- 07 Aug, 2013 1 commit
-
-
Serge Hallyn authored
Signed-off-by:Serge Hallyn <serge.hallyn@ubuntu.com>
-
- 26 Jul, 2013 1 commit
-
-
Serge Hallyn authored
Several places think that the current cgroup will be NULL rather than "/" when we're in the root cgroup. Fix that. Signed-off-by:
-
- 23 Jul, 2013 3 commits
-
-
Serge Hallyn authored
Signed-off-by:
Stéphane Graber <stgraber@ubuntu.com>
-
Serge Hallyn authored
It uses the newuidmap and newgidmap program to start a shell in a mapped user namespace. While newuidmap and newgidmap are setuid-root, lxc-usernsexec is not. If new{ug}idmap are not available, then this program is not built or installed. Otherwise, it will be used to support creating, starting, destroying, etc containers by unprivileged users using their authorized subuids and subgids. Example: usernsexec -m u:0:100000:1 -- /bin/bash will, if the user is authorized to use subuid 100000, start a bash shell in a user namespace where 100000 on the host is mapped to root in the namespace, and the shell is running as (privileged) root. Signed-off-by: -
Serge Hallyn authored
If we are euid==0 or XDG_RUNTIME_DIR is not set, then use /run/lock/lxc/$lxcpath/$lxcname as before. Otherwise, use $XDG_RUNTIME_DIR/lock/lxc/$lxcpath/$lxcname. Signed-off-by:
-
- 22 Jul, 2013 5 commits
-
-
Serge Hallyn authored
When doing reboot test, must add clone_newuser to clone flags, else we can't clone(CLONE_NEWPID). If we don't have caps at lxc-start, don't refuse to start. Drop the lxc_caps_check() function altogether as it is unused now. Signed-off-by:
-
Serge Hallyn authored
This is needed if we're going to have unprivileged users create containers inside cgroups which they own. Signed-off-by:
-
Serge Hallyn authored
don't try to lock if using a specified tarball The lock/subsys/lxc-ubuntu-cloud lock is to protect the tarballs managed under /var/cache/lxc/cloud-$release. Don't lock if we've been handed a tarball. fake device creation Unprivileged users can't create devices, so bind mount null, tty, urandom and console from the host. Changelog: Jul 22: as Stéphane points out, remove a left-over debug line Signed-off-by:
-
Serge Hallyn authored
Just make sure we are root if we are asked to deal with something other than a directory, and make sure we have permission to create the container in the given lxcpath. The templates will need much more work. Signed-off-by:
-
Serge Hallyn authored
Up to now lxc-create ensured that you were running as root. Now the templates which require root need to do it for themselves. Templates which do mknod definately require root. Signed-off-by:
-
- 18 Jul, 2013 1 commit
-
-
Serge Hallyn authored
Signed-off-by:
-
- 17 Jul, 2013 1 commit
-
-
Serge Hallyn authored
The debugfs, fusectl, and securityfs may not be mounted inside a non-init userns. But mountall hangs waiting for them to be mounted. So just pre-mount them using $lxcpath/$name/fstab as bind mounts, which will prevent mountall from trying to mount them. If the kernel doesn't provide them, then the bind mount failure will be ignored, and mountall in the container will proceed without the mount since it is 'optional'. But without these bind mounts, starting a container inside a user namespace hangs. Signed-off-by:
-
- 16 Jul, 2013 4 commits
-
-
Dwight Engen authored
Signed-off-by:
Dwight Engen <dwight.engen@oracle.com> Signed-off-by:
-
John McFarlane authored
This commit increases the default timeout used by lxc-start-ephemeral from 5 to 10, and adds support for an LXC_IP_TIMEOUT override. Patchset 2: - Previous patch used a command line arg. Signed-off-by:
John McFarlane <john@rockfloat.com> Acked-by:
-
Serge Hallyn authored
Signed-off-by: -
Serge Hallyn authored
Otherwise (a) there is a memory leak when using user namespaces and clearing a config, and (b) saving a container configuration file doesn't maintain the userns mapping. For instance, if container c1 has lxc.id_map configuration entries, then python3 import lxc c=lxc.Container("c1") c.save_config("/tmp/config1") should show 'lxc.id_map =' entries in /tmp/config1. Changelog for v2: 1. fix incorrect saving of group types (s/'c'/'g') 2. fix typo -> idmap->type should be idmap->idtype Reported-by:
-
- 15 Jul, 2013 1 commit
-
-
Serge Hallyn authored
Define a sha1sum_file() function in utils.c. Use that in lxcapi_create to write out the sha1sum of the template being used. If libgnutls is not found, then the template sha1sum simply won't be printed into the container config. This patch also trivially fixes some cases where SYSERROR is used after a fclose (masking errno) and missing consts in mkdir_p. Signed-off-by:
-
- 12 Jul, 2013 4 commits
-
-
Serge Hallyn authored
Signed-off-by: -
Serge Hallyn authored
Signed-off-by: -
Serge Hallyn authored
If set, then fds 0,1,2 will be redirected while the creation template is executed. Note, as Dwight has pointed out, if fd 0 is redirected, then if templates ask for input there will be a problem. We could simply not redirect fd 0, or we could require that templates work without interaction. I'm assuming here that we want to do the latter, but I'm open to changing that. Reported-by:
"S.Çağlar Onur" <caglar@10ur.org> Acked-by:
-
zoolook authored
lxc-clone ignores size subfixes (K, M, G) when using -L parameter. The following is a quick patch to allow, for example, lxc-clone -L 10G. Signed-off-by:
Norberto Bensa <nbensa@gmail.com> Acked-by:
-
- 11 Jul, 2013 3 commits
-
-
Serge Hallyn authored
3.10 kernel comes with proper hierarchical enforcement of devices cgroup. To keep that code somewhat sane, certain things are not allowed. Switching from default-allow to default-deny and vice versa are not allowed when there are children cgroups. (This *could* be simplified in the kernel by checking that all child cgroups are unpopulated, but that has not yet been done and may be rejected) The mountcgroup hook causes lxc-start to break with 3.10 kernels, because you cannot write 'a' to devices.deny once you have a child cgroup. With this patch, (a) lxcpath is passed to hooks, (b) the cgroup mount hook sets the container's devices cgroup, and (c) setup_cgroup() during lxc startup ignores failures to write to devices subsystem if we are already in a child of the container's new cgroup. ((a) is not really related to this bug, but is definately needed. The followup work of making the other hooks use the passed-in lxcpath is still to be done) Signed-off-by: -
Serge Hallyn authored
1. If no template is passed in, then do not try to execute it. The user just wanted to write the configuration. 2. If template is passed in as a full path, then use that instead of constructing '$templatedir/lxc-$template'. Reported-by:
Wanlong Gao <gaowanlong@cn.fujitsu.com> Signed-off-by:
-
Serge Hallyn authored
Make it its own function to make both more readable. Signed-off-by:
-
- 10 Jul, 2013 4 commits
-
-
Dwight Engen authored
Signed-off-by:
-
Dwight Engen authored
This hook script updates the hostname in various files under /etc in the cloned container. In order to do so, the old container name is passed in the LXC_SRC_NAME environment variable. Signed-off-by:
-
Michael H. Warfield authored
Hey all! Patch for the Fedora template. Several things... 1) A month or so ago, I floated an idea of adding an option for utsname which Serge seemed to like but we let it float for more feedback (none came). 2) In private mail to Serge and Stéphane I mentioned the idea of using the CPE (Common Platform Enumeration) for host distro and version identification. I heard back from Serge but not Stéphane. CPE is a standard promoted by NIST and Mitre (along with CVE and CVSS) as part of the security community as a common identification mechanism. It's supported by RedHat based distros and many others (notable exception Ubuntu). I've patched the Fedora template to parse first the /etc/os-release file or, alternatively, the /etc/system-release-cpe file for the distro ID and version instead of the human readable /etc/redhat-release. There's more that can be done with that in the realm of cross distro container builds, I suspect. 3) At the time of working on 1&2 I noticed that the retry logic in the Fedora template just didn't seem right. I believe I posted a message asking for clarification on that behavior. A recently post in the -users list indicating that someone could not create a Fedora 19 container (because the release ver string was 19-2 and the template was only looking for -1) prompted me to rework the retry logic for handling the mirror list and servers as well as revamp the download logic to properly identify the correct release package. The patch for all of the above is attached below the jump. It's been tested on Fedora 17 through Fedora 19 hosts and has created containers for F11, F12, F13, F14, F16, F17, F18, and F19. F15 failed for rpm dependency issues that are not worth fixing (IMHO). Regards, Mike -- Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw@WittsEnd.com /\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it! -- Signed-off-by:
Michael H. Warfield <mhw@WittsEnd.com> Signed-off-by:
-
Dwight Engen authored
I noticed that if find_first_wholeword() is called with word at the very beginning of p, we will deref *(p - 1) to see if it is a word boundary. Fix by considering p = p0 to be a word boundary. Signed-off-by:
-
- 09 Jul, 2013 1 commit
-
-
Stéphane Graber authored
Just add an extra white line to both templates. Signed-off-by:
-
- 08 Jul, 2013 5 commits
-
-
Stéphane Graber authored
The new openssh uses a different mechanism to start/stop the daemon which in turn requires a few tweaks in our template to deal with both the new and old ways of doing that. Signed-off-by:
-
Stéphane Graber authored
The introduction of the new console() python API broke lxc-start-ephemeral's console(tty=1) call, I now changed that to console() which does the right thing with both API versions. This also adds a new storage-type option, letting the user choose to use a standard directory instead of tmpfs for the container (but still have it ephemeral). Signed-off-by: -
Stéphane Graber authored
Signed-off-by: -
Stéphane Graber authored
It turns out that most API users want some kind of timeout option for get_ips, so instead of re-implementing it in every single client software, let's just have it as a python overlay upstream. Signed-off-by: -
Dwight Engen authored
Commit a0a2066d introduced an lxc subdir into the lxc-init path, but this was never reflected in the sshd template. Add it there. Don't have ssh-keygen ask for passphrase since host keys are not supposed to use them. Don't try to symlink kmsg since /dev is bind mounted readonly. Read-only bind mount some extra /etc directories, and sysfs which are needed by dhclient on Fedora and Oracle Linux. Fix mounting of /proc. Find sshd in more places by adding some common paths to $PATH, and use the found path to it instead of hardcoded /usr/sbin. Check for ifconfig command, and print out container's IP address. Signed-off-by:
-
- 03 Jul, 2013 1 commit
-
-
Bogdan Purcareata authored
Signed-off-by:
Bogdan Purcareata <bogdan.purcareata@freescale.com> Signed-off-by:
-
- 01 Jul, 2013 3 commits
-
-
Dwight Engen authored
Signed-off-by:
-
Dwight Engen authored
commit 829dd918 added parsing of a -c argument to both the common options handling and to lxc-start. It is not a common option, and should have only been added to lxc-start. Because the common code is processing it, no other command can use -c. Remove -c from being processed by the common code. Tested that -c still works with lxc-start. Signed-off-by:
-
Serge Hallyn authored
unlikely as a failure may be... Signed-off-by:
-
- 28 Jun, 2013 1 commit
-
-
Natanael Copa authored
Use sed to set the specified alpine release in the copied /etc/apk/repositories Signed-off-by:
Natanael Copa <ncopa@alpinelinux.org> Signed-off-by:
-
- 27 Jun, 2013 1 commit
-
-
Kaarle Ritvanen authored
Signed-off-by:
Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> Signed-off-by:
-
