1. 18 Jun, 2017 22 commits
  2. 16 Jun, 2017 1 commit
  3. 15 Jun, 2017 1 commit
    • tree-wide: priority -> level · 4b73005c
      Christian Brauner authored
      When we merged the new logging function for the api we exposed the log level
      argument in the struct as "priority", which we actually requested to be changed
      to "level", which somehow didn't happen, and we missed it. Given that there
      has been no new liblxc release, let's fix it right now before it hits users.
      Also, take the chance to change the terminology in the log from "priority" to
      "level" globally. This is to prevent confusion with syslog's "priority"
      argument which we also support.
      Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
  4. 13 Jun, 2017 7 commits
    • Merge pull request #1618 from brauner/2017-06-06/kill_lxc_monitord · 74f04141
      Serge Hallyn authored
      start: kill lxc-monitord
    • tests: don't fail when no processes for user exist · d0ab6d91
      Christian Brauner authored
      Since we kicked lxc-monitord there will very likely be no user processes around
      anymore after all containers have been stopped. Which is a very very very good
      thing. So let's not error out when pkill doesn't find any processes.
      Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
    • commands: add lxc_cmd_state_server() · dbc9832d
      Christian Brauner authored
      An LXC container's lifecycle is regulated by the states STARTING, RUNNING,
      STOPPING, STOPPED, ABORTING. These states are tracked in the LXC handler and
      can be checked via appropriate functions in the command socket callback system.
      (The freezer stages are not part of a container's lifecycle since they are not
      recorded in the LXC handler. This might change in the future but given that the
      freezer controller will be removed from future cgroup implementations it is
      unlikely.) So far, LXC was using an external helper to track the states of a
      container (lxc-monitord). This solution was error prone. For example, the
      external state server would hang in various scenarios that seemed to be caused
      by either very subtle internal races or irritation of the external state server
      by signals.
      
      LXC will switch from an external state monitor (lxc-monitord) which serves as a
      state server for state clients to a native implementation using the individual
      container's command socket. This solution was discussed and outlined by Stéphane
      Graber and Christian Brauner during a LX{C,D} sprint.
      
      The LXC handler will gain an additional field to track state clients. In order
      for a state client to receive state notifications from the command server he
      will need to register himself via the lxc_cmd_state_server() function in the
      state client list. The state client list will be served by lxc_set_state()
      during the container's lifecycle. lxc_set_state() will also take care of
      removing any clients from the state list in the LXC handler once the requested
      state has been reached and sent to the client.
      In order to prevent races between adding and serving new state clients the state
      client list and the state field in the LXC handler will be protected by a lock.
      
      This commit effectively deprecates lxc-monitord. Instead of serving states to
      state clients via the lxc-monitord fifo and socket we will now send the state
      of the container via the container's command socket.
      lxc-monitord is still usable and will - for the sake of the lxc-monitor
      command - be kept around so that non-API state clients can still monitor the
      container during its lifecycle.
      Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
    • Merge pull request #1621 from leitao/master · 46d9789c
      Stéphane Graber authored
      lxc-alpine: Add support for ppc64le
  5. 12 Jun, 2017 5 commits
  6. 06 Jun, 2017 4 commits
    • Merge pull request #1588 from brauner/2017-05-26/update_opensuse_template · ddfb7c77
      Stéphane Graber authored
      lxc-opensuse: add Tumbleweed as supported release
    • Merge pull request #1578 from 0x0916/export-seccomp-filter-to-log · ab373bdf
      Christian Brauner authored
      seccomp: export the seccomp filter after loading it into the kernel successfully
    • API: expose function lxc_log_init · 73b910a3
      0x0916 authored
      Signed-off-by: 0x0916 <w@laoqinren.net>
    • seccomp: export the seccomp filter after loading it into the kernel successfully · 5107af32
      0x0916 authored
      When the log level is TRACE, this patch exports the seccomp
      filter to the log file.
      
      The output of `seccomp_export_pfc()` is human readable and this feature
      is useful for users to make sure their `seccomp configuration file` is
      right.
      
      Output for the default ubuntu container's seccomp filter is the
      following:
      
      ```
            lxc-start ubuntu 20170520024159.412 INFO     lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:238 - changed apparmor profile to lxc-container-default-cgns
      if ($arch == 3221225534)
        # filter for syscall "finit_module" (313) [priority: 65535]
        if ($syscall == 313)
          action ERRNO(1);
        # filter for syscall "open_by_handle_at" (304) [priority: 65535]
        if ($syscall == 304)
          action ERRNO(1);
        # filter for syscall "kexec_load" (246) [priority: 65535]
        if ($syscall == 246)
          action ERRNO(1);
        # filter for syscall "delete_module" (176) [priority: 65535]
        if ($syscall == 176)
          action ERRNO(1);
        # filter for syscall "init_module" (175) [priority: 65535]
        if ($syscall == 175)
          action ERRNO(1);
        # filter for syscall "umount2" (166) [priority: 65533]
        if ($syscall == 166)
          if ($a1.hi32 & 0x00000000 == 0)
            if ($a1.lo32 & 0x00000001 == 1)
              action ERRNO(13);
        # default action
        action ALLOW;
      if ($arch == 1073741827)
        # filter for syscall "finit_module" (350) [priority: 65535]
        if ($syscall == 350)
          action ERRNO(1);
        # filter for syscall "open_by_handle_at" (342) [priority: 65535]
        if ($syscall == 342)
          action ERRNO(1);
        # filter for syscall "kexec_load" (283) [priority: 65535]
        if ($syscall == 283)
          action ERRNO(1);
        # filter for syscall "delete_module" (129) [priority: 65535]
        if ($syscall == 129)
          action ERRNO(1);
        # filter for syscall "init_module" (128) [priority: 65535]
        if ($syscall == 128)
          action ERRNO(1);
        # filter for syscall "umount2" (52) [priority: 65534]
        if ($syscall == 52)
          if ($a1 & 0x00000001 == 1)
            action ERRNO(13);
        # default action
        action ALLOW;
      if ($arch == 3221225534)
        # filter for syscall "kexec_load" (1073742352) [priority: 65535]
        if ($syscall == 1073742352)
          action ERRNO(1);
        # filter for syscall "finit_module" (1073742137) [priority: 65535]
        if ($syscall == 1073742137)
          action ERRNO(1);
        # filter for syscall "open_by_handle_at" (1073742128) [priority: 65535]
        if ($syscall == 1073742128)
          action ERRNO(1);
        # filter for syscall "delete_module" (1073742000) [priority: 65535]
        if ($syscall == 1073742000)
          action ERRNO(1);
        # filter for syscall "init_module" (1073741999) [priority: 65535]
        if ($syscall == 1073741999)
          action ERRNO(1);
        # filter for syscall "umount2" (1073741990) [priority: 65534]
        if ($syscall == 1073741990)
          if ($a1 & 0x00000001 == 1)
            action ERRNO(13);
        # default action
        action ALLOW;
      action KILL;
            lxc-start ubuntu 20170520024159.412 NOTICE   lxc_start - start.c:start:1470 - Exec'ing "/sbin/init".
      ```
      Signed-off-by: 0x0916 <w@laoqinren.net>
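An added example, not part of this commit or of LXC's own code, showing how the PFC text that `seccomp_export_pfc()` writes to the log (as quoted above) can be parsed and checked: `parse_pfc` collects, per `$arch` block, the default action and each syscall rule with its errno and nested argument conditions, plus the unindented fallback action, and `missing_denials` reports which expected syscalls an architecture block does not actually reject. The sample is a constructed, abridged copy of the dump in the commit message, with the second block deliberately lacking the umount2 rule so the check has something to report.

```python
import re
# Constructed sample: an abridged copy of the PFC dump quoted in the commit above.
SAMPLE_PFC = """\
if ($arch == 3221225534)
  # filter for syscall "umount2" (166) [priority: 65533]
  if ($syscall == 166)
    if ($a1.hi32 & 0x00000000 == 0)
      if ($a1.lo32 & 0x00000001 == 1)
        action ERRNO(13);
  # default action
  action ALLOW;
if ($arch == 1073741827)
  # filter for syscall "init_module" (128) [priority: 65535]
  if ($syscall == 128)
    action ERRNO(1);
  # default action
  action ALLOW;
action KILL;
"""
ARCH_RE = re.compile(r"if \(\$arch == (\d+)\)")
RULE_RE = re.compile(r'# filter for syscall "(\w+)" \((\d+)\)')
COND_RE = re.compile(r"if \((\$a\d(?:\.\w+)?) & (0x[0-9a-fA-F]+) == (\d+)\)")
ACTION_RE = re.compile(r"action (\w+)(?:\((\d+)\))?;")
def parse_pfc(text):
    """Return (archs, fallback): per-$arch default action and rules, plus the column-0 action."""
    archs, fallback, arch, rule, in_default = {}, None, None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if m := ARCH_RE.match(line):            # new architecture block
            arch, rule = m.group(1), None
            archs[arch] = {"default": None, "rules": {}}
        elif m := RULE_RE.match(line):          # libseccomp's per-syscall comment
            rule = {"nr": int(m.group(2)), "action": None, "errno": None, "conds": []}
            archs[arch]["rules"][m.group(1)] = rule
        elif m := COND_RE.match(line):          # argument test nested under the rule
            rule["conds"].append(f"{m.group(1)} & {m.group(2)} == {m.group(3)}")
        elif line == "# default action":
            in_default, rule = True, None
        elif m := ACTION_RE.match(line):
            if raw == line:                     # unindented: taken when no arch matched
                fallback = m.group(1)
            elif in_default:
                archs[arch]["default"], in_default = m.group(1), False
            elif rule is not None:
                rule["action"], rule["errno"] = m.group(1), (int(m.group(2)) if m.group(2) else None)
    return archs, fallback

def missing_denials(archs, expected):  # per arch: expected syscalls not rejected with ERRNO
    return {a: sorted(n for n in expected if blk["rules"].get(n, {}).get("action") != "ERRNO")
            for a, blk in archs.items()}
```

Run it against a full TRACE-level dump by passing the text between the two log lines to `parse_pfc`; any non-empty list from `missing_denials` points at a rule that the configuration file did not produce for that architecture.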