- 20 Sep, 2014 7 commits
-
-
Serge Hallyn authored
To ask cgmanager to chown files as an unpriv user, we must send the request from the container's namespace (with our own userid also mapped in). However when we create a new namespace then we must open a new dbus connection, so that our credential and the credential on the dbus socket match. Otherwise the proxy will refuse the request. Because we were warning about this failure but not exiting, the failure was not noticed until the unprivileged container went on to try to administer its cgroups, i.e. creating a container inside itself. Fix this by having the do_chown_cgroup create a new cgmanager connection. In order to reduce the number of connections, since the list of subsystems is global anyway, don't call do_chown_cgroup once for each controller, just call it once and have it run over all controllers. (This patch does not change the fact that we don't fail if the chown failed. I think we should change that, but let's do it in a later patch) Reported-by:
Stéphane Graber <stgraber@ubuntu.com> Signed-off-by:
Serge Hallyn <serge.hallyn@ubuntu.com> Acked-by:
-
S.Çağlar Onur authored
With the new hashed command socket names (e8589841), it's possible to have something like below; [caglar@qop:~/go/src/github.com/lxc/go-lxc(master)] cat /proc/net/unix | grep lxc 0000000000000000: 00000002 00000000 00010000 0001 01 53465 @lxc/d086e835c86f4b8d/command [...] list_active_containers reads /proc/net/unix to find all running containers but this new format no longer includes the container name or its lxcpath. This patch introduces two new commands (LXC_CMD_GET_NAME and LXC_CMD_GET_LXCPATH) and starts to use those in list_active_containers call. changes since v1: - added sanity check proposed by Serge Signed-off-by:
S.Çağlar Onur <caglar@10ur.org> Acked-by:
-
Daniel Miranda authored
distutils can't handle paths to source files containing '..'. It will try to navigate away from the build directory and fail. To fix that, before building the python module, transform all the path variables then cd to the srcdir, and set the build directory manually. This is hopefully the last needed fix to use separate build and source diretories. Signed-off-by:
Daniel Miranda <danielkza2@gmail.com> Acked-by:
-
Daniel Miranda authored
Now that default.conf is generated/linked during the configuration phase, it should not longer be removed in the 'clean' stage, or subsequent builds will fail. Only remove it during 'dist-clean'. Signed-off-by:
-
Stéphane Graber authored
Signed-off-by:
-
Stéphane Graber authored
Signed-off-by:
-
Denis Pynkin authored
Added check of services in container before start or stop. Added check of syslog config existence prior changing. Signed-off-by:
Denis Pynkin <dans@altlinux.org> Acked-by:
-
- 19 Sep, 2014 12 commits
-
-
Serge Hallyn authored
If statvfs does not exist, then don't recalculate mount flags at remount. If someone does need this, they could replace the code (only if !HAVE_STATVFS) with code parsing /proc/self/mountinfo (which exists in the recent git history) Signed-off-by:
-
Serge Hallyn authored
Same problem as we had with mount_entry(). lxc_mount_auto_mounts() sometimes does bind mount followed by remount to change options. With recent kernels it must pass any preexisting NODEV/NOSUID/etc flags. Signed-off-by:
-
Serge Hallyn authored
Use statvfs instead of parsing /proc/self/mountinfo to check for the flags we need to and into the msbind mount flags. This will be faster and the code is cleaner. Signed-off-by:
-
Daniel Miranda authored
Building LXC in a separate target directory, by running configure from outside the source tree, failed with multiple errors, mostly in the Python and Lua extensions, due to assuming the source dir and build dir are the same in a few places. To fix that: - Pre-process setup.py with the appropriate directories at configure time - Introduce the build dir as an include path in the Lua Makefile - Link the default container configuration file from the alternatives in the configure stage, instead of setting a variable and using it in the Makefile Signed-off-by:
-
Serge Hallyn authored
This prevents u2 from going into /home/u1/.local/share/lxc/u1/rootfs and running setuid-root applications to get write access to u1's container rootfs. v2: set umask to 002 for the mkdir. Otherwise if umask happens to be, say, 022, then user does not have write permissions under the container dir and creation of $containerdir/partial file will fail. Signed-off-by:
-
S.Çağlar Onur authored
Signed-off-by:
-
S.Çağlar Onur authored
Unprivileged users require "-o user_subvol_rm_allowed" mount option for btrfs. Make the INFO level message to ERROR to make it clear, which now says following; [caglar@qop:~] lxc-destroy -n rubik lxc_container: Is the rootfs mounted with -o user_subvol_rm_allowed? lxc_container: Error destroying rootfs for rubik Destroying rubik failed Signed-off-by:
-
TAMUKI Shoichi authored
- If "installpkg" command does not exist, lxc-plamo temporarily install the command with static linked tar command into the lxc cache directory. The tar command does not refer to passwd/group files, which means that only a few files/directories are extracted with wrong user/group ownership. To avoid this, the installpkg command now uses the standard tar command in the system. - Change mode to 666 for $rootfs/dev/null to allow write access for all users. - Small fix in usage message. Signed-off-by:
TAMUKI Shoichi <tamuki@linet.gr.jp> Acked-by:
KATOH Yasufumi <karma@jazz.email.ne.jp>
-
Serge Hallyn authored
A long enough lxcpath (and small PATH_MAX through crappy defines) can cause the creation of the string to be hashed to fail. So just use alloca to get the size string we need. More importantly, while I can't explain it, if lxcpath is too long, setting sockname[sizeof(addr->sun_path)-2] to \0 simply doesn't seem to work. So set sockname[sizeof(addr->sun_path)-3] to \0, which does work. With this, and with lxc.lxcpath = /opt/lxc0123456789/lxc0123456789/lxc0123456789/lxc0123456789/lxc0123456789/lxc0123456789/lxc0123456789/lxc0123456789/lxc0123456789/lxc0123456789 in /etc/lxc/lxc.conf, I can run lxc-wait just fine. Without it, it fails (as does lxc-start -d, which uses lxc_wait to verify the container started) Signed-off-by:
-
Serge Hallyn authored
The container command socket is an abstract unix socket containing the lxcpath and container name. Those can be too long. In that case, use the hash of the lxcpath and lxcname. Continue to use the path and name if possible to avoid any back compat issues. Signed-off-by:
-
KATOH Yasufumi authored
This commit is the same as the commit 18aa217b and 99e616a6 on master branch, except "ALL" keyword. Signed-off-by:
-
Stéphane Graber authored
Those aren't supported, it's just a lucky coincidence that they weren't causing problems. Signed-off-by:
-
- 18 Aug, 2014 3 commits
-
-
Stéphane Graber authored
This should avoid tests failure when the machine running the tests has either very slow disks or a lot of data waiting to be flushed. Signed-off-by: -
Serge Hallyn authored
See http://lkml.org/lkml/2014/8/13/746 and its history. The kernel now refuses mounts if we don't add ro,nosuid,nodev,noexec flags if they were already there. Also use the newly found info to skip remount if unneeded. For background, if you want to create a read-only bind mount, then you must first mount(2) with MS_BIND to create the bind mount, then re-mount(2) again to get the new mount options to apply. So if this wasn't a bind mount, or no new mount options were introduced, then we don't do the second mount(2). null_endofword() and get_field() were not changed, only moved up in the file. (Note, while I can start containers inside a privileged container with this patch, most of the lxc tests still fail with the kernel in question; Andy's patch seems to still be needed - a kernel with which is available at https://launchpad.net/~serge-hallyn/+archive/ubuntu/userns-natty ppa:serge-hallyn/userns-natty) Signed-off-by:
-
KATOH Yasufumi authored
Signed-off-by:
-
- 16 Aug, 2014 11 commits
-
-
Stéphane Graber authored
This commit broke the testsuite for unprivileged containers as the container directory is now 0750 with the owner being the container root and the group being the user's group, meaning that the parent user can only enter the directory, not create entries in there. This reverts commit c86da6a3.
-
Stéphane Graber authored
Signed-off-by: -
Micahel J. Evans authored
This is an hybrid between Micahel's original patch and me making the new debugging statements look like our existing ones. Signed-off-by:
"Micahel J. Evans" <mjevans1983@gmail.com> Signed-off-by:
-
Lars Wikberg authored
Signed-off-by:
Lars Wikberg <lars.wikberg@anvia.com> Acked-by:
-
Serge Hallyn authored
This prevents u2 from going into /home/u1/.local/share/lxc/u1/rootfs and running setuid-root applications to get write access to u1's container rootfs. Signed-off-by:
Dwight Engen <dwight.engen@oracle.com>
-
Serge Hallyn authored
(Thanks, Dwight, this one look right?) Make sure we reap our child at cgm_{s,g}et. Changelog: Fix change in behavior on empty read from the do_cgm_get() helper that was spotted by Dwight. Signed-off-by: -
S.Çağlar Onur authored
Raspberry Pi kernel finally supports all the bits required by LXC [1] This patch makes "./configure --with-distro=raspbian" to install lxcbr0 based config file and upstart jobs. Also src/lxc/lxc.net now checks the existence of the lxc-dnsmasq user (and fallbacks to dnsmasq) RPI users still need to pass "MIRROR=http://archive.raspbian.org/raspbian/" parameter to lxc-create to pick the correct packages MIRROR=http://archive.raspbian.org/raspbian/ lxc-create -t debian -n rpi [1] https://github.com/raspberrypi/linux/issues/176 stable-1.0: Cherry-picked from master minus the lxc-net change as lxc-net isn't available in LXC 1.0.x. Instead it is assumed that the distribution will take care of setting up the network (lxcbr0 in this case). Signed-off-by:
-
Serge Hallyn authored
This would have caught a regression in Ubuntu's 3.16 kernel. Signed-off-by:
-
Serge Hallyn authored
We were allocating sizeof(tree) instead of sizeof(*tree). Signed-off-by:
-
Serge Hallyn authored
Actually, get rid of the temporary variables, and set newname and lxcpath to usable values if they were NULL. Signed-off-by:
-
KATOH Yasufumi authored
Update for commit 96f15ca1Signed-off-by:
-
- 08 Aug, 2014 7 commits
-
-
Serge Hallyn authored
logpath has been supported through lxc-start command line, but not through the API. Since the lxc.console is now required to be a device, support lxc.console.logfile to be a simple file to which console output will be logged. clear_config_item is not supported, as it isn't for lxc.console, bc you can do 'lxc.console.logfile =' to clear it. (This patch is for stable-1.0) Signed-off-by:
-
Serge Hallyn authored
They don't work right now, so until we fix that, don't allow it. (This patch is for stable-1.0) Signed-off-by:
-
Jean-Tiare LE BIGOT authored
When `lxc.autodev = 0` and empty tmpfs is mounted on /dev and private pts are requested, we need to ensure '/dev/pts' exists before attempting to mount devpts on it. Signed-off-by:
Jean-Tiare LE BIGOT <jean-tiare.le-bigot@ovh.net> Acked-by:
-
Vincent Giersch authored
Signed-off-by:
Vincent Giersch <vincent.giersch@ovh.net> Acked-by:
-
Vincent Giersch authored
Especially when using the Python API, the child process inherits of the file descriptiors of the script. Signed-off-by:
-
Jean-Tiare LE BIGOT authored
Signed-off-by:
-
rabisg authored
Signed-off-by:
Rabi Shanker Guha <guha.rabishankar@gmail.com> Acked-by:
-
