1. 01 Oct, 2014 1 commit
  2. 29 Sep, 2014 5 commits
  3. 26 Sep, 2014 1 commit
    • Rework init scripts · 0af99319
      Michael H. Warfield authored
      This commit is based on the work of:
      Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
      
      A generic changelog would be:
       - Bring support for lxcbr0 to all distributions
       - Share the container startup and network configuration logic across
         distributions and init systems.
       - Have all the init scripts call the helper script.
       - Support for the various different distro-specific configuration
         locations to configure lxc-net and container startup.
      
      Changes on top of Mike's original version:
       - Remove sysconfig/lxc-net as it's apparently only there as a
         workaround for an RPM limitation and is breaking Debian systems by
         including a useless file which will get registered as a package provided
         conffile in the dpkg database and will therefore cause conffile prompts
         on upgrades...
       - Go with a consistent coding style in the various init scripts.
       - Split out the common logic from the sysvinit scripts and ship both in
         their respective location rather than have them be copies.
       - Fix the upstart jobs so they actually work (there's no such thing as
         libexec on Debian systems).
      Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
      Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
  4. 25 Sep, 2014 2 commits
  5. 24 Sep, 2014 7 commits
  6. 23 Sep, 2014 4 commits
  7. 22 Sep, 2014 6 commits
    • Fix the unprivileged tests cgroup management · 42e5c987
      Stéphane Graber authored
      To cover all the cases we have around, we need to:
       - Attempt to use cgm if present (preferred)
       - Attempt to use cgmanager directly over dbus otherwise
       - Fallback to cgroupfs
      Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
      Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>
    • Fix build error (ISO C90 specs violation) in lxc.c · dc18b2c9
      Masami Ichikawa authored
      This patch fixes the following build errors.
      
      running build_ext
      building '_lxc' extension
      creating build/temp.linux-x86_64-3.4
      gcc -pthread -Wno-unused-result -Werror=declaration-after-statement -DDYNAMIC_ANNOTATIONS_ENABLED=1 -DNDEBUG -g -fwrapv -O3 -Wall -Wstrict-prototypes -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong --param=ssp-buffer-size=4 -fPIC -I../../src -I../../src -I/usr/include/python3.4m -c lxc.c -o ./build/temp.linux-x86_64-3.4/lxc.o
      lxc.c: In function ‘convert_tuple_to_char_pointer_array’:
      lxc.c:49:5: error: ISO C90 forbids mixed declarations and code [-Werror=declaration-after-statement]
           char **result = (char**) calloc(argc + 1, sizeof(char*));
           ^
      lxc.c:60:9: error: ISO C90 forbids mixed declarations and code [-Werror=declaration-after-statement]
               char *str = NULL;
               ^
      lxc.c: In function ‘Container_get_cgroup_item’:
      lxc.c:822:5: error: ISO C90 forbids mixed declarations and code [-Werror=declaration-after-statement]
           char* value = (char*) malloc(sizeof(char)*len + 1);
           ^
      lxc.c: In function ‘Container_get_config_item’:
      lxc.c:861:5: error: ISO C90 forbids mixed declarations and code [-Werror=declaration-after-statement]
           char* value = (char*) malloc(sizeof(char)*len + 1);
           ^
      lxc.c: In function ‘Container_get_keys’:
      lxc.c:903:5: error: ISO C90 forbids mixed declarations and code [-Werror=declaration-after-statement]
           char* value = (char*) malloc(sizeof(char)*len + 1);
           ^
      cc1: some warnings being treated as errors
      error: command 'gcc' failed with exit status 1
      Makefile:472: recipe for target 'all' failed
      make[3]: *** [all] Error 1
      make[3]: Leaving directory '/home/masami/codes/lxc/src/python-lxc'
      Makefile:394: recipe for target 'all-recursive' failed
      make[2]: *** [all-recursive] Error 1
      make[2]: Leaving directory '/home/masami/codes/lxc/src'
      Makefile:338: recipe for target 'all' failed
      make[1]: *** [all] Error 2
      make[1]: Leaving directory '/home/masami/codes/lxc/src'
      Makefile:484: recipe for target 'all-recursive' failed
      make: *** [all-recursive] Error 1
      
      build env:
      distribution: Arch Linux
      gcc version 4.9.1 20140903 (prerelease) (GCC)
      Signed-off-by: Masami Ichikawa <masami256@gmail.com>
      Acked-by: Stéphane Graber <stgraber@ubuntu.com>
    • apparmor: make sure sysfs and securityfs are mounted when checking for mount feature · 85108024
      Serge Hallyn authored
      Otherwise the check will return false if securityfs was not mounted
      by the container's configuration.  In the past we let that quietly
      proceed, but unconfined.  Now that we restrict such container
      starts, this caused lxc-test-apparmor to fail.
      Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
      Acked-by: Dwight Engen <dwight.engen@oracle.com>
    • apparmor: improve behavior when kernel lacks mount restrictions (v2) · 7aff4f43
      Serge Hallyn authored
      (Dwight, I took the liberty of adding your Ack but the code did
      change a bit to continue passing the char *label from attach.
      Tested that "lxc-start -n u1 -s lxc.aa_profile=p2; lxc-attach -n u1"
      does attach you to the p2 profile)
      
      Apparmor policies require mount restrictions to fulfill many of
      their promises - for instance if proc can be mounted anywhere,
      then 'deny /proc/sysrq-trigger w' prevents only accidents, not
      malice.
      
      The mount restrictions are not available in the upstream kernel.
      We can detect their presence through /sys.  In the past, when
      we detected it missing, we would not enable apparmor.  But that
      prevents apparmor from helping to prevent accidents.
      
      At the same time, if the user accidentally boots a kernel which
      has regressed, we do not want them starting the container thinking
      they are more protected than they are.
      
      This patch:
      
      1. adds a lxc.aa_allow_incomplete = 1 container config flag.  If
      not set, then any container which is not set to run unconfined
      will refuse to run.   If set, then the container will run with
      apparmor protection.
      
      2. to pass this flag to the apparmor driver, we pass the container
      configuration (lxc_conf) to the lsm_label_set hook.
      
      3. add a testcase.  To test the case where a kernel does not
      provide mount restrictions, we mount an empty directory over
      the /sys/kernel/security/apparmor/features/mount directory.  In
      order to have that not be unmounted in a new namespace, we must
      test using unprivileged containers (who cannot remove bind mounts
      which hide existing mount contents).
      Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
      Acked-by: Dwight Engen <dwight.engen@oracle.com>
      Acked-by: Stéphane Graber <stgraber@ubuntu.com>
    • pivot_root: switch to a new mechanism (v2) · 2d489f9e
      Serge Hallyn authored
      This idea came from Andy Lutomirski.  Instead of using a
      temporary directory for the pivot_root put-old, use "." both
      for new-root and old-root.  Then fchdir into the old root
      temporarily in order to unmount the old-root, and finally
      chdir back into our '/'.
      
      Drop lxc.pivotdir from the lxc.container.conf manpage.
      
      Warn when we see a lxc.pivotdir entry (but keep it in the
      lxc.conf for now).
      Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
      Acked-by: Stéphane Graber <stgraber@ubuntu.com>
  8. 19 Sep, 2014 14 commits