22 Aug, 2014 (5 commits)

Serge Hallyn authored
This prevents u2 from going into /home/u1/.local/share/lxc/u1/rootfs and running setuid-root applications to get write access to u1's container rootfs.
v2: set umask to 002 for the mkdir. Otherwise if umask happens to be, say, 022, then the user does not have write permissions under the container dir and creation of the $containerdir/partial file will fail.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Serge Hallyn authored
When we read a lxc.network.hwaddr line, if it contained any 'x's then those get quietly filled in at config_network_hwaddr. If that happens then we want to save the autogenerated hwaddr in the unexpanded config so that when we write it to disk, it is saved. This patch dumbly re-generates the network configuration in the unexp configuration every time we load a config file, just as we do after every clone.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

S.Çağlar Onur authored
Signed-off-by: S.Çağlar Onur <caglar@10ur.org>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

S.Çağlar Onur authored
Unprivileged users require the "-o user_subvol_rm_allowed" mount option for btrfs. Change the INFO level message to ERROR to make this clear; it now says the following:
[caglar@qop:~] lxc-destroy -n rubik
lxc_container: Is the rootfs mounted with -o user_subvol_rm_allowed?
lxc_container: Error destroying rootfs for rubik
Destroying rubik failed
Signed-off-by: S.Çağlar Onur <caglar@10ur.org>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Serge Hallyn authored
If we didn't find newuidmap, then simply require the caller to be root and write to /proc/self/uidmap manually. Checking for newgidmap to exist is bogus.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

19 Aug, 2014 (1 commit)

TAMUKI Shoichi authored
- If the "installpkg" command does not exist, lxc-plamo temporarily installs the command with a statically linked tar command into the lxc cache directory. The tar command does not refer to passwd/group files, which means that only a few files/directories are extracted with wrong user/group ownership. To avoid this, the installpkg command now uses the standard tar command in the system.
- Change mode to 666 for $rootfs/dev/null to allow write access for all users.
- Small fix in usage message.
Signed-off-by: TAMUKI Shoichi <tamuki@linet.gr.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: KATOH Yasufumi <karma@jazz.email.ne.jp>

18 Aug, 2014 (5 commits)

KATOH Yasufumi authored
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Stéphane Graber authored
This should avoid test failures when the machine running the tests has either very slow disks or a lot of data waiting to be flushed.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Serge Hallyn authored
See http://lkml.org/lkml/2014/8/13/746 and its history. The kernel now refuses mounts if we don't add ro,nosuid,nodev,noexec flags if they were already there. Also use the newly found info to skip remount if unneeded.
For background, if you want to create a read-only bind mount, then you must first mount(2) with MS_BIND to create the bind mount, then re-mount(2) again to get the new mount options to apply. So if this wasn't a bind mount, or no new mount options were introduced, then we don't do the second mount(2).
null_endofword() and get_field() were not changed, only moved up in the file.
(Note, while I can start containers inside a privileged container with this patch, most of the lxc tests still fail with the kernel in question; Andy's patch seems to still be needed - a kernel with it is available at https://launchpad.net/~serge-hallyn/+archive/ubuntu/userns-natty ppa:serge-hallyn/userns-natty)
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Serge Hallyn authored
A long enough lxcpath (and small PATH_MAX through crappy defines) can cause the creation of the string to be hashed to fail. So just use alloca to get a string of the size we need.
More importantly, while I can't explain it, if lxcpath is too long, setting sockname[sizeof(addr->sun_path)-2] to \0 simply doesn't seem to work. So set sockname[sizeof(addr->sun_path)-3] to \0, which does work.
With this, and with lxc.lxcpath = /opt/lxc0123456789/lxc0123456789/lxc0123456789/lxc0123456789/lxc0123456789/lxc0123456789/lxc0123456789/lxc0123456789/lxc0123456789/lxc0123456789 in /etc/lxc/lxc.conf, I can run lxc-wait just fine. Without it, it fails (as does lxc-start -d, which uses lxc_wait to verify the container started).
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Serge Hallyn authored
The container command socket is an abstract unix socket containing the lxcpath and container name. Those can be too long. In that case, use the hash of the lxcpath and lxcname. Continue to use the path and name if possible to avoid any back compat issues.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

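The two command-socket commits above describe building the abstract socket name from lxcpath and container name and falling back to a hash when it will not fit in sun_path. The following is an added example of that logic, not LXC's own code: it uses snprintf bounds instead of hand-placed NUL terminators, and the "/command" suffix, the "lxc/<hash>/command" fallback layout and the FNV-1a hash are assumptions; the long lxcpath is the one quoted in the commit message.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Constructed sample from the commit message above: 144 chars, longer than
 * the 108-byte sun_path on Linux. */
#define LONG_LXCPATH "/opt/lxc0123456789/lxc0123456789/lxc0123456789/lxc0123456789/lxc0123456789/lxc0123456789/lxc0123456789/lxc0123456789/lxc0123456789/lxc0123456789"
/* Assumed hash (FNV-1a 64-bit); LXC's own choice may differ. */
static uint64_t fnv1a_64(const char *s)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (; *s; s++) { h ^= (unsigned char)*s; h *= 0x100000001b3ULL; }
    return h;
}

/* Fill an abstract unix socket address for the command socket (byte 0 of
 * sun_path stays NUL). Returns 0 if "<lxcpath>/<name>/command" fit verbatim,
 * 1 if the hashed fallback was used, -1 on error. */
int fill_command_sockname(struct sockaddr_un *addr, const char *lxcpath, const char *name)
{
    char *sockname = &addr->sun_path[1];
    size_t avail = sizeof(addr->sun_path) - 1;                          /* after leading NUL */
    size_t need = strlen(lxcpath) + strlen(name) + sizeof("//command"); /* includes NUL */
    memset(addr, 0, sizeof(*addr));
    addr->sun_family = AF_UNIX;
    if (need <= avail) {
        int n = snprintf(sockname, avail, "%s/%s/command", lxcpath, name);
        return (n < 0 || (size_t)n >= avail) ? -1 : 0;
    }
    /* Too long: hash the full string (built on the heap, so PATH_MAX never
     * limits it) and use a fixed-length name instead. */
    char *full = malloc(need);
    if (!full)
        return -1;
    snprintf(full, need, "%s/%s/command", lxcpath, name);
    uint64_t h = fnv1a_64(full);
    free(full);
    int n = snprintf(sockname, avail, "lxc/%016llx/command", (unsigned long long)h);
    return (n < 0 || (size_t)n >= avail) ? -1 : 1;
}

/* Which form was used for these inputs: 0 verbatim, 1 hashed, -1 error. */
int sockname_form(const char *lxcpath, const char *name)
{
    struct sockaddr_un a;
    return fill_command_sockname(&a, lxcpath, name);
}
```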
16 Aug, 2014 (14 commits)

Stéphane Graber authored
This commit broke the testsuite for unprivileged containers as the container directory is now 0750 with the owner being the container root and the group being the user's group, meaning that the parent user can only enter the directory, not create entries in there. This reverts commit c86da6a3.

Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Micahel J. Evans authored
This is a hybrid between Micahel's original patch and me making the new debugging statements look like our existing ones.
Signed-off-by: "Micahel J. Evans" <mjevans1983@gmail.com>
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Denis Pynkin authored
- Added predefined package list if /etc/lxc/profiles/default is absent.
- Fixed syntax mistake in options list.
Signed-off-by: Denis Pynkin <dans@altlinux.ru>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Lars Wikberg authored
Signed-off-by: Lars Wikberg <lars.wikberg@anvia.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Jean-Tiare LE BIGOT authored
Signed-off-by: Jean-Tiare LE BIGOT <jean-tiare.le-bigot@ovh.net>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Jean-Tiare LE BIGOT authored
When "lxc.autodev = 1", LXC automatically creates a "/dev/.lxc/<name>.<hash>" folder to put the container's devices in so that they are visible from both the host and the container itself. On container exit (be it normal or not), this folder was not cleaned, which made the "/dev" folder grow continuously. We fix this by adding a new `int lxc_delete_autodev(struct lxc_handler *handler)` called from `static void lxc_fini(const char *name, struct lxc_handler *handler)`.
Signed-off-by: Jean-Tiare LE BIGOT <jean-tiare.le-bigot@ovh.net>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Serge Hallyn authored
This prevents u2 from going into /home/u1/.local/share/lxc/u1/rootfs and running setuid-root applications to get write access to u1's container rootfs.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Dwight Engen <dwight.engen@oracle.com>

Serge Hallyn authored
(Thanks, Dwight, this one looks right?) Make sure we reap our child at cgm_{s,g}et.
Changelog: Fix change in behavior on empty read from the do_cgm_get() helper that was spotted by Dwight.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Dwight Engen <dwight.engen@oracle.com>

S.Çağlar Onur authored
Raspberry Pi kernel finally supports all the bits required by LXC [1]. This patch makes "./configure --with-distro=raspbian" install the lxcbr0 based config file and upstart jobs. Also src/lxc/lxc.net now checks the existence of the lxc-dnsmasq user (and falls back to dnsmasq).
RPI users still need to pass the "MIRROR=http://archive.raspbian.org/raspbian/" parameter to lxc-create to pick the correct packages:
MIRROR=http://archive.raspbian.org/raspbian/ lxc-create -t debian -n rpi
[Could be applied to stable-1.0 if you cherry-pick 7157a508ba3015b830877a5e4d6ca9debb3fd064]
[1] https://github.com/raspberrypi/linux/issues/176
Signed-off-by: S.Çağlar Onur <caglar@10ur.org>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Serge Hallyn authored
This would have caught a regression in Ubuntu's 3.16 kernel.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Serge Hallyn authored
We were allocating sizeof(tree) instead of sizeof(*tree).
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Serge Hallyn authored
Actually, get rid of the temporary variables, and set newname and lxcpath to usable values if they were NULL.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

KATOH Yasufumi authored
Update for commit 96f15ca1
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

15 Aug, 2014 (1 commit)

Stéphane Graber authored
Before calling btrfs and playing with subvolumes, let's make sure the btrfs command is available.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

08 Aug, 2014 (11 commits)

Serge Hallyn authored
This is for the master branch, to fix a memleak on conf free.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Jean-Tiare LE BIGOT authored
When `lxc.autodev = 0` and an empty tmpfs is mounted on /dev and private pts are requested, we need to ensure '/dev/pts' exists before attempting to mount devpts on it.
Signed-off-by: Jean-Tiare LE BIGOT <jean-tiare.le-bigot@ovh.net>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Vincent Giersch authored
Signed-off-by: Vincent Giersch <vincent.giersch@ovh.net>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Vincent Giersch authored
Especially when using the Python API, the child process inherits the file descriptors of the script.
Signed-off-by: Vincent Giersch <vincent.giersch@ovh.net>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Jean-Tiare LE BIGOT authored
Signed-off-by: Jean-Tiare LE BIGOT <jean-tiare.le-bigot@ovh.net>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

rabisg authored
Signed-off-by: Rabi Shanker Guha <guha.rabishankar@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Kalman Olah authored
With the current old CentOS template, dnsmasq was not able to resolve the hostname of an lxc container after it had been created. This minor change rectifies that.
Signed-off-by: Kalman Olah <hello@kalmanolah.net>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Nikolay Martynov authored
Send container's hostname to dhcp server when getting ip address.
Signed-off-by: Nikolay Martynov <mar.kolya@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Michael Werner authored
Signed-off-by: Michael Werner <xaseron@googlemail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Serge Hallyn authored
They don't work right now, so until we fix that, don't allow it.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Serge Hallyn authored
/dev/shm must be turned from a directory into a symlink to /run/shm. The templates do this only if they find -d $rootfs/run/shm. Since /run will be a tmpfs, checking for it in the rootfs is silly. It also is currently broken as ubuntu cloud images have an empty /run.
(this should fix https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1353734)
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

06 Aug, 2014 (1 commit)

Serge Hallyn authored
v2: add get_config_item
clear_config_item is not supported, as it isn't for lxc.console, because you can do 'lxc.console.logfile =' to clear it. Likewise save_config is not needed because the config is now just written through the unexpanded char*.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

04 Aug, 2014 (2 commits)

Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Serge Hallyn authored
Originally, we only kept a struct lxc_conf representing the current container configuration. This was insufficient because lxc.include's were expanded, so a clone or a snapshot would contain the expanded include file contents, rather than the original "lxc.include". If the host's include files are updated, clones and snapshots would not inherit those updates.

To address this, we originally added a lxc_unexp_conf, which mirrored the lxc_conf, except that lxc.include was not expanded. This has its own shortcomings, however. In particular, if a lxc.include has a lxc.cgroup setting, and you use the api to say:

c.clear_config_item("lxc.cgroup")

this is not representable in the lxc_unexp_conf. (The original problem, which was pointed out to me by stgraber, was slightly different, but unlike this problem it was not unsolvable).

This patch changes the unexpanded configuration to be a textual representation of the configuration. This allows us to *order* the configuration commands, which is what was not possible using the struct lxc_conf *lxc_unexp_conf. The write_config() now becomes a simple fwrite. However, lxc_clone is slightly complicated in parts, the worst of which is the need to rewrite the network configuration if we are changing the macaddrs.

With this patch, lxc-clone and clear_config_item do the right thing. lxc-test-saveconfig and lxc-test-clonetest both pass.

There is room for improvement - multiple calls to c.append_config_item("lxc.network.link", "lxcbr0") will result in multiple such lines in the configuration file. In that particular case it is harmless. There may be cases where it is not. Overall, this should be a huge improvement in terms of correctness.

Changelog: Aug 1: updated to current lxc git head. All lxc-test* and python api tests passed.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>