- 17 Nov, 2016 22 commits
-
-
tw19881113@gmail.com authored
jenkins: ok to test
Signed-off-by: Tw <tw19881113@gmail.com>
-
Danil Osherov authored
As lxc_attach() calls fork() PyOS_AfterFork should be called in the new process if the Python interpreter will continue to be used.
Signed-off-by: Danil Osherov <shindo@yandex-team.ru>
-
Eva Charlotte Mayer authored
Signed-off-by: Eva Charlotte Mayer <eva-charlotte.mayer@posteo.de>
-
Wesley M authored
Signed-off-by: Wesley Marques <wesleymr.27@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Andre McCurdy authored
zgrep is a script provided by the 'gzip' package, which may not be installed on embedded systems etc which use busybox instead of the standard full-featured utilities.
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
-
Li Qiu authored
Physical nic is not instantiated in lxc_create_network
Signed-off-by: Li Qiu <li.qiu@nomovok.com>
-
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
-
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Serge Hallyn authored
Closes #712
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Serge Hallyn authored
This is to avoid: https://errors.ubuntu.com/problem/d640a68bf7343705899d7ca8c6bc070d477cd845
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
Christian Brauner authored
Check if symbols SCMP_ARCH_ARM and SCMP_ARCH_PPC are defined.
Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Serge Hallyn authored
Generally we enforce that a [arch] seccomp section can only be used on [arch]. However, on amd64 we allow [i386] sections for i386 containers, and there we also take [all] sections and apply them for both 32- and 64-bit. Do that also for ppc64 and arm64. This allows seccomp-protected armhf containers to run on arm64.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Serge Hallyn authored
In which case lxc will not update the apparmor profile at all.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
fli authored
The commit: e5848d39 <netdev_move_by_index: support wlan> only made netdev_move_by_name support wlan, instead of netdev_move_by_index. Given netdev_move_by_name is a wrapper of netdev_move_by_index, so here replacing all of the call to lxc_netdev_move_by_index with lxc_netdev_move_by_name to let lxc-start support wlan phys.
Signed-off-by: fupan li <fupan.li@windriver.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Stéphane Graber authored
This is currently breaking our daily image builds which happen in a perfectly clean environment without a Debian keyring and without anything in /var/cache/lxc
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
-
Serge Hallyn authored
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
Serge Hallyn authored
It breaks container starts. This reverts commit 473ebc77.
-
Serge Hallyn authored
Commit b6b2b194 preserves the container's namespaces for possible later use in stop hook. But some kernels don't have /proc/pid/ns/ns for all the namespaces we may be interested in. So warn but continue if this is the case.
Implement stgraber's suggested semantics.
  - User requests some namespaces be preserved:
    - If /proc/self/ns is missing => fail (saying kernel misses setns)
    - If /proc/self/ns/<namespace> entry is missing => fail (saying kernel misses setns for <namespace>)
  - User doesn't request some namespaces be preserved:
    - If /proc/self/ns is missing => log an INFO message (kernel misses setns) and continue
    - If /proc/self/ns/<namespace> entry is missing => log an INFO message (kernel misses setns for <namespace>) and continue
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
Serge Hallyn authored
lxc uses uname to check the kernel version. Seccomp respects userspace. In the case of 32-bit userspace on 64-bit kernel, this was a bad combination. When we run into that case, make sure that the compat seccomp context is 32-bit, and the lxc->seccomp_ctx is the 64-bit.
Closes #654
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
Virgil Dupras authored
When running the debian template on a non-debian host, it's usual not to have debian-archive-keyring.gpg. When that happens, we skip the signature checking of the release, which is dangerous because it's made over HTTP. This commit adds automatic fetching of Debian release keys.
Strongly related to #409
Signed-off-by: Virgil Dupras <hsoft@hardcoded.net>
-
Fox Wilson authored
This fixes invocations of certain commands when python3 is installed in a nonstandard path (/usr/local/bin, for example).
Signed-off-by: Fox Wilson <2016fwilson@tjhsst.edu>
-
Serge Hallyn authored
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
- 12 Nov, 2015 1 commit
-
-
Stéphane Graber authored
  - Update list of supported releases
  - Make the fallback release trusty
  - Don't specify the compression algorithm (use auto-detection) so that people passing tarballs to the template don't see regressions.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
- 10 Nov, 2015 1 commit
-
-
KATOH Yasufumi authored
  * fix "reg" to "req" in English (fix for commit b8683fef)
  * change "opt" to "req" in Japanese
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
- 09 Nov, 2015 1 commit
-
-
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
-
- 06 Nov, 2015 12 commits
-
-
Jakub Sztandera authored
The systemd-sysctl service includes a condition that /proc/sys/ has to be read-write. In lxc only /proc/sys/net/ is read-write, which causes the condition to fail and the service not to run. This patch changes the check to /proc/sys/net/ and makes the service apply only rules that are in the net tree.
Signed-off-by: Jakub Sztandera <kubuxu@gmail.com>
-
Christian Brauner authored
Instead of duplicating the cleanup-code, once for success and once for failure, simply keep a variable fret which is -1 in the beginning and gets set to 0 on success or stays -1 on failure.
Signed-off-by: Christian Brauner <christianvanbrauner@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Christian Brauner authored
The mount_entry_overlay_dirs() and mount_entry_aufs_dirs() functions create workdirs and upperdirs for overlay and aufs lxc.mount.entry entries. They try to make sure that the workdirs and upperdirs can only be created under the containerdir (e.g. /path/to/the/container/CONTAINERNAME). In order to do this the right hand side of
    if ((strncmp(upperdir, lxcpath, dirlen) == 0) && (strncmp(upperdir, rootfs->path, rootfslen) != 0))
was thought to check if the rootfs->path is not present in the workdir and upperdir mount options. But the current check is bogus since it will be trivially true whenever the container is a block-dev or overlay or aufs backed since the rootfs->path will then have a form like e.g.
    overlayfs:/some/path:/some/other/path
This patch adds the function ovl_get_rootfs_dir() which parses rootfs->path by searching backwards for the first occurrence of the delimiter pair ":/". We do not simply search for ":" since it might be used in path names. If ":/" is not found we assume the container is directory backed and simply return strdup(rootfs->path).
Signed-off-by: Christian Brauner <christianvanbrauner@gmail.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Serge Hallyn authored
The lxc monitor does not store the container's cgroups, rather it recalculates them whenever needed. Systemd moves itself into a /init.scope cgroup for the systemd controller. It might be worth changing that (by storing all cgroup info in the lxc_handler), but for now go the hacky route and chop off any trailing /init.scope. I definitely think we want to switch to storing as that will be more bullet-proof, but for now we need a quick backportable fix for systemd 226 guests.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Christian Brauner authored
The mount_entry_create_*_dirs() functions currently assume that the rootfs of the container is actually named "rootfs". This has the consequence that
    del = strstr(lxcpath, "/rootfs");
    if (!del) {
            free(lxcpath);
            lxc_free_array((void **)opts, free);
            return -1;
    }
    *del = '\0';
will return NULL when the rootfs of a container is not actually named "rootfs". This means that we return -1 and do not create the necessary upperdir/workdir directories required for the overlay/aufs mount to work. Hence, let's not make that assumption. We now pass lxc_path and lxc_name to mount_entry_create_*_dirs() and create the path directly. To prevent failure we also have mount_entry_create_*_dirs() check that lxc_name and lxc_path are not empty when they are passed in.
Signed-off-by: Christian Brauner <christianvanbrauner@gmail.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Serge Hallyn authored
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Serge Hallyn authored
We didn't do it before, and it makes testcases fail.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
Serge Hallyn authored
lxc-usernsexec was using fd 0 and reopening it as 0,1,2 for the new task. If doing "lxc-usernsexec .. < script" this will corrupt the file 'script'.
Reported-by: Fiedler Roman <Roman.Fiedler@ait.ac.at>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Stéphane Graber authored
It's often been reported that the behavior of lxc-create without -t is a bit confusing. This change makes lxc-create require the --template option and introduces a new "none" special value which when set will fall back to the old template-less behavior.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
- 14 Oct, 2015 1 commit
-
-
Stéphane Graber authored
This makes stable-1.0, stable-1.1 and master all be in sync with regard to apparmor. This has the nice added benefit of fixing an apparmor regression with /dev/pts handling in some older kernels.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
-
- 07 Oct, 2015 2 commits
-
-
Wolfgang Bumiller authored
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Wolfgang Bumiller authored
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-