence that these changes have never been tested even
with a standard workload. That is unacceptable!

We are still happy to merge that feature but going forward we want tests
that verify that standard workloads and new features work correctly.
seccomp is a crucial part of our security story and I will not let the
be compromised by missing tests!
Signed-off-by: 's avatarChristian Brauner <christian.brauner@ubuntu.com>
    • Merge pull request #2786 from lifeng68/fix_seccomp · b6825c4b
      Christian Brauner authored 
      seccomp: add rules for specified architecture only
    • seccomp: add rules for specified architecture only · f1bcfc79
      LiFeng authored 
      If the architecture is specified in the seccomp configuration, like:
```
2
whitelist errno 1
[x86_64]
accept allow
accept4 allow
```
We shoud add rules only for amd64 instead of add rules for
x32/i386/amd64.

1. If the [arch] was not specified in seccomp config, add seccomp rules
for all all compat architectures.
2. If the [arch] specified in seccomp config irrelevant to native host
arch, the rules will be ignored.
3. If specified [all] in seccomp config, add seccomp rules for all
compat architectures.
4. If specified [arch] as same as native host arch, add seccomp rules
for the native host arch.
5. If specified [arch] was not native host arch, but compat to host
arch, add seccomp rules for the specified arch only, NOT add seccomp
rules for native arch.
Signed-off-by: 's avatarLiFeng <lifeng68@huawei.com>
  17. 18 Jan, 2019 3 commits