- 05 Sep, 2017 5 commits
-
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
We allocate pty {master,slave} file descriptors in the child's namespaces after we have set up devpts. After we have sent the pty file descriptors to the parent and set up the pty file descriptors under /dev/tty*, and before we exec the init binary, we need to delete these file descriptors in the child. However, one of my commits made the deletion occur before setting up the file descriptors under /dev/tty*. This caused failures when trying to attach to the container's ttys since they weren't actually configured although the file descriptors were available in the in-memory configuration of the parent. This commit reworks setting up ttys such that deletion occurs after all setup has been performed. The commit is actually minimal but needs to also move all the functions into one place since they will now be called from "lxc_create_ttys()".

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Stéphane Graber authored
conf: record idmap that gets written
-
Christian Brauner authored
This will serve us well in the future!

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
- 04 Sep, 2017 9 commits
-
-
Stéphane Graber authored
start: document all handler fields
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Stéphane Graber authored
criu: add cmp_version()
-
Federico Briata authored
We cannot use strcmp(). Otherwise we incorrectly report e.g. that criu 2.12.1 is less than 2.8.

Signed-off-by: Federico Briata <federico-pietro.briata@cnhind.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
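As an added illustration of the comparison this commit calls for (example code written for this page, not LXC's own cmp_version()): strcmp() orders "2.12.1" before "2.8" because it compares the characters '1' and '8', so any criu version gate built on it silently breaks once a minor number reaches two digits. The version_cmp() below splits on dots and compares each component as a number; it treats a missing trailing component as 0 and ignores non-numeric suffixes such as "rc1", both of which are my assumptions about what a caller wants, not behaviour the commit specifies.

```c
#include <ctype.h>
#include <string.h>

/* Parse one dotted version component numerically. Digits are accumulated;
 * anything else up to the next '.' (e.g. "rc1" in "3.0rc1") is skipped, and
 * an exhausted string yields 0, so "2.8" compares equal to "2.8.0". */
static unsigned long next_component(const char **s)
{
	unsigned long v = 0;

	while (isdigit((unsigned char)**s)) {
		v = v * 10 + (unsigned long)(**s - '0');
		(*s)++;
	}
	while (**s && **s != '.')
		(*s)++;
	if (**s == '.')
		(*s)++;
	return v;
}

/* Compare two version strings component by component. Returns <0, 0 or >0
 * like strcmp(), but numerically: "2.12.1" > "2.8" and "1.10" > "1.9". */
int version_cmp(const char *a, const char *b)
{
	while (*a || *b) {
		unsigned long x = next_component(&a);
		unsigned long y = next_component(&b);

		if (x != y)
			return x < y ? -1 : 1;
	}
	return 0;
}

/* The check a caller actually wants: is the installed version new enough? */
int version_at_least(const char *have, const char *want)
{
	return version_cmp(have, want) >= 0;
}
```

Components are parsed into an unsigned long, so absurdly long numeric runs wrap; for a tool's own version output that is not a concern, but if the string comes from an untrusted source, bound the component length before trusting the comparison.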
-
Stéphane Graber authored
console: non-functional change
-
Stéphane Graber authored
conf: don't send ttys when none are configured
-
Christian Brauner authored
It is bad style to close an fd inside a function which didn't create it. Let's rather close it transparently in start.c.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Serge Hallyn authored
network: improvements + bugfixes
-
- 03 Sep, 2017 9 commits
-
-
Christian Brauner authored
Writes < PIPE_BUF will be atomic. PIPE_BUF is guaranteed to be 512 by POSIX and Linux guarantees 4096. Nothing we send around goes over this limit.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
I thought we could send all ttys at once but this limits the number of ttys users can use because of iovec_len restrictions. So let's send them in batches of 2.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
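The two commits above (bounding each message by PIPE_BUF, and sending tty descriptors in batches of two) describe the parent/child descriptor hand-off without showing the mechanics, so here is a self-contained version written for this page; it is not LXC's lxc_abstract_unix_send_fds()/recv_fds() and the FD_BATCH constant, function names and the one-byte payload are my choices. Descriptors cross a unix socket as SCM_RIGHTS ancillary data, each sendmsg() carrying at most FD_BATCH of them, and the receiver refuses a message whose control data was truncated or carries a different count than it expected, since the kernel has already installed (and, on truncation, closed) the surplus descriptors by then.

```c
#define _GNU_SOURCE
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define FD_BATCH 2 /* descriptors per message, as in the commit above */

/* Control buffer sized and aligned for at most FD_BATCH descriptors. */
union fd_cmsg { struct cmsghdr align; char buf[CMSG_SPACE(sizeof(int) * FD_BATCH)]; };

static int send_fd_batch(int sock, const int *fds, size_t n)
{
	char byte = 0; /* SCM_RIGHTS must travel with at least one data byte */
	struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
	union fd_cmsg u;
	struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = u.buf,
			      .msg_controllen = CMSG_SPACE(sizeof(int) * n) };
	struct cmsghdr *cmsg;

	memset(&u, 0, sizeof(u));
	cmsg = CMSG_FIRSTHDR(&msg);
	cmsg->cmsg_level = SOL_SOCKET;
	cmsg->cmsg_type = SCM_RIGHTS;
	cmsg->cmsg_len = CMSG_LEN(sizeof(int) * n);
	memcpy(CMSG_DATA(cmsg), fds, sizeof(int) * n);
	return sendmsg(sock, &msg, MSG_NOSIGNAL) == 1 ? 0 : -1;
}

static int recv_fd_batch(int sock, int *fds, size_t n)
{
	char byte;
	struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
	union fd_cmsg u;
	struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = u.buf,
			      .msg_controllen = sizeof(u.buf) };
	struct cmsghdr *cmsg;

	if (recvmsg(sock, &msg, MSG_CMSG_CLOEXEC) != 1)
		return -1;
	/* MSG_CTRUNC: the kernel already dropped descriptors that did not fit.
	 * Treat that, or any count other than the one we agreed on, as an error. */
	if (msg.msg_flags & MSG_CTRUNC)
		return -1;
	cmsg = CMSG_FIRSTHDR(&msg);
	if (!cmsg || cmsg->cmsg_level != SOL_SOCKET || cmsg->cmsg_type != SCM_RIGHTS ||
	    cmsg->cmsg_len != CMSG_LEN(sizeof(int) * n))
		return -1;
	memcpy(fds, CMSG_DATA(cmsg), sizeof(int) * n);
	return 0;
}

/* Move nfds descriptors in FD_BATCH-sized messages. Both sides must agree on
 * nfds; in LXC that count would come from the container configuration. */
int send_fds(int sock, const int *fds, size_t nfds)
{
	for (size_t off = 0; off < nfds; off += FD_BATCH)
		if (send_fd_batch(sock, fds + off, nfds - off < FD_BATCH ? nfds - off : FD_BATCH) < 0)
			return -1;
	return 0;
}

int recv_fds(int sock, int *fds, size_t nfds)
{
	for (size_t off = 0; off < nfds; off += FD_BATCH)
		if (recv_fd_batch(sock, fds + off, nfds - off < FD_BATCH ? nfds - off : FD_BATCH) < 0)
			return -1;
	return 0;
}

/* Self-check: pass nfds pipe read ends over a socketpair and read one marker
 * byte through each received copy. Returns how many arrived intact. */
int fd_roundtrip(size_t nfds)
{
	int sv[2], tx[nfds > 0 ? nfds : 1], rx[nfds > 0 ? nfds : 1], ok = 0;

	if (nfds == 0 || socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0, sv) < 0)
		return -1;
	for (size_t i = 0; i < nfds; i++) {
		int p[2];
		char c = (char)('a' + i % 26);

		if (pipe(p) < 0 || write(p[1], &c, 1) != 1)
			return -1;
		close(p[1]);
		tx[i] = p[0];
	}
	if (send_fds(sv[0], tx, nfds) == 0 && recv_fds(sv[1], rx, nfds) == 0) {
		for (size_t i = 0; i < nfds; i++) {
			char c = 0;

			if (read(rx[i], &c, 1) == 1 && c == (char)('a' + i % 26))
				ok++;
			close(rx[i]);
		}
	}
	for (size_t i = 0; i < nfds; i++)
		close(tx[i]);
	close(sv[0]);
	close(sv[1]);
	return ok;
}
```

Each batch is a separate message, so the receiver always knows the control buffer it needs in advance; the PIPE_BUF argument from the earlier commit is what keeps the data half of every message small enough that no message is ever split.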
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
lxc_mkifname() really doesn't need to allocate any memory.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Also move all functions to network.{c,h}.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Since find_line() was changed earlier, count_entries() started counting lines wrong. It would report maximum reached before you actually reached your allotted maximum.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
- 02 Sep, 2017 2 commits
-
-
Christian Brauner authored
Assume the db contained the following entries:

chb veth lxcbr0 veth1
chb veth lxcbr0 veth2
chb veth lxdbr0 veth3
chb veth lxdbr0 veth2
didi veth lxcbr0 veth4

And you request

cull_entries("chb", "veth", "lxdbr0", "veth3");

lxc-user-nic would wipe any entries that did not match irrespective of whether they existed or not. Let's fix that.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
The code before inserted \0-bytes after every new line which made the db basically unusable.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
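The three lxc-user-nic db commits above (cull_entries() wiping non-matching entries, \0-bytes inserted after every newline, and count_entries() miscounting lines) share one underlying structure: a text file of "user type link name" lines. The following is an added example written for this page, not lxc-user-nic's code, showing the behaviour those fixes aim at on a constructed copy of the db from the commit message: only entries equal to the request in all four fields are removed, each field is compared whole so "veth1" never matches "veth10", the output stays a single NUL-terminated string with '\n'-terminated lines, and the entry count is derived from newlines. The sample db, function names and the malloc'ed-output convention are assumptions of the example.

```c
#include <stdlib.h>
#include <string.h>

#define DB_FIELDS 4

/* Constructed sample db in the "user type link name" format from the commit
 * message above; not a real lxc-user-nic database. */
const char *sample_db =
	"chb veth lxcbr0 veth1\n"
	"chb veth lxcbr0 veth2\n"
	"chb veth lxdbr0 veth3\n"
	"chb veth lxdbr0 veth2\n"
	"didi veth lxcbr0 veth4\n";

/* Count entries (lines) in the db text; a final line without '\n' still counts. */
int count_entries(const char *db)
{
	int n = 0;
	size_t len = strlen(db);

	for (size_t i = 0; i < len; i++)
		if (db[i] == '\n')
			n++;
	if (len && db[len - 1] != '\n')
		n++;
	return n;
}

/* Non-zero if line[0..len) is exactly "user type link name"; every field is
 * compared whole, and lines with extra trailing fields are rejected. */
static int entry_matches(const char *line, size_t len, const char *const want[DB_FIELDS])
{
	const char *p = line, *end = line + len;

	for (int i = 0; i < DB_FIELDS; i++) {
		const char *f;
		size_t flen;

		while (p < end && *p == ' ')
			p++;
		f = p;
		while (p < end && *p != ' ')
			p++;
		flen = (size_t)(p - f);
		if (flen != strlen(want[i]) || memcmp(f, want[i], flen) != 0)
			return 0;
	}
	while (p < end && *p == ' ')
		p++;
	return p == end;
}

/* Copy db to a fresh buffer, dropping only the entries equal to the request.
 * Kept lines stay '\n'-terminated and the result is one NUL-terminated string
 * with no embedded NULs. Returns the number of entries removed, or -1 on
 * allocation failure; the caller frees *out. */
int cull_entries(const char *db, const char *user, const char *type,
		 const char *link, const char *name, char **out)
{
	const char *const want[DB_FIELDS] = { user, type, link, name };
	size_t o = 0;
	int removed = 0;
	char *buf = malloc(strlen(db) + 2);

	if (!buf)
		return -1;
	for (const char *p = db; *p;) {
		const char *nl = strchr(p, '\n');
		size_t len = nl ? (size_t)(nl - p) : strlen(p);

		if (entry_matches(p, len, want)) {
			removed++;
		} else {
			memcpy(buf + o, p, len);
			o += len;
			buf[o++] = '\n';
		}
		p += len + (nl ? 1 : 0);
	}
	buf[o] = '\0';
	*out = buf;
	return removed;
}
```

Whole-field comparison is the security-relevant part: a prefix match on the name or link column would let an unprivileged user's request delete another user's entry, which is exactly the over-deletion the commit fixes.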
-
- 01 Sep, 2017 9 commits
-
-
Christian Brauner authored
We use data_sock for all things we need to send around between parent and child now. It doesn't make sense to have so many different pipes and sockets if one will do just fine.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Dimitri John Ledkov authored
Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Dimitri John Ledkov authored
If netplan is present in the container, configure default networking with netplan instead of ifupdown. Also, do not install ifupdown when bootstrapping the minbase variant, unless using currently supported non-netplan releases (trusty, xenial, zesty).

Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
liblxc will now correctly log any network device names and ifindices in their respective network namespaces. So there's no need to record physical network devices any more. This spares us heap allocations and memory we need to have lying around until the container is shut down.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
On privileged network creation we only retrieved the names and ifindices of network devices in the host's network namespace. This meant that the monitor process was acting on possibly incorrect information. With this commit we have the child send back the correct device names and ifindices in the container's network namespace.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
This renames the socketpair() variable "ttysock" to "data_sock" since we will use it to send arbitrary data around, not just ttys anymore.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
All network devices can only be of size < IFNAMSIZ. So let's spare the useless heap allocations and use static memory.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
- 31 Aug, 2017 6 commits
-
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
- check for error on ifindex retrieval
- free allocated memory

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
- Retrieve the host's veth device ifindex in the host's network namespace.
- Add a note why we retrieve the container's veth device ifindex in the host's network namespace.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Serge Hallyn authored
lxc-user-nic: test privilege over netns on delete
-
Christian Brauner authored
- On unprivileged veth network creation have lxc-user-nic send the names of the veth devices and their respective ifindices. The advantage of retrieving this information from lxc-user-nic is that we spare us sending around more stuff via the netpipe in start.c. Also, lxc-user-nic operates in both namespaces (the container's namespace and the host's namespace) via setns and so is guaranteed to retrieve the correct ifindex via if_nametoindex(), which is a network-namespace-aware ioctl() call. While I'm pretty sure the ifindices for veth devices are identical across network namespaces, I'm wary to rely on this. We need the ifindices to guarantee safe deletion of unprivileged network devices via lxc-user-nic later on since we use them to identify the network devices in their corresponding network namespaces.
- Move the network device logging from the child to the parent. The child does not have all of the information about the network devices available, only the few bits it actually needs to know. The monitor process is the only process that needs all this information.
- The network creation code for privileged and unprivileged networks was previously mangled into one single function, but at the same time some of the privileged code had additional functions that were called in other places in start.c. Let's divide and conquer and split out the privileged and unprivileged network creation into completely separate functions. This makes what's happening way more clear. This will also have no performance impact since either you are privileged and only execute the privileged network creation functions or you are unprivileged and only execute the unprivileged network creation functions.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-