Commits · c756a6e91b6d6da2ff8a21b5a4ece26b05b99283 · Chen Yisong / lxc

13 Feb, 2014 12 commits

python3: Drop API warning and fix pep8/pyflakes3 · c756a6e9

authored Feb 13, 2014

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

c756a6e9

lxc-start-ephemeral: Use attach · 8158c057

authored Feb 13, 2014

With this change, systems that support it will use attach to run any
provided command.

This doesn't change the default behaviour of attaching to tty1, but it
does make it much easier to script or even get a quick shell with:
lxc-start-ephemeral -o p1 -n p2 -- /bin/bash

I'm doing the setgid,initgroups,setuid,setenv magic in python rather
than using the attach_wait parameters as I need access to the pwd module
in the target namespace to grab the required information.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

8158c057

Update rootfs README · 56930297
Stéphane Graber authored Feb 13, 2014
```
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
```
56930297
Fix crash in rename with undefined containers · d693cf93
Stéphane Graber authored Feb 13, 2014
```
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
```
d693cf93

lxc-ls: Add a few new columns · 63d4950f

authored Feb 13, 2014

This adds support for:
 - memory (total memory)
 - ram
 - swap
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

63d4950f

python3: Add missing get_running_config_item binding · 87d8dfe5

authored Feb 13, 2014

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

87d8dfe5

coverity: Do chdir following chroot · 6b9324bd

authored Feb 13, 2014

We used to do chdir(path), chroot(path). That's correct but not properly
handled coverity, so do chroot(path), chdir("/") instead as that's the
recommended way.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

6b9324bd

doc: Update lxc.container.conf(5) · 4473e38b

authored Feb 13, 2014

- Update Japanese man for commit a7c27357, seccomp v2
- Fix typo in English man
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

4473e38b

doc: Update Japanese man pages for aufs support · 48e49f08

authored Feb 13, 2014

Update lxc-clone(1) and lxc-snapshot(1) for commit 1f92162d
and improve some translations
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

48e49f08

overlayfs_clonepaths: if unpriv then rsync in a userns · 25190e5b

authored Feb 13, 2014

This allows lxc-snapshot and lxc-clone -s from an overlayfs container
to work unprivileged.  (lxc-clone -s from a directory backed container
already did work)
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

25190e5b

Add the seccomp examples to EXTRA_DIST · e9e0ec99
Stéphane Graber authored Feb 12, 2014
```
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
```
e9e0ec99

seccomp: extend manpage, and add examples · a7c27357

authored Feb 12, 2014

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

a7c27357

12 Feb, 2014 18 commits

seccomp: don't support v2 if seccomp_syscall_resolve_name_arch is not avilable · 2b0ae718

authored Feb 12, 2014

Also don't use arm arch if not defined

This *should* fix build so precise, but I didn't fire one off.
I did test that builds with libseccomp2 still work as expected.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

2b0ae718

Fix some configure.ac issues · 5a15791e

authored Feb 12, 2014

 - Run on distro without lsb_release
 - Don't try and interpret with_runtime_path as a command
 - Don't print stuff on screen while in the middle of a check
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

5a15791e

travis: Build using the daily PPA · 4d213bd3

authored Feb 12, 2014

Now that we depend on seccomp2, the backport currently in precise is too
old to allow for a succesful build, so instead use ppa:ubuntu-lxc/daily
which contains recent versions of all needed build-dependencies.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

4d213bd3

coverity: Check return value from open · 585ed6b1

authored Feb 12, 2014

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

585ed6b1

coverity: Drop dead code · af61c481

authored Feb 12, 2014

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

af61c481

coverity: Don't store fgets return value if we don't use it · 4ad9f44b
Stéphane Graber authored Feb 12, 2014
```
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
```
4ad9f44b

coverity: check return value of fcntl in usernsexec · 35e3a0cd

authored Feb 12, 2014

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

35e3a0cd

coverity: Always check mkdir_p's return value · 119126b6

authored Feb 12, 2014

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

119126b6

coverity: Check return value of fcntl in lxc_popen · 57d2be54

authored Feb 12, 2014

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

57d2be54

coverity: Free bdev in clone_update_rootfs · e7de366c

authored Feb 12, 2014

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

e7de366c

seccomp: introduce v2 policy (v2) · 50798138

authored Feb 12, 2014

v2 allows specifying system calls by name, and specifying
architecture.  A policy looks like:

2
whitelist
open
read
write
close
mount
[x86]
open
read

Also use SCMP_ACT_KILL by default rather than SCMP_ACT_ERRNO(31)  -
which confusingly returns 'EMLINK' on x86_64.  Note this change
is also done for v1 as I think it is worthwhile.

With this patch, I can in fact use a seccomp policy like:

2
blacklist
mknod errno 0

after which 'sudo mknod null c 1 3' silently succeeds without
creating the null device.

changelog v2:
  add blacklist support
  support default action
  support per-rule action
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

50798138

bdev: Add aufs support · 1f92162d

authored Feb 12, 2014

This is pretty much copy/paste from overlayfs.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

1f92162d

travis: Drop workaround introduced last week · e40bb7f4

authored Feb 12, 2014

Travis has now corrected the bug in their build environment so we no
longer need to force the autogen script through bash.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

e40bb7f4

lxc-start-ephemeral: Allow unprivileged run · a974fa76

authored Feb 12, 2014

This allows running lxc-start-ephemeral using overlayfs. aufs remains
blocked as it hasn't been looked at and patched to work in the kernel at
this point (not sure if it ever wil).
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

a974fa76

check for access to lxcpath · c8154066

authored Feb 11, 2014

The previous check for access to rootfs->path failed in the case of
overlayfs or loop backign stores.  Instead just check early on for
access to lxcpath.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

c8154066

Fix build failure (broken makefile) · 8b605e23
Stéphane Graber authored Feb 11, 2014
```
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
```
8b605e23

tests: Don't hardcode architecture · fd2b7320

authored Feb 11, 2014

If on Ubuntu, then match the host's own architecture, this should allow
for our tests to pass on the armhf CI environment.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

fd2b7320

tests: Add lxc-test-autostart · 45794802

authored Feb 11, 2014

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

45794802

11 Feb, 2014 5 commits

bdev: allow unprivileged overlayfs snapshots · a7ef8753

authored Feb 11, 2014

Also make sure to chown the new rootfs path to the container owner.
This is how we make sure that the container root is allowed to write
under delta0.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

a7ef8753

Add --with-runtime-path to configure · 061ba5d0

authored Feb 11, 2014

This allows older distros to override /run with whatever their own path
is, mostly useful for old RedHat and possibly Android.
Reported-by: Robert Vogelgesang <vogel@users.sourceforge.net>
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

061ba5d0

conf: Save lxc.network.ipv4 broadcast address · be660853

authored Feb 11, 2014

Reported-by: Robert Vogelgesang <vogel@users.sourceforge.net>
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

be660853

lxcapi-snapshot: don't snapshot directory-backed containers · 8c39f7a4

authored Feb 10, 2014

Instead force a copy clone.  Else if the user makes a change
to the original container, the snapshot will be affected.
The user should first create a snapshot clone, then use
and snapshot that clone while leaving the original container
untouched.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

8c39f7a4

warn about insufficient permissions · bbd23aa0

authored Feb 10, 2014

With this patch, if an unprivileged user has $HOME 700 or
750 and does

lxc-start -n c1

he'll see an error like:

lxc_container: Permission denied - could not access /home/serge.  Please grant it 'x' access, or add an ACL for t he container root.

(This addresses bug pad.lv/1277466)
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

bbd23aa0

10 Feb, 2014 1 commit

lxc-plamo: various small changes · ffeb76b4

authored Feb 08, 2014

- Change redirection of fd 200 to 9 (greater than 9 may conflict with
  fd the shell uses internally)
- Replace numeric line addressing of ed to regular expression to avoid
  correcting the line addressing at each modification of init scripts
- Correct the option order (trivial)
Signed-off-by: TAMUKI Shoichi <tamuki@linet.gr.jp>
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

ffeb76b4

08 Feb, 2014 2 commits
- travis: Workaround buggy build environment · 271d94a3
  Stéphane Graber authored Feb 07, 2014
```
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
```
  271d94a3
- Whitespace fix · e4399ab9
  Stéphane Graber authored Feb 07, 2014
```
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
```
  e4399ab9
07 Feb, 2014 2 commits

bionic: Define faccessat if missing · 5f7eba0b
Stéphane Graber authored Feb 07, 2014
```
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
```
5f7eba0b

add_device_node: act in a chroot · d5aa23e6

authored Feb 07, 2014

The goal is to avoid an absolute symlink in the guest redirecting
us to the host's /dev.  Thanks to the libvirt team for considering
that possibility!

We want to work on kernels which do not support setns, so we simply
chroot into the container before doing any rm/mknod.  If /dev/vda5
is a symlink to /XXX, or /dev is a symlink to /etc, this is now
correctly resolved locally in the chroot.

We would have preferred to use realpath() to check that the resolved
path is not changed, but realpath across /proc/pid/root does not
work as expected.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

d5aa23e6