Commits · ec8449f8dcf3bdffd9600a6152aa067521e01baa · Chen Yisong / lxc

13 Aug, 2015 9 commits

c/r: get rid of dump_net_info() · ec8449f8

authored Aug 10, 2015

This was originally used to propagate the bridge and veth names across
hosts, but now we extract both from the container's config file, and
nothing reads the files that dump_net_info() writes, so let's just get rid
of them.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

ec8449f8

c/r: allow empty networks to be checkpointed/restored · 65b20221

authored Aug 10, 2015

Empty networks don't have anything (besides lo) for us to dump and restore,
so we should allow these as well.
Reported-by: Dietmar Maurer <dietmar@proxmox.com>
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

65b20221

gitignore: add TAGS files · 0efc06e7

authored Aug 10, 2015

Somehow our `make tags` target generates TAGS and not tags, so let's ignore
that too.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

0efc06e7

lxc_monitor: free @preg on error · 17706a46

authored Jul 12, 2015

reuse label cleanup since free(NULL) is a no-op
Signed-off-by: Arjun Sreedharan <arjun024@gmail.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

17706a46

pass on reboot flag and delete old veth on reboot · 8bee8851

authored Jul 27, 2015

When setting lxc.network.veth.pair to get a fixed interface
name the recreation of it after a reboot caused an EEXIST.
-) The reboot flag is now a three-state value. It's set to
1 to request a reboot, and 2 during a reboot until after
lxc_spawn where it is reset to 0.
-) If the reboot is set (!= 0) within instantiate_veth and
a fixed name is used, the interface is now deleted before
being recreated.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

8bee8851

Prevent from error on umount /proc if userns are used. · 8bea9fae
Przemek Rudy authored Jul 29, 2015
```
Signed-off-by: Przemek Rudy <prudy1@o2.pl>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
```
8bea9fae
Merge pull request #623 from christiaan/ephemeral_bind · 1f466bbb
Stéphane Graber authored Aug 13, 2015
```
Bind mount at different location
```
1f466bbb
Merge pull request #619 from alkino/contributing · 96fbe9e0
Stéphane Graber authored Aug 13, 2015
```
Fresh CONTRIBUTING
```
96fbe9e0
Merge pull request #577 from CameronNemo/systemd-instanced · f2a7f2a0
Stéphane Graber authored Aug 13, 2015
```
Add instanced systemd service
```
f2a7f2a0

07 Aug, 2015 1 commit

Bind mount at different location · 710035fd

authored Aug 07, 2015

Binding a directory at a different location in a ephemeral container is
currently not possible. Using a regular container it however is possible.
Signed-off-by: Christiaan Baartse <anotherhero@gmail.com>

710035fd

05 Aug, 2015 5 commits

Fresh CONTRIBUTING · 99777255
Nicolas Cornu authored Aug 05, 2015
```
Signed-off-by: Nicolas Cornu <nicolac76@yahoo.fr>
```
99777255
Merge pull request #615 from jirislaby/master · f20b99d3
Stéphane Graber authored Aug 05, 2015
```
templates: lxc-opensuse, use rpm to determine build version
```
f20b99d3
Merge pull request #614 from alkino/master · 061ed04e
Stéphane Graber authored Aug 05, 2015
```
Fix error message when cannot find an lxc-init
```
061ed04e

templates: lxc-opensuse, use rpm to determine build version · fe89217a

authored Aug 05, 2015

zypper info's output is not usable for several reasons:
* it is localized -- there is no "Version: " in my output
* it shows results both from the repo and local system

So use plain rpm to determine whether build is installed and if proper
version is in place.
Signed-off-by: Jiri Slaby <jslaby@suse.cz>

fe89217a

Fix error message when cannot find an lxc-init · 1e1d1dca

authored Aug 05, 2015

lxc-init has been renamed init.lxc so adapt error message
Signed-off-by: Nicolas Cornu <ncornu@aldebaran.com>

1e1d1dca

04 Aug, 2015 6 commits
- lxc-alpine: fix verification of apk.static binary · e00f9e4e
  Natanael Copa authored Aug 03, 2015
```
We need specify which hashing algorithm was used to create the signature
we check.

Fixes #609
Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
```
  e00f9e4e
- Merge pull request #612 from brauner/lxc_rename · 2cfae585
  Stéphane Graber authored Aug 04, 2015
```
Add option to rename container to lxc-clone
```
  2cfae585
- Merge pull request #613 from ysbnim/master · b076d08b
  Stéphane Graber authored Aug 04, 2015
```
Update Korean manuals
```
  b076d08b
- doc: Add the description for --version to Korean common_options · 2aeb28ec
  Sungbae Yoo authored Aug 04, 2015
```
Update for commit 7cab33b1Signed-off-by: Sungbae Yoo <sungbae.yoo@samsung.com>
```
  2aeb28ec
- doc: Add the description for -P and --version to Korean lxc-ls(1) · 347597fa
  Sungbae Yoo authored Aug 04, 2015
```
Update for commit 2cf7c05aSigned-off-by: Sungbae Yoo <sungbae.yoo@samsung.com>
```
  347597fa
- doc: Update Korean lxc-usernet(5) for supporting usergroups · 996d7770
  Sungbae Yoo authored Jul 02, 2015
```
Update for commit 1940bff4Signed-off-by: Sungbae Yoo <sungbae.yoo@samsung.com>
```
  996d7770
03 Aug, 2015 6 commits
- Add option to rename container to lxc-clone · ef44c2f6
  Christian Brauner authored Aug 03, 2015
```
This commit adds an -R, --rename option to lxc-clone to rename a container. As
c->rename calls do_lxcapi_rename() which in turn calls do_lxcapi_clone() it
seemed best to implement it in lxc-clone rather than lxc-snapshot which also
calls do_lxcapi_clone(). Some additional unification regarding the usage of
return vs exit() in main() was done.
Signed-off-by: Christian Brauner <christianvanbrauner@gmail.com>
```
  ef44c2f6
- Merge pull request #610 from tenforward/update_man · bfec108c
  Stéphane Graber authored Aug 03, 2015
```
Update man pages
```
  bfec108c
- doc: Remove unnecessary common options from lxc-user-nic(1) · 7b4a6f97
  KATOH Yasufumi authored Aug 03, 2015
```
lxc-user-nic command cannot use common options.
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
```
  7b4a6f97
- doc: Add the description for --version to English and Japanese common_options · 7cab33b1
  KATOH Yasufumi authored Aug 03, 2015
```
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
```
  7cab33b1
- doc: Add the description for -P and --version to English and Japanese lxc-ls(1) · 2cf7c05a
  KATOH Yasufumi authored Aug 03, 2015
```
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
```
  2cf7c05a
- Merge pull request #608 from brauner/lxc_ls_doc · ee5aee22
  Stéphane Graber authored Aug 03, 2015
```
Add -P lxcpath and --version to lxc-ls manpage
```
  ee5aee22
01 Aug, 2015 1 commit

Add -P lxcpath and --version to lxc-ls manpage · a4cd509b

authored Aug 01, 2015

lxc-ls takes -P lxcpath and --version as arguments but it did not specify these
options on the manpages.
Signed-off-by: Christian Brauner <christianvanbrauner@gmail.com>

a4cd509b

29 Jul, 2015 1 commit
- Merge pull request #600 from Blub/wbumiller/seccomp · e88ba17e
  Serge Hallyn authored Jul 28, 2015
```
seccomp: simplify and fix rule parsing
```
  e88ba17e
23 Jul, 2015 1 commit

seccomp: simplify and fix rule parsing · d6417887

authored Jul 23, 2015

1) Two checks on amd64 for whether compat_ctx has already
been generated were redundant, as compat_ctx is generally
generated before entering the parsing loop.

2) With introduction of reject_force_umount the check for
whether the syscall has the same id on both native and
compat archs results in false behavior as this is an
internal keyword and thus produces a -1 on
seccomp_syscall_resolve_name_arch().
The result was that it was added to the native architecture
twice and never to the 32 bit architecture, causing it to
have no effect on 32 bit containers on 64 bit hosts.

3) I do not see a reason to care about whether the syscalls
have the same number on the two architectures. On the one
hand this check was there to avoid adding it to two archs
(and effectively leaving one arch unprotected), while on
the other hand it seemed to be okay to add it to the
same arch *twice*.

The entire architecture checking branches are now reduced to
three simple cases: 'native', 'non-native' and 'all'. With
'all' adding to both architectures regardless of the syscall
ID.

Also note that libseccomp had a bug in its architecture
checking, so architecture related filters weren't working as
expected before version 2.2.2, which may have contributed to
the confusion in the original architecture-related code.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

d6417887

22 Jul, 2015 3 commits

Fix Android build due to missing constant · f5fd66f7
Stéphane Graber authored Jul 22, 2015
```
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
```
f5fd66f7

CVE-2015-1334: Don't use the container's /proc during attach · 5c3fcae7

authored Jul 16, 2015

A user could otherwise over-mount /proc and prevent the apparmor profile
or selinux label from being written which combined with a modified
/bin/sh or other commonly used binary would lead to unconfined code
execution.

Reported-by: Roman Fiedler
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

5c3fcae7

CVE-2015-1331: lxclock: use /run/lxc/lock rather than /run/lock/lxc · 72cf81f6

authored Jul 03, 2015

This prevents an unprivileged user to use LXC to create arbitrary file
on the filesystem.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

72cf81f6

21 Jul, 2015 2 commits

Merge pull request #597 from smoser/ubuntu-cloud-vendordata · f52c0d26
Stéphane Graber authored Jul 21, 2015
```
lxc-ubuntu-cloud: support passing vendor-data
```
f52c0d26

lxc-ubuntu-cloud: support passing vendor-data · 5d066f24

authored Jul 21, 2015

vendor-data is supported in Ubuntu cloud images in trusty and later.
This allows the user to pass it in on create or clone.
Signed-off-by: Scott Moser <smoser@ubuntu.com>

5d066f24

20 Jul, 2015 1 commit
- Merge pull request #581 from Blub/master · b9efb0c9
  Stéphane Graber authored Jul 19, 2015
```
Use /dev/loop-control if it exists
```
  b9efb0c9
19 Jul, 2015 4 commits

lxc-fedora: Default to 22 but use 20 squashfs · f71e8f41

authored Jul 18, 2015

The Fedora 22 squashfs doesn't appear to work, the Fedora 21 isn't
available, so lets use the fedora archive mirror and pull the good old
Fedora 20 squashfs.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

f71e8f41

Default to Fedora 21 as 22 no longer uses yum · c28d2f44
Stéphane Graber authored Jul 18, 2015
```
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
```
c28d2f44

Fix fedora some more · b65c5374

authored Jul 18, 2015

Apparently the paths have changed on the rsync server.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

b65c5374

Fedora 20 no longer exists on the mirrors · 29be874c
Stéphane Graber authored Jul 18, 2015
```
Switch to Fedora 22 for now.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
```
29be874c