Commits · d1783ef4d0fb1c6e1e9ab9876c46bb6814da4d18 · Chen Yisong / lxc

30 Mar, 2020 1 commit

cgroups: handle older kernels (e.g. v4.9) · d1783ef4

authored Mar 30, 2020

On olders kernels the restrictions to move processes between cgroups are
different than they are on newer kernels. Specifically, we're running into the
following check:

if (!uid_eq(cred->euid, GLOBAL_ROOT_UID) &&
    !uid_eq(cred->euid, tcred->uid) &&
    !uid_eq(cred->euid, tcred->suid))
        ret = -EACCES;

which dictates that in order to move a process into a cgroup one either needs
to be global root (no restrictions apply) or the effective uid of the process
trying to move the process and the {saved}uid of the process that is supposed
to be moved need to be identical. The new attaching logic we did didn't
fulfill this criterion for because it's not present on new kernels.

Closes https://github.com/lxc/lxd/issues/7104.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

d1783ef4

28 Mar, 2020 7 commits
- Merge pull request #3338 from brauner/2020-03-28/fixes · 6821739c
  Stéphane Graber authored Mar 28, 2020
```
tree-wide: fixes
```
  6821739c
- tree-wide: s/recursive_destroy/lxc_rm_rf/g · 8408a9cc
  Christian Brauner authored Mar 28, 2020
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  8408a9cc
- cgroups: better helper naming · de6fe132
  Christian Brauner authored Mar 28, 2020
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  de6fe132
- cgroups: move check for valid monitor process up · c468e4d4
  Christian Brauner authored Mar 28, 2020
```
Cc: cenxianlong <cenxianlong@huawei.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  c468e4d4
- Merge pull request #3337 from bale-cen/master · 24e84b34
  Christian Brauner authored Mar 28, 2020
```
monitor process exited by signal SIGKILL, clean cgroup resource by th…
```
  24e84b34
- Merge pull request #3336 from brauner/2020-03-28/fixes · c396f8e6
  Stéphane Graber authored Mar 27, 2020
```
cgroups: please compilers
```
  c396f8e6
- monitor process exited by signal SIGKILL, clean cgroup resource by third party · 8fcb908d
  cenxianlong authored Mar 28, 2020
```
Writing the value 0 to a cgroup.procs file causes the
writing process to be moved to the corresponding cgroup
Signed-off-by: cenxianlong <cenxianlong@huawei.com>
```
  8fcb908d
27 Mar, 2020 18 commits

cgroups: please compilers · 5045306b
Christian Brauner authored Mar 28, 2020
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
5045306b
Merge pull request #3335 from brauner/2020-03-27/fixes · 3021b574
Stéphane Graber authored Mar 27, 2020
```
cgroups: use hidden directory for attaching cgroup
```
3021b574
cgroups: use hidden directory for attaching cgroup · 275e8ef8
Christian Brauner authored Mar 27, 2020
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
275e8ef8
Merge pull request #3333 from brauner/2020-03-27/fixes · 334c3bfe
Stéphane Graber authored Mar 27, 2020
```
conf: simplify userns_exec_minimal()
```
334c3bfe
conf: simplify userns_exec_minimal() · dbfcdf86
Christian Brauner authored Mar 27, 2020
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
dbfcdf86
Merge pull request #3332 from brauner/2020-03-27/fixes · 64e4f715
Stéphane Graber authored Mar 27, 2020
```
attach: fixes
```
64e4f715
conf: introduce and use userns_exec_minimal() · edf88289
Christian Brauner authored Mar 27, 2020
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
edf88289
Revert "cgroups: fix unified cgroup attach" · 4b86fefd
Christian Brauner authored Mar 27, 2020
```
This reverts commit ba7ca43b.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
4b86fefd
Merge pull request #3331 from brauner/2020-03-27/fixes · c0c183b3
Stéphane Graber authored Mar 27, 2020
```
tree-wide: fixes
```
c0c183b3

fixup i/o handler return values · f7a97743

authored Mar 27, 2020

Particularly important for lxc_cmd_handler() handles client
input and should not be capable of canceling the main loop,
some syscall return values leaked through overlapping with
LXC_MAINLOOP_ERROR, causing unauthorized clients connecting
to the command socket to shutdown the main loop.

In turn, signal_handler() receiving unexpected
`signalfd_siginfo` struct sizes seems like a reason to bail
(since it's a kernel interface).
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

f7a97743

cgroups: fix unified cgroup attach · ba7ca43b

authored Mar 27, 2020

There's a fundamental problem with futexes and setid calls and the go runtime.
POSIX requires that when one thread setids all threas must setids and it uses
futexes and signals to synchronize the state across threads. This causes
deadlocks which means we can't use the pretty solution I first implemented.
Instead we need to chown after we create the directory. I might come up with
something smarter later but for now this will do.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

ba7ca43b

Merge pull request #3330 from brauner/2020-03-27/fixes · d4a5002b
Stéphane Graber authored Mar 27, 2020
```
conf: rework and fix leak in userns_exec_1()
```
d4a5002b
cgroups: remove unused variable · 0d113b16
Christian Brauner authored Mar 27, 2020
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
0d113b16
attach: use close_prot_errno_disarm() · 8bc2b675
Christian Brauner authored Mar 27, 2020
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
8bc2b675

cgroups: rework __cg_unified_attach() · 32908bfd

authored Mar 27, 2020

We didn't account for cgroup_attach() succeeding and just tried to attach to
the same cgroup again which doesn't make sense.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

32908bfd

cgroups: move pointer dereference after check · 7c2c435c
Christian Brauner authored Mar 27, 2020
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
7c2c435c
commands: log actual errno when lxc_cmd_get_cgroup2_fd() fails · a5263e59
Christian Brauner authored Mar 27, 2020
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
a5263e59
conf: rework and fix leak in userns_exec_1() · 766c5b6d
Christian Brauner authored Mar 27, 2020
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
766c5b6d

26 Mar, 2020 6 commits
- Merge pull request #3329 from brauner/2020-03-25/fixes · 8c6a7ee4
  Stéphane Graber authored Mar 26, 2020
```
cgroups: fix attaching to the unified cgroup
```
  8c6a7ee4
- cgroups: fix attaching to the unified cgroup · 7581a82f
  Christian Brauner authored Mar 26, 2020
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  7581a82f
- Merge pull request #3328 from brauner/2020-03-25/fixes · 45d6d89b
  Stéphane Graber authored Mar 26, 2020
```
tree-wide: fixes
```
  45d6d89b
- dir: improve dir backend · 65146c97
  Christian Brauner authored Mar 26, 2020
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  65146c97
- dir: use cleanup macro in dir_mount() · 0f2e3566
  Christian Brauner authored Mar 26, 2020
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  0f2e3566
- tree-wide: harden mount option parsing · a08bfbe3
  Christian Brauner authored Mar 26, 2020
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  a08bfbe3
25 Mar, 2020 4 commits
- Merge pull request #3327 from P-EB/master · 75688909
  Stéphane Graber authored Mar 25, 2020
```
lxc.service: Starts after remote-fs.target
```
  75688909
- [lxc.service] Starts after remote-fs.target to allow containers relying on remote FS to work · c82d7763
  Pierre-Elliott Bécue authored Mar 25, 2020
```
Signed-off-by: Pierre-Elliott Bécue <becue@crans.org>
```
  c82d7763
- lxc_init: add missing O_CLOEXEC · 591f6f44
  Christian Brauner authored Mar 25, 2020
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  591f6f44
- lxc_init: move main() down · ed586164
  Christian Brauner authored Mar 25, 2020
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  ed586164
24 Mar, 2020 4 commits
- configure.ac: Reset devel flag post-release · c40aa8c8
  Stéphane Graber authored Mar 24, 2020
```
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
```
  c40aa8c8
- Release LXC 4.0.0 · a8565bb4
  Stéphane Graber authored Mar 24, 2020
```
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
```
  a8565bb4
- Merge pull request #3325 from brauner/2020-03-24/fixes · cf4c6339
  Stéphane Graber authored Mar 24, 2020
```
make dist: add missing files
```
  cf4c6339
- Merge pull request #3324 from stgraber/master · 57bb83f0
  Christian Brauner authored Mar 24, 2020
```
lxc-download: Pre-release bump of compat
```
  57bb83f0