1. 09 Oct, 2014 2 commits
  2. 08 Oct, 2014 8 commits
    • systemd/selinux init scripts fixups · f3b8088d
      Dwight Engen authored
      - RHEL/OL 7 doesn't have the ifconfig command by default so have the
        lxc-net script check for its existence before use, and fall back
        to using the ip command if ifconfig is not available
      
      - When lxc-net is run from systemd on a system with selinux enabled,
        the mkdir -p ${varrun} will create /run/lxc as init_var_run_t which
        dnsmasq can't write its pid into, so we restorecon it
        after creation (to var_run_t)
      
      - The lxc-net systemd .service file needs an [Install] section so that
        "systemctl enable lxc-net" will work
      Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
    • lxc-checkpoint: close stdout/stdin when daemonizing · 7943ec56
      Tycho Andersen authored
      If we don't close these running lxc-checkpoint via:
      
      ssh host "sudo lxc-checkpoint ..."
      
      just hangs. We leave stderr open so that subsequent errors will print correctly
      (and also because for whatever reason it doesn't break ssh :).
      
      Signed-off-by: Tycho Andersen <tycho.andersen at canonical.com>
      Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
    • restore: create cgroups for criu · 2ba7a429
      Tycho Andersen authored
      Previously, we let criu create the cgroups for a container as it was restoring
      things. In some cases (i.e. migration across hosts), if the container being
      migrated was in /lxc/u1-3, it would be migrated to the target host in
      /lxc/u1-3, even if there was no /lxc/u1-2 (or worse, if there was already an
      alive container in u1-3).
      
      Instead, we use lxc's cgroup_create, and then tell criu where to restore to.
      Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
      Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
    • restore: Hoist handler to function level · dbb51a43
      Tycho Andersen authored
      On Tue, Oct 07, 2014 at 07:33:07PM +0000, Tycho Andersen wrote:
      > This commit is in preparation for the cgroups create work, since we will need
      > the handler in both the parent and the child. This commit also re-works how
      > errors are propagated to be less verbose.
      
      Here is an updated version:
      
      From 941623498a49551411ccf185146061f3f37d3a67 Mon Sep 17 00:00:00 2001
      From: Tycho Andersen <tycho.andersen@canonical.com>
      Date: Tue, 7 Oct 2014 19:13:51 +0000
      Subject: [PATCH 1/2] restore: Hoist handler to function level
      
      This commit is in preparation for the cgroups create work, since we will need
      the handler in both the parent and the child. This commit also re-works how
      errors are propagated to be less verbose.
      
      v2: rename error to has_error, handle it correctly, and remove some diff noise
      Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
      Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
    • criu: DECLARE_ARG should check for null arguments · 2566a145
      Tycho Andersen authored
      This is in preparation for the cgroups creation work, but also probably just a
      good idea in general. The ERROR message is handy since we print line nos.; it
      will give people an indication of what arg was null.
      Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
      Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
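      An added example of the NULL-checking argument macro this commit describes (illustration, not LXC's or criu's code): `argv_builder`, `add_arg`, `restore_opts` and `build_restore_argv` are constructed names, and the command line built is a stand-in. The macro records the caller's `__FILE__`/`__LINE__` so the log points at the exact `DECLARE_ARG` site that received a NULL, and the sticky `has_error` flag keeps a partially built argv from ever being executed.

```c
#include <stdio.h>
#include <string.h>
#define MAX_ARGS 16

/* Argument vector under construction with a sticky has_error flag, so one
 * bad argument fails the whole build instead of yielding a truncated argv. */
struct argv_builder {
	const char *argv[MAX_ARGS + 1];
	int argc;
	int has_error;
};

/* Append one argument.  A NULL is reported with the caller's file:line so
 * the offending DECLARE_ARG site is obvious from the log. */
static void add_arg(struct argv_builder *b, const char *arg,
		    const char *file, int line)
{
	if (arg == NULL) {
		fprintf(stderr, "%s:%d: NULL argument, refusing to add it\n", file, line);
		b->has_error = 1;
	} else if (b->argc >= MAX_ARGS) {
		fprintf(stderr, "%s:%d: too many arguments\n", file, line);
		b->has_error = 1;
	} else {
		b->argv[b->argc++] = arg;
	}
}

#define DECLARE_ARG(b, arg) add_arg((b), (arg), __FILE__, __LINE__)

/* Constructed options; images_dir is the field a caller may leave unset. */
struct restore_opts {
	const char *images_dir;
	const char *pidfile;
};

/* Build a criu-style restore command line (constructed, not LXC's code).
 * Returns argc, or -1 if any argument was NULL, so nothing execs a broken argv. */
int build_restore_argv(struct argv_builder *b, const struct restore_opts *opts)
{
	memset(b, 0, sizeof(*b));
	DECLARE_ARG(b, "criu");
	DECLARE_ARG(b, "restore");
	DECLARE_ARG(b, "-D");
	DECLARE_ARG(b, opts->images_dir);
	DECLARE_ARG(b, "--pidfile");
	DECLARE_ARG(b, opts->pidfile);
	b->argv[b->argc] = NULL;
	return b->has_error ? -1 : b->argc;
}
```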
    • lxc: don't call pivot_root if / is on a ramfs · 91e93c71
      Andrey Vagin authored
      pivot_root can't be called if / is on a ramfs. Currently chroot is
      called before pivot_root. In this case the standard well-known
      'chroot escape' technique allows escaping a container.
      
      I think the best way to handle this situation is to take the following actions:
      * clean all mounts, which should not be visible in CT
      * move CT's rootfs into /
      * make chroot into /
      
      I don't have a host, where / is on a ramfs, so I can't test this patch.
      Signed-off-by: Andrey Vagin <avagin@openvz.org>
      Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
    • cgmanager: several fixes · 956f113b
      Serge Hallyn authored
      These all fix various ways that cgroup actions could fail if an
      unprivileged user's cgroup paths were not all the same for all
      controllers.
      
      1. in cgm_{g,s}et, use the right controller, not the first in the list,
         to get the cgroup path.
      
      2. when we pass 'all' to cgmanager for a ${METHOD}_abs, make sure that all
         cgroup paths are the same.  That isn't necessary for methods not
         taking an absolute path, so split up the former
         cgm_supports_multiple_controllers() function into two booleans, one
         telling whether cgm supports it, and another telling us whether
         cgm supports it AND all controller cgroup paths are the same.
      
      3. separately, do_cgm_enter with abs=true couldn't work if all
         cgroup paths were not the same.  So just ditch that helper and
         call lxc_cgmanager_enter() where needed, because the special
         cases would be more complicated.
      Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
  3. 06 Oct, 2014 1 commit
  4. 02 Oct, 2014 1 commit
  5. 01 Oct, 2014 1 commit
  6. 29 Sep, 2014 5 commits
  7. 26 Sep, 2014 1 commit
    • Rework init scripts · 0af99319
      Michael H. Warfield authored
      This commit is based on the work of:
      Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
      
      A generic changelog would be:
       - Bring support for lxcbr0 to all distributions
       - Share the container startup and network configuration logic across
         distributions and init systems.
       - Have all the init scripts call the helper script.
       - Support for the various different distro-specific configuration
         locations to configure lxc-net and container startup.
      
      Changes on top of Mike's original version:
       - Remove sysconfig/lxc-net as it's apparently only there as a
         workaround for an RPM limitation and is breaking Debian systems by
         including a useless file which will get registered as a package provided
         conffile in the dpkg database and will therefore cause conffile prompts
         on upgrades...
       - Go with a consistent coding style in the various init scripts.
       - Split out the common logic from the sysvinit scripts and ship both in
         their respective location rather than have them be copies.
       - Fix the upstart jobs so they actually work (there's no such thing as
         libexec on Debian systems).
      Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
      Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
  8. 25 Sep, 2014 2 commits
  9. 24 Sep, 2014 7 commits
  10. 23 Sep, 2014 4 commits
  11. 22 Sep, 2014 6 commits
    • Fix the unprivileged tests cgroup management · 42e5c987
      Stéphane Graber authored
      To cover all the cases we have around, we need to:
       - Attempt to use cgm if present (preferred)
       - Attempt to use cgmanager directly over dbus otherwise
       - Fallback to cgroupfs
      Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
      Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>
    • Fix build error(ISO C90 specs violation) in lxc.c · dc18b2c9
      Masami Ichikawa authored
      This patch fixes the following build errors.
      
      running build_ext
      building '_lxc' extension
      creating build/temp.linux-x86_64-3.4
      gcc -pthread -Wno-unused-result -Werror=declaration-after-statement -DDYNAMIC_ANNOTATIONS_ENABLED=1 -DNDEBUG -g -fwrapv -O3 -Wall -Wstrict-prototypes -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong --param=ssp-buffer-size=4 -fPIC -I../../src -I../../src -I/usr/include/python3.4m -c lxc.c -o ./build/temp.linux-x86_64-3.4/lxc.o
      lxc.c: In function ‘convert_tuple_to_char_pointer_array’:
      lxc.c:49:5: error: ISO C90 forbids mixed declarations and code [-Werror=declaration-after-statement]
           char **result = (char**) calloc(argc + 1, sizeof(char*));
           ^
      lxc.c:60:9: error: ISO C90 forbids mixed declarations and code [-Werror=declaration-after-statement]
               char *str = NULL;
               ^
      lxc.c: In function ‘Container_get_cgroup_item’:
      lxc.c:822:5: error: ISO C90 forbids mixed declarations and code [-Werror=declaration-after-statement]
           char* value = (char*) malloc(sizeof(char)*len + 1);
           ^
      lxc.c: In function ‘Container_get_config_item’:
      lxc.c:861:5: error: ISO C90 forbids mixed declarations and code [-Werror=declaration-after-statement]
           char* value = (char*) malloc(sizeof(char)*len + 1);
           ^
      lxc.c: In function ‘Container_get_keys’:
      lxc.c:903:5: error: ISO C90 forbids mixed declarations and code [-Werror=declaration-after-statement]
           char* value = (char*) malloc(sizeof(char)*len + 1);
           ^
      cc1: some warnings being treated as errors
      error: command 'gcc' failed with exit status 1
      Makefile:472: recipe for target 'all' failed
      make[3]: *** [all] Error 1
      make[3]: Leaving directory '/home/masami/codes/lxc/src/python-lxc'
      Makefile:394: recipe for target 'all-recursive' failed
      make[2]: *** [all-recursive] Error 1
      make[2]: Leaving directory '/home/masami/codes/lxc/src'
      Makefile:338: recipe for target 'all' failed
      make[1]: *** [all] Error 2
      make[1]: Leaving directory '/home/masami/codes/lxc/src'
      Makefile:484: recipe for target 'all-recursive' failed
      make: *** [all-recursive] Error 1
      
      build env:
      distribution: Arch Linux
      gcc version 4.9.1 20140903 (prerelease) (GCC)
      Signed-off-by: Masami Ichikawa <masami256@gmail.com>
      Acked-by: Stéphane Graber <stgraber@ubuntu.com>
    • apparmor: make sure sysfs and securityfs are mounted when checking for mount feature · 85108024
      Serge Hallyn authored
      Otherwise the check will return false if securityfs was not mounted
      by the container's configuration.  In the past we let that quietly
      proceed, but unconfined.  Now that we restrict such container
      starts, this caused lxc-test-apparmor to fail.
      Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
      Acked-by: Dwight Engen <dwight.engen@oracle.com>
    • apparmor: improve behavior when kernel lacks mount restrictions (v2) · 7aff4f43
      Serge Hallyn authored
      (Dwight, I took the liberty of adding your Ack but the code did
      change a bit to continue passing the char *label from attach.
      Tested that "lxc-start -n u1 -s lxc.aa_profile=p2; lxc-attach -n u1"
      does attach you to the p2 profile)
      
      Apparmor policies require mount restrictions to fulfill many of
      their promises - for instance if proc can be mounted anywhere,
      then 'deny /proc/sysrq-trigger w' prevents only accidents, not
      malice.
      
      The mount restrictions are not available in the upstream kernel.
      We can detect their presence through /sys.  In the past, when
      we detected it missing, we would not enable apparmor.  But that
      prevents apparmor from helping to prevent accidents.
      
      At the same time, if the user accidentally boots a kernel which
      has regressed, we do not want them starting the container thinking
      they are more protected than they are.
      
      This patch:
      
      1. adds a lxc.aa_allow_incomplete = 1 container config flag.  If
      not set, then any container which is not set to run unconfined
      will refuse to run.   If set, then the container will run with
      apparmor protection.
      
      2. to pass this flag to the apparmor driver, we pass the container
      configuration (lxc_conf) to the lsm_label_set hook.
      
      3. add a testcase.  To test the case where a kernel does not
      provide mount restrictions, we mount an empty directory over
      the /sys/kernel/security/apparmor/features/mount directory.  In
      order to have that not be unmounted in a new namespace, we must
      test using unprivileged containers (who cannot remove bind mounts
      which hide existing mount contents).
      Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
      Acked-by: Dwight Engen <dwight.engen@oracle.com>
      Acked-by: Stéphane Graber <stgraber@ubuntu.com>
    • pivot_root: switch to a new mechanism (v2) · 2d489f9e
      Serge Hallyn authored
      This idea came from Andy Lutomirski.  Instead of using a
      temporary directory for the pivot_root put-old, use "." both
      for new-root and old-root.  Then fchdir into the old root
      temporarily in order to unmount the old-root, and finally
      chdir back into our '/'.
      
      Drop lxc.pivotdir from the lxc.container.conf manpage.
      
      Warn when we see a lxc.pivotdir entry (but keep it in the
      lxc.conf for now).
      Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
      Acked-by: Stéphane Graber <stgraber@ubuntu.com>
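      An added illustration of the put-old-free pivot_root sequence this commit describes (not LXC's own function): `pivot_root_in_place` is a hypothetical name, and the MS_SLAVE remount before the detach is an extra precaution beyond what the commit text lists. It only succeeds with CAP_SYS_ADMIN inside a private mount namespace where `rootfs` is already a mount point; without that, only the error path runs, which is what the stand-alone check exercises.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <sys/mount.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Make rootfs (already a mount point in this mount namespace) the root
 * without a temporary put-old directory: "." serves as both new_root and
 * put_old.  Hypothetical name, not LXC's function.  Returns 0 or -errno. */
int pivot_root_in_place(const char *rootfs)
{
	int oldroot, newroot, ret = 0;
	oldroot = open("/", O_DIRECTORY | O_RDONLY | O_CLOEXEC);
	if (oldroot < 0)
		return -errno;
	newroot = open(rootfs, O_DIRECTORY | O_RDONLY | O_CLOEXEC);
	if (newroot < 0) {
		ret = -errno;
		close(oldroot);
		return ret;
	}
	/* glibc has no pivot_root wrapper; cwd must be the new root first. */
	if (fchdir(newroot) < 0 || syscall(SYS_pivot_root, ".", ".") < 0) {
		ret = -errno;
		goto out;
	}
	/* The old root is now stacked on top of the new root.  Step into it
	 * through the fd opened before the pivot so it can be unmounted. */
	if (fchdir(oldroot) < 0) {
		ret = -errno;
		goto out;
	}
	/* Extra precaution beyond the commit text: make it a slave so the
	 * detach cannot propagate to the host, then lazily unmount it. */
	if (mount("", ".", "", MS_SLAVE | MS_REC, NULL) < 0 ||
	    umount2(".", MNT_DETACH) < 0) {
		ret = -errno;
		goto out;
	}
	/* Finally chdir back into the new "/" so no cwd references old root. */
	if (chdir("/") < 0)
		ret = -errno;
out:
	close(oldroot);
	close(newroot);
	return ret;
}
```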
  12. 19 Sep, 2014 2 commits
    • log: fix quiet mode · 01db0197
      William Dauchy authored
      quiet mode was overridden by the double call of lxc_log_init
      see lxc_container_new
      
      use lxc_log_options_no_override in order to fix this
      Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
      Signed-off-by: William Dauchy <william@gandi.net>
    • support use of 'all' containers when cgmanager supports it · d96b7d0e
      Serge Hallyn authored
      Introduce a new list of controllers just containing "all".
      
      Make the lists of controllers null-terminated.
      
      If the cgmanager api version is high enough, use the 'all' controller
      rather than walking all controllers, which should greatly reduce the
      amount of dbus overhead.  This will be especially important for
      those going through a cgproxy.
      
      Also remove the call to cleanup cgroups when a cgroup existed.  That
      usually fails (and failure is ignored) since the to-be-cleaned-up
      cgroup is busy, but we shouldn't even be trying.  Note this can
      create extra un-cleaned-up cgroups, however it's better than us
      accidentally removing a cgroup that someone else had created and was
      about to use.
      Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
      Acked-by: Stéphane Graber <stgraber@ubuntu.com>