- 14 Jul, 2014 1 commit
-
-
Stéphane Graber authored
Signed-off-by:Stéphane Graber <stgraber@ubuntu.com>
-
- 13 Jul, 2014 4 commits
-
-
Stéphane Graber authored
Signed-off-by: -
Stéphane Graber authored
Reported-by: Michael J. Evans Signed-off-by: -
Alexander Dreweke authored
Signed-off-by:
Alexander Dreweke <alexander@dreweke.net> Acked-by:
-
Alexander Dreweke authored
added space ">/" -> "> /" Signed-off-by:
-
- 07 Jul, 2014 5 commits
-
-
Stéphane Graber authored
Signed-off-by: -
Stéphane Graber authored
This is based on the patch submitted by: Yuto KAWAMURA(kawamuray) <kawamuray.dadada@gmail.com> Updated to use lxc.version rather than @LXC_VERSION@ and to apply to both lxc-ls and lxc-device rather than just the former. Signed-off-by: -
Dorian Eikenberg authored
Signed-off-by:
Dorian Eikenberg <dorian.eikenberg@uni-duesseldorf.de> Acked-by:
Serge E. Hallyn <serge.hallyn@ubuntu.com> Acked-by:
-
Yuto KAWAMURA(kawamuray) authored
Currently do_reboot_and_check() is decreasing timeout variable even if it is set to -1, so running 'lxc-stop --reboot --timeout=-1 ...' will exits immediately at end of second iteration of loop, without waiting container reboot. Also, there is no need to call gettimeofday if timeout is set to -1, so these statements should be evaluated only when timeout is enabled. Signed-off-by:
Yuto KAWAMURA(kawamuray) <kawamuray.dadada@gmail.com> Acked-by:
-
Yuto KAWAMURA(kawamuray) authored
/etc/filesystems could be contain blank lines and comments. Change find_fstype_cb() to ignore blank lines and comments which starts with '#'. Signed-off-by:
-
- 04 Jul, 2014 1 commit
-
-
Stéphane Graber authored
Signed-off-by:
-
- 03 Jul, 2014 3 commits
-
-
Rodrigo Vaz authored
Signed-off-by:
Rodrigo Sampaio Vaz <rodrigo@heroku.com> Acked-by:
-
Serge Hallyn authored
New kernels require that to have privilege over a file, your userns must have the old and new groups mapped into your userns. So if a file is owned by our uid but another groupid, then we have to chgrp the file to our primary group before we can try (in a new user namespace) to chgrp the file to a group id in the namespace. But in some cases (when cloning) the file may already be mapped into the container. Now we cannot chgrp the file to our own primary group - and we don't have to. So detect that case. Only try to chgrp the file to our primary group if the file is owned by our euid (i.e. not by the container) and the owning group is not already mapped into the container by default. With this patch, I'm again able to both create and clone containers with no errors again. Reported-by:
S.Çağlar Onur <caglar@10ur.org> Signed-off-by:
-
Stéphane Graber authored
This updates the common config to include Serge's seccomp profile by default for privileged containers. Signed-off-by:
-
- 30 Jun, 2014 17 commits
-
-
Jesse Tane authored
Signed-off-by:
Jesse Tane <jesse.tane@gmail.com> Acked-by:
-
Stéphane Graber authored
stat.st_gid is unsigned long in bionic instead of the expected gid_t, so just cast it to gid_t. Signed-off-by:
-
TAMUKI Shoichi authored
Change idmap_add_id() to add both ID_TYPE_UID and ID_TYPE_GID entries to an existing lxc_conf, not just an ID_TYPE_UID entry, so as to work lxc-destroy with unprivileged containers on recent kernel. Signed-off-by:
TAMUKI Shoichi <tamuki@linet.gr.jp> Acked-by:
KATOH Yasufumi <karma@jazz.email.ne.jp> Acked-by:
-
TAMUKI Shoichi authored
Change chown_mapped_root() to map in both the root uid and gid, not just the uid, so as to work lxc-start with unprivileged containers on recent kernel. Signed-off-by:
-
Alexander Vladimirov authored
Signed-off-by:
Alexander Vladimirov <alexander.idkfa.vladimirov@gmail.com> Acked-by:
-
Serge Hallyn authored
Previously this was done by strncpy, but now we just read the len bytes - not including \0 - from a pipe, so pre-fill @value with 0s to be safe. This fixes the python3 api_test failure. Signed-off-by: -
Serge Hallyn authored
This allows users to get/set cgroup settings when logged into a different session than that from which they started the container. There is no cgmanager command to do an _abs variant of cgmanager_get_value and cgmanager_set_value. So we fork off a new task, which enters the parent cgroup of the started container, then can get/set the value from there. The reason not to go straight into the container's cgroup is that if we are freezing the container, or the container is already frozen, we'll freeze as well :) The reason to fork off a new task is that if we are in a cgroup which is set to remove-on-empty, we may not be able to return to our original cgroup after making the change. This should fix https://github.com/lxc/lxc/issues/246Signed-off-by:
-
Stéphane Graber authored
Signed-off-by:
-
Alexander Vladimirov authored
write_config doesn't check the value sig_name function returns, this causes write_config to produce corrupted container config when using non-predefined signal names. Signed-off-by:
-
Stéphane Graber authored
Signed-off-by: -
Serge Hallyn authored
Blacklist module loading, kexec, and open_by_handle_at (the cause of the not-docker-specific dockerinit mounts namespace escape). This should be applied to all arches, but iiuc stgraber will be doing some reworking of the commonizations which will simplify that, so I'm not doing it here. Signed-off-by:
-
Serge Hallyn authored
When calling seccomp_rule_add(), you must pass the native syscall number even if the context is a 32-bit context. So use resolve_name rather than resolve_name_arch. Enhance the check of /proc/self/status for Seccomp: so that we do not enable seccomp policies if seccomp is not built into the kernel. This is needed before we can enable by-default seccomp policies (which we want to do next) Fix wrong return value check from seccomp_arch_exist, and remove needless abstraction in arch handling. Signed-off-by:
-
Serge Hallyn authored
seccomp_ctx is already a void*, so don't use 'scmp_filter_ctx *' Separately track the native arch from the arch a rule is aimed at. Clearly ignore irrelevant architectures (i.e. arm rules on x86) Don't try to load seccomp (and don't fail) if we are already seccomp-confined. Otherwise nested containers fail. Make it clear that the extra seccomp ctx is only for compat calls on 64-bit arch. (This will be extended to arm64 when libseccomp supports it). Power may will complicate this (if ever it is supported) and require a new rethink and rewrite. NOTE - currently when starting a 32-bit container on 64-bit host, rules pertaining to 32-bit syscalls (as opposed to once which have the same syscall #) appear to be ignored. I can reproduce that without lxc, so either there is a bug in seccomp or a fundamental misunderstanding in how I"m merging the contexts. Rereading the seccomp_rule_add manpage suggests that keeping the seccond seccomp context may not be necessary, but this is not something I care to test right now. If it's true, then the code could be simplified, and it may solve my concerns about power. With this patch I'm able to start nested containers (with seccomp policies defined) including 32-bit and 32-bit-in-64-bit. [ this patch does not yet add the default seccomp policy ] Signed-off-by:
-
Dwight Engen authored
Signed-off-by:
Dwight Engen <dwight.engen@oracle.com> Acked-by:
-
Dwight Engen authored
Signed-off-by:
-
Dwight Engen authored
Commit 0af683cf added clearing of capabilities to lxc-init, but only after lxc_setup_fs() was done, likely so that the mounting done in that routine wouldn't fail. However, in my testing lxc_caps_reset() wasn't really effective anyway since it did not clear the bounding set. Adding prctl PR_CAPBSET_DROP in a loop from 0 to CAP_LAST_CAP would fix this, but I don't think its necessary to forcefully clear all capabilities since users can now specify lxc.cap.keep = none to drop all capabilities. Signed-off-by:
-
Stéphane Graber authored
Signed-off-by:
-
- 18 Jun, 2014 2 commits
-
-
Serge Hallyn authored
If a syscall is listed which is not resolvable, continue. This allows us to keep a more complete list of syscalls in a global seccomp policy without having to worry about older kernels not supporting the newer syscalls. Signed-off-by:
-
Leonid Isaev authored
Signed-off-by:
Leonid Isaev <lisaev@umail.iu.edu> Acked-by:
-
- 17 Jun, 2014 1 commit
-
-
Stéphane Graber authored
-P was only used for log setup and not when retrieving the container list. Signed-off-by:
-
- 14 Jun, 2014 3 commits
-
-
Stéphane Graber authored
Some error messages in lxc-test-apparmor didn't end with a newline, leading to slightly difficult to read output. Signed-off-by:
-
Stéphane Graber authored
Signed-off-by:
-
Stéphane Graber authored
The use of the download template with an hardcoded --arch=amd64 in aa.c was causing test failures on any platform incapable of running amd64 binaries. This wasn't noticed in the CI environment as we run the tests within containers on an amd64 kernel but this caused failures on the Ubuntu CI environment. Instead, let's use the busybox template, tweaking the configuration when needed to match the needs of the testcase. Signed-off-by:
-
- 13 Jun, 2014 1 commit
-
-
Stéphane Graber authored
Signed-off-by:
-
- 10 Jun, 2014 2 commits
-
-
Stéphane Graber authored
lxc-test-autostart occasionaly fails at the restart test in the CI environment. Looking at the current test case, the most obvious race there is if lxc-wait exists succesfuly immediately after LXC marked the container RUNNING (init spawned) but before init had a chance to setup the signal handlers. To avoid this potential race period, let's add a 5s delay between the tests to give a chance for init to finish starting up. Signed-off-by:
-
Stéphane Graber authored
Signed-off-by:
-
