- 13 Feb, 2014 17 commits
-
-
Stéphane Graber authored
Fix clang breakage. This reverts commit 7cd32872.
-
S.Çağlar Onur authored
Signed-off-by:
S.Çağlar Onur <caglar@10ur.org> Acked-by:
Stéphane Graber <stgraber@ubuntu.com>
-
S.Çağlar Onur authored
Signed-off-by:
-
Dwight Engen authored
The kernel's Documentation/devices.txt says that these symlinks should exist in /dev (they are listed in the "Compulsory" section). I'm not currently adding nfsd and X0R since they are required for iBCS, but they can be easily added to the array later if need be. Signed-off-by:
Dwight Engen <dwight.engen@oracle.com> Acked-by:
Michael H. Warfield <mhw@WittsEnd.com> Acked-by:
-
Stéphane Graber authored
This update will make it work unprivileged as well as testing a few of the new functions. Signed-off-by:
Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Stéphane Graber authored
Signed-off-by:
-
Stéphane Graber authored
With this change, systems that support it will use attach to run any provided command. This doesn't change the default behaviour of attaching to tty1, but it does make it much easier to script or even get a quick shell with: lxc-start-ephemeral -o p1 -n p2 -- /bin/bash I'm doing the setgid,initgroups,setuid,setenv magic in python rather than using the attach_wait parameters as I need access to the pwd module in the target namespace to grab the required information. Signed-off-by:
-
Stéphane Graber authored
Signed-off-by: -
Stéphane Graber authored
Signed-off-by: -
Stéphane Graber authored
This adds support for: - memory (total memory) - ram - swap Signed-off-by:
-
Stéphane Graber authored
Signed-off-by:
-
Stéphane Graber authored
We used to do chdir(path), chroot(path). That's correct but not properly handled coverity, so do chroot(path), chdir("/") instead as that's the recommended way. Signed-off-by: -
KATOH Yasufumi authored
- Update Japanese man for commit a7c27357, seccomp v2 - Fix typo in English man Signed-off-by:
KATOH Yasufumi <karma@jazz.email.ne.jp> Acked-by:
-
KATOH Yasufumi authored
Update lxc-clone(1) and lxc-snapshot(1) for commit 1f92162d and improve some translations Signed-off-by:
-
Serge Hallyn authored
This allows lxc-snapshot and lxc-clone -s from an overlayfs container to work unprivileged. (lxc-clone -s from a directory backed container already did work) Signed-off-by:
-
Stéphane Graber authored
Signed-off-by: -
Serge Hallyn authored
Signed-off-by:
-
- 12 Feb, 2014 18 commits
-
-
Serge Hallyn authored
Also don't use arm arch if not defined This *should* fix build so precise, but I didn't fire one off. I did test that builds with libseccomp2 still work as expected. Signed-off-by:
-
Stéphane Graber authored
- Run on distro without lsb_release - Don't try and interpret with_runtime_path as a command - Don't print stuff on screen while in the middle of a check Signed-off-by: -
Stéphane Graber authored
Now that we depend on seccomp2, the backport currently in precise is too old to allow for a succesful build, so instead use ppa:ubuntu-lxc/daily which contains recent versions of all needed build-dependencies. Signed-off-by: -
Stéphane Graber authored
Signed-off-by:
-
Stéphane Graber authored
Signed-off-by:
-
Stéphane Graber authored
Signed-off-by:
-
Stéphane Graber authored
Signed-off-by:
-
Stéphane Graber authored
Signed-off-by:
-
Stéphane Graber authored
Signed-off-by:
-
Stéphane Graber authored
Signed-off-by:
-
Serge Hallyn authored
v2 allows specifying system calls by name, and specifying architecture. A policy looks like: 2 whitelist open read write close mount [x86] open read Also use SCMP_ACT_KILL by default rather than SCMP_ACT_ERRNO(31) - which confusingly returns 'EMLINK' on x86_64. Note this change is also done for v1 as I think it is worthwhile. With this patch, I can in fact use a seccomp policy like: 2 blacklist mknod errno 0 after which 'sudo mknod null c 1 3' silently succeeds without creating the null device. changelog v2: add blacklist support support default action support per-rule action Signed-off-by:
-
Stéphane Graber authored
This is pretty much copy/paste from overlayfs. Signed-off-by:
-
Stéphane Graber authored
Travis has now corrected the bug in their build environment so we no longer need to force the autogen script through bash. Signed-off-by: -
Stéphane Graber authored
This allows running lxc-start-ephemeral using overlayfs. aufs remains blocked as it hasn't been looked at and patched to work in the kernel at this point (not sure if it ever wil). Signed-off-by:
-
Serge Hallyn authored
The previous check for access to rootfs->path failed in the case of overlayfs or loop backign stores. Instead just check early on for access to lxcpath. Signed-off-by:
-
Stéphane Graber authored
Signed-off-by: -
Stéphane Graber authored
If on Ubuntu, then match the host's own architecture, this should allow for our tests to pass on the armhf CI environment. Signed-off-by:
-
Stéphane Graber authored
Signed-off-by:
-
- 11 Feb, 2014 5 commits
-
-
Serge Hallyn authored
Also make sure to chown the new rootfs path to the container owner. This is how we make sure that the container root is allowed to write under delta0. Signed-off-by:
-
Stéphane Graber authored
This allows older distros to override /run with whatever their own path is, mostly useful for old RedHat and possibly Android. Reported-by:
Robert Vogelgesang <vogel@users.sourceforge.net> Signed-off-by:
-
Stéphane Graber authored
Reported-by:
-
Serge Hallyn authored
Instead force a copy clone. Else if the user makes a change to the original container, the snapshot will be affected. The user should first create a snapshot clone, then use and snapshot that clone while leaving the original container untouched. Signed-off-by:
-
Serge Hallyn authored
With this patch, if an unprivileged user has $HOME 700 or 750 and does lxc-start -n c1 he'll see an error like: lxc_container: Permission denied - could not access /home/serge. Please grant it 'x' access, or add an ACL for t he container root. (This addresses bug pad.lv/1277466) Signed-off-by:
-
