1. 21 Sep, 2015 5 commits
    • Add a nesting.conf which can be included to support nesting containers (v2) · d8b1be98
      Serge Hallyn authored
      Newer kernels have added a new restriction:  if /proc or /sys on the
      host has files or non-empty directories which are over-mounted, and
      there is no /proc which is fully visible, then it assumes there is a
      "security" reason for this.  It prevents anyone in a non-initial user
      namespace from creating a new proc or sysfs mount.
      
      To work around this, this patch adds a new 'nesting.conf' which can be
      lxc.include'd from a container configuration file.  It adds a
      non-overmounted mount of /proc and /sys under /dev/.lxc, so that the
      kernel can see that we're not trying to *hide* things like /proc/uptime
      and /sys/devices/virtual/net.  If the host adds this to the config file
      for container w1, then container w1 will support unprivileged child
      containers.
      
      The nesting.conf file also sets the apparmor profile to the with-nesting
      variant, since that is required anyway.  This actually means that
      supporting nesting isn't really more work than it used to be, just
      different.  Instead of adding
      
      lxc.aa_profile = lxc-container-default-with-nesting
      
      you now just need to
      
      lxc.include = /usr/share/lxc/config/nesting.conf
      
      (Look, fewer characters :)
      
      Finally, in order to maintain the current apparmor protections on
      proc and sys, we make /dev/.lxc/{proc,sys} non-read/writeable.
      We don't need to be able to use them, we're just showing the
      kernel what's what.
      Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
      Acked-by: Stéphane Graber <stgraber@ubuntu.com>
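The commit above hinges on one observable condition: whether some proc or sysfs mount exists that has nothing mounted beneath it. The following is an added example, not code from the LXC project or from this commit, that reads a /proc/self/mountinfo-format file and reports, for every proc/sysfs mount, whether it is over-mounted, and whether a fully visible instance (such as the ones nesting.conf places under /dev/.lxc) exists. The function names and the sample mountinfo lines are this example's own constructions.

```shell
#!/bin/sh
# Added example (not LXC project code): classify proc/sysfs mounts from a
# /proc/self/mountinfo-format file. A mount is "overmounted" when another
# mount sits beneath its mount point, the condition the commit above says
# newer kernels treat as hiding proc/sys contents unless some fully visible
# instance exists. Function names and sample data are this example's own.

# Print "<mountpoint> <fstype> visible|overmounted" for each proc/sysfs mount.
# $1: mountinfo-format file (defaults to the live /proc/self/mountinfo).
classify_proc_sys_mounts() {
    awk '
    {
        # mountinfo field 5 is the mount point; the fs type follows the "-"
        # separator that ends the variable-length optional-fields list.
        fstype = ""
        for (i = 7; i <= NF; i++) if ($i == "-") { fstype = $(i + 1); break }
        n++; mps[n] = $5; types[n] = fstype
    }
    END {
        for (i = 1; i <= n; i++) {
            if (types[i] != "proc" && types[i] != "sysfs") continue
            state = "visible"
            for (j = 1; j <= n; j++)
                if (j != i && index(mps[j], mps[i] "/") == 1) state = "overmounted"
            print mps[i], types[i], state
        }
    }' "${1:-/proc/self/mountinfo}"
}

# Exit 0 if at least one mount of type $1 (proc or sysfs) is fully visible
# in mountinfo file $2; this is the property the nesting.conf mounts under
# /dev/.lxc are meant to provide.
has_visible_instance() {
    classify_proc_sys_mounts "$2" |
        awk -v t="$1" '$2 == t && $3 == "visible" { found = 1 } END { exit !found }'
}

# Constructed sample: a host whose /proc and /sys both carry submounts, plus
# the two read-only, unhidden copies under /dev/.lxc described in the commit.
write_sample_mountinfo() {
    cat > "$1" <<'EOF'
22 1 0:20 / /proc rw,nosuid,nodev,noexec - proc proc rw
23 1 0:21 / /sys rw,nosuid,nodev,noexec - sysfs sysfs rw
40 22 0:35 / /proc/sys/fs/binfmt_misc rw,relatime - binfmt_misc binfmt_misc rw
41 22 0:37 / /proc/uptime rw,relatime - fuse.lxcfs lxcfs rw
42 23 0:36 / /sys/fs/cgroup rw,nosuid,nodev,noexec - tmpfs tmpfs ro
50 1 0:20 / /dev/.lxc/proc ro,nosuid,nodev,noexec - proc proc rw
51 1 0:21 / /dev/.lxc/sys ro,nosuid,nodev,noexec - sysfs sysfs rw
EOF
}

# Usage: sh check-proc-visibility.sh --live   (inspect the running system)
if [ "${1-}" = "--live" ]; then
    classify_proc_sys_mounts
    has_visible_instance proc && echo "a fully visible proc mount exists"
    has_visible_instance sysfs && echo "a fully visible sysfs mount exists"
fi
```

Run with `--live` on a host to see why an unprivileged child container cannot mount a fresh proc: if every proc entry is reported as overmounted and no visible one exists, that is the kernel's condition, and the read-only /dev/.lxc/{proc,sys} mounts are what satisfy it without exposing anything the AppArmor profile already denies.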
    • doc: Add LXC-specific mount option in Japanese lxc.container.conf(5) · 6fd8be16
      KATOH Yasufumi authored
      Add the description of optional, create=file/dir for lxc.mount.entry.
      This is an update for commit f5b67b36.
      Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
      Acked-by: Stéphane Graber <stgraber@ubuntu.com>
    • coverity: fix mount_entry_create_dir_file · e3a1984d
      Serge Hallyn authored
      First, fix use of uninitialized variable 'ret'.  Then, actually use
      the value it returned in its caller.
      Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
    • Tear down network devices during container halt · 1f9ddb78
      Major Hayden authored
      On very busy systems, some virtual network devices won't be destroyed after a
      container halts.  This patch uses the lxc_delete_network() method to ensure
      that network devices attached to the container are destroyed when the
      container halts.
      
      Without the patch, some virtual network devices are left over on the system
      and must be removed with `ip link del <device>`.  This caused containers
      with lxc.network.veth.pair to not be able to start.  For containers using
      randomly generated virtual network device names, the old devices will hang
      around on the bridge with their original MAC address.
      Signed-off-by: Major Hayden <major@mhtx.net>
    • doc: Add the description of common options in lxc-destroy(1) · 3eafa2f7
      KATOH Yasufumi authored
      * Remove '-P' option, and common options (including '-P' option)
      * Add long option for '-f'
      * Improve Japanese translation
      Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
      Acked-by: Stéphane Graber <stgraber@ubuntu.com>