- 14 Aug, 2015 24 commits
-
Laurent Vivier authored
URL for packages and LiveOS differs from x86, x86_64 and ARM. This patch allows to select the good mirror URL according to the architecture.
Primary architecture: http://mirrors.kernel.org/fedora
Secondary architecture: http://mirrors.kernel.org/fedora-secondary
The managed secondary architectures are only ppc64 and s390x, the secondary architectures for Fedora 20 (the base of initial bootstrap).
Signed-off-by:
Laurent Vivier <Laurent@Vivier.EU> Acked-by:
Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Serge Hallyn authored
These are two fixes for long, long-standing bugs.
1. When we stop a container from the lxc_cmd stop handler, we kill its init task, then we unfreeze the container to make sure it receives the signal. When that unfreeze succeeds, we were immediately returning 0, without sending a response to the invoker.
2. lxc_cmd returns the length of the field received. In the case of an lxc_cmd_stop this is 16. But a comment claims we expect no response, only a 0. In fact the handler does send a response, which may or may not include an error. So don't call an error just because we got back a response.
Signed-off-by:
Serge Hallyn <serge.hallyn@ubuntu.com> Acked-by:
Stéphane Graber <stgraber@ubuntu.com>
-
Tycho Andersen authored
Signed-off-by:
Tycho Andersen <tycho.andersen@canonical.com> Acked-by:
Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
teruo-oshida authored
$container_rootfs may not be used so 'sed' will try to patch "/etc/init/tty.conf". It must not be correct. Signed-off-by:
Teruo Oshida <teruo.oshida@miraclelinux.com> Acked-by:
Stéphane Graber <stgraber@ubuntu.com>
-
Serge Hallyn authored
to make sure the parent's read returns. Signed-off-by:
Serge Hallyn <serge.hallyn@ubuntu.com> Acked-by:
Stéphane Graber <stgraber@ubuntu.com>
-
KATOH Yasufumi authored
Update for commit 8158c057 Signed-off-by:
KATOH Yasufumi <karma@jazz.email.ne.jp> Acked-by:
Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
KATOH Yasufumi authored
Signed-off-by:
KATOH Yasufumi <karma@jazz.email.ne.jp> Acked-by:
Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Arjun Sreedharan authored
Signed-off-by:
Arjun Sreedharan <arjun024@gmail.com> Acked-by:
Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Serge Hallyn authored
This is only called at startup so it wasn't a big leak, but it is a leak. Signed-off-by:
Serge Hallyn <serge.hallyn@ubuntu.com> Acked-by:
Stéphane Graber <stgraber@ubuntu.com>
-
Serge Hallyn authored
Currently if we are in /user.slice/user-1000.slice/session-c2.scope, and we start an unprivileged container t1, it will be in cgroup 3:memory:/user.slice/user-1000.slice/session-c2.scope/t1. If we then do a 'lxc-cgroup -n t1 freezer.tasks', cgm_get will first switch to 3:memory:/user.slice/user-1000.slice/session-c2.scope then look up 't1's values. The reasons for this are
1. cgmanager get_value is relative to your own cgroup, so we need to be sure to be in t1's cgroup or an ancestor
2. we don't want to be in the container's cgroup bc it might freeze us.
But in Ubuntu 15.04 it was decided that 3:memory:/user.slice/user-1000.slice/session-c2.scope/tasks should not be writeable by the user, making this fail. Therefore put all unprivileged cgroups under "lxc/%n". That way the "lxc" cgroup should always be owned by the user so that he can enter.
Signed-off-by:
Serge Hallyn <serge.hallyn@ubuntu.com> Acked-by:
Stéphane Graber <stgraber@ubuntu.com>
-
Alexandre Létourneau authored
Signed-off-by: Alexandre Letourneau <letourneau.alexandre@gmail.com>
-
Alexandre Létourneau authored
Signed-off-by: Alexandre Létourneau <letourneau.alexandre@gmail.com>
-
Achton authored
Signed-off-by: Achton Smidt Winther <mail@achton.net>
-
Stéphane Graber authored
Signed-off-by:
Stéphane Graber <stgraber@ubuntu.com> Acked-by:
Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
KATOH Yasufumi authored
Signed-off-by:
KATOH Yasufumi <karma@jazz.email.ne.jp> Acked-by:
Stéphane Graber <stgraber@ubuntu.com>
-
Bogdan Purcareata authored
This patch enables seccomp support for LXC containers running on PowerPC architectures. It is based on the latest PowerPC support added to libseccomp, on the working-ppc64 branch [1]. Libseccomp has been tested on ppc, ppc64 and ppc64le architectures. LXC with seccomp support has been tested on ppc and ppc64 architectures, using the default seccomp policy example files delivered with the LXC package.
[1] https://github.com/seccomp/libseccomp/commits/working-ppc64
v2:
- add #ifdefs in get_new_ctx to fix builds on systems not having SCMP_ARCH_PPC* defined
Signed-off-by:
Bogdan Purcareata <bogdan.purcareata@freescale.com> Acked-by:
Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Erik Mackdanz authored
Fix a typo in the getopt call, should be auth-key not auth_key. Also provide the argument to cat, so the script doesn't hang waiting on stdin. Closes #379 Signed-off-by:
Erik Mackdanz <erikmack@gmail.com> Acked-by:
Stéphane Graber <stgraber@ubuntu.com>
-
Stéphane Graber authored
Signed-off-by:
Stéphane Graber <stgraber@ubuntu.com> Acked-by:
Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Stuart Cardall authored
Signed-off-by: Stuart Cardall <developer@it-offshore.co.uk>
-
KATOH Yasufumi authored
When a non-thinpool LVM container which has a snapshotted clone is destroyed, the LV of the snapshotted clone was also deleted. This patch prevents it. The original non-thinpool LVM container of a snapshotted clone cannot now be destroyed. Signed-off-by:
KATOH Yasufumi <karma@jazz.email.ne.jp> Acked-by:
Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
lxc@zitta.fr authored
follow new gentoo's download server configuration. Should be backported in earlier lxc versions. Signed-off-by:
Guillaume ZITTA <lxc@zitta.fr> Acked-by:
Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Johannes Henninger authored
This prevents on_exit() and atexit() handlers registered by the parent process from being run in the forked intermediate process. Signed-off-by: Johannes Henninger <johannes@henninger.io>
-
tukiyo authored
Signed-off-by: tukiyo3 <tukiyo3@gmail.com>
-
Дмитрий Пацура authored
Signed-off-by: Dmitry Patsura <talk@dmtry.me>
- 22 Jul, 2015 2 commits
-
Stéphane Graber authored
A user could otherwise over-mount /proc and prevent the apparmor profile or selinux label from being written which combined with a modified /bin/sh or other commonly used binary would lead to unconfined code execution. Reported-by: Roman Fiedler Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
-
Serge Hallyn authored
This prevents an unprivileged user from using LXC to create arbitrary files on the filesystem. Signed-off-by:
Serge Hallyn <serge.hallyn@ubuntu.com> Signed-off-by:
Tyler Hicks <tyhicks@canonical.com> Acked-by:
Stéphane Graber <stgraber@ubuntu.com>
- 06 Apr, 2015 1 commit
-
Serge Hallyn authored
When we are shutting down the lxc network, we should not fail when things go wrong, as that only makes it harder to clean up later. See https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1429140 in particular Signed-off-by:
Serge Hallyn <serge.hallyn@ubuntu.com> Acked-by:
Stéphane Graber <stgraber@ubuntu.com>
- 10 Mar, 2015 1 commit
-
KATOH Yasufumi authored
Signed-off-by:
KATOH Yasufumi <karma@jazz.email.ne.jp> Acked-by:
Stéphane Graber <stgraber@ubuntu.com>
- 23 Feb, 2015 1 commit
-
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
- 08 Feb, 2015 1 commit
-
Stéphane Graber authored
This resolves the case where /proc/sysrq-trigger doesn't exist by simply ignoring any mount failure on ENOENT. With the current mount list, this will always result in a safe environment (typically the read-only underlay).
Closes #425
v2: Don't always show an error
Signed-off-by:
Stéphane Graber <stgraber@ubuntu.com> Acked-by:
Serge E. Hallyn <serge.hallyn@ubuntu.com>
- 30 Jan, 2015 10 commits
-
Stéphane Graber authored
Signed-off-by:
Stéphane Graber <stgraber@ubuntu.com> Acked-by:
Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Serge Hallyn authored
We were trying to be smart and use whatever the last part of the container's rootfs path was. However for block devices that doesn't make much sense. I.e. if lxc.rootfs = /dev/md-1, chances are that /var/lib/lxc/c1/md-1 does not exist. So always use the $lxcpath/$lxcname/rootfs, and if it does not exist, try to create it. With this, 'lxc-clone -s -o c1 -n c2' where c1 has an lvm backend is fixed. See https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1414771 Signed-off-by:
Serge Hallyn <serge.hallyn@ubuntu.com> Acked-by:
Stéphane Graber <stgraber@ubuntu.com>
-
Stéphane Graber authored
Signed-off-by:
Stéphane Graber <stgraber@ubuntu.com> Acked-by:
Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Stéphane Graber authored
Close #406 Signed-off-by:
Stéphane Graber <stgraber@ubuntu.com> Acked-by:
Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Serge Hallyn authored
1. tty5 is not needed
2. the devices should be optional in case they didn't exist in the host / parent-container
3. switch from 'touch $rootfs/dev/$dev' to using create=file in the mount entry.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
Serge Hallyn authored
Close #389 We will probably also want to switch the order of the mount attempts, as the new overlay fs should quickly become the more common scenario. Signed-off-by:
Serge Hallyn <serge.hallyn@ubuntu.com> Acked-by:
KATOH Yasufumi <karma@jazz.email.ne.jp> Acked-by:
Stéphane Graber <stgraber@ubuntu.com>
-
Stéphane Graber authored
Closes: #403 Signed-off-by: Dwight Engen Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Patrick O'Leary authored
The `index` libc function was removed in POSIX 2008, and `strchr` is a direct replacement. The bionic (Android) libc has removed `index` when you are compiling for a 64-bit architecture, such as AArch64. Signed-off-by:
Patrick O'Leary <patrick.oleary@gmail.com> Acked-by:
Stéphane Graber <stgraber@ubuntu.com>
-
Vicente Olivert Riera authored
Reuse the code from the Debian template to associate a hwaddr if there is only one veth interface in the container's config file. Signed-off-by:
Vicente Olivert Riera <Vincent.Riera@imgtec.com> Acked-by:
Stéphane Graber <stgraber@ubuntu.com>
-
Thomas Moschny authored
Signed-off-by:
Thomas Moschny <thomas.moschny@gmail.com> Acked-by:
Stéphane Graber <stgraber@ubuntu.com>