16 Mar, 2015 (26 commits)

Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

KATOH Yasufumi authored
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Bogdan Purcareata authored
This patch enables seccomp support for LXC containers running on PowerPC architectures. It is based on the latest PowerPC support added to libseccomp, on the working-ppc64 branch [1]. Libseccomp has been tested on ppc, ppc64 and ppc64le architectures. LXC with seccomp support has been tested on ppc and ppc64 architectures, using the default seccomp policy example files delivered with the LXC package.

[1] https://github.com/seccomp/libseccomp/commits/working-ppc64

v2:
- add #ifdefs in get_new_ctx to fix builds on systems not having SCMP_ARCH_PPC* defined

Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Erik Mackdanz authored
Fix a typo in the getopt call, should be auth-key not auth_key. Also provide the argument to cat, so the script doesn't hang waiting on stdin.

Closes #379

Signed-off-by: Erik Mackdanz <erikmack@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Stuart Cardall authored
Signed-off-by: Stuart Cardall <developer@it-offshore.co.uk>

Bostjan Skufca authored
Signed-off-by: Bostjan Skufca <bostjan@a2o.si>

KATOH Yasufumi authored
When a non-thinpool LVM container which has a snapshotted clone is destroyed, the LV of the snapshotted clone was also deleted. This patch prevents it. The original non-thinpool LVM container of a snapshotted clone cannot now be destroyed.

Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

lxc@zitta.fr authored
Follow new Gentoo download server configuration. Should be backported in earlier lxc versions.

Signed-off-by: Guillaume ZITTA <lxc@zitta.fr>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Johannes Henninger authored
This prevents on_exit() and atexit() handlers registered by the parent process from being run in the forked intermediate process.

Signed-off-by: Johannes Henninger <johannes@henninger.io>

KATOH Yasufumi authored
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

KATOH Yasufumi authored
In commit 18aa217b, the snapshot dir was moved to /var/lib/lxc/c/snaps.

Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

tukiyo authored
Signed-off-by: tukiyo3 <tukiyo3@gmail.com>

Дмитрий Пацура authored
Signed-off-by: Dmitry Patsura <talk@dmtry.me>

brauner authored
This enables containers to mount fuse filesystems per default. The mount is designed to be safe. Hence, it can be enabled per default in common.conf. It will lead to a cleaner boot for some unprivileged systemd-based containers.

Signed-off-by: Christian Brauner <christianvanbrauner@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Stéphane Graber authored
This resolves the case where /proc/sysrq-trigger doesn't exist by simply ignoring any mount failure on ENOENT. With the current mount list, this will always result in a safe environment (typically the read-only underlay).

Closes #425

v2: Don't always show an error

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Tycho Andersen authored
It turns out the process command line is in fact null terminated on the stack; this caused a bug where, when the new process title was smaller than the old one, the first environment entry would be rendered as part of the process title.

Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

KATOH Yasufumi authored
lxc-plamo stop:
* creating objects under /dev when creating the container
* removing /dev population process from original rc script

Now populate /dev at container boot time, and allow enabling lxc.autodev=1.

Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Serge Hallyn authored
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Tycho Andersen authored
Not all kernels have these macros; they'll just give an EINVAL if/when invoked.

Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Tycho Andersen authored
Instead of having a parent process that's called whatever the caller of the library is called, we instead set it to "[lxc monitor] <lxcpath> <container>"

Closes #180

v2: check for null in tok for loop, only truncate environment when necessary

Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

30 Jan, 2015 (3 commits)

Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

KATOH Yasufumi authored
Update for commit f24a52d5

Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Serge Hallyn authored
Because we now create the ttys from inside the container, we had to add an apparmor rule for start-container to bind-mount /dev/pts/** -> /dev/tty*/. However that's not sufficient if the container sets lxc.ttydir, in which case we need to support mounting onto files in subdirs of /dev.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

29 Jan, 2015 (7 commits)

Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Serge Hallyn authored
We were trying to be smart and use whatever the last part of the container's rootfs path was. However for block devices that doesn't make much sense. I.e. if lxc.rootfs = /dev/md-1, chances are that /var/lib/lxc/c1/md-1 does not exist. So always use the $lxcpath/$lxcname/rootfs, and if it does not exist, try to create it.

With this, 'lxc-clone -s -o c1 -n c2' where c1 has an lvm backend is fixed.

See https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1414771

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Serge Hallyn authored
Lxc has always created the ptys for use by console and ttys early on from the monitor process. This has some advantages, but also has disadvantages, namely (1) container ptys counting against the max ptys for the host, and (2) not having a /dev/pts/N in the container to pass to getty. (2) was not a problem for us historically because we bind-mounted the host's /dev/pts/N onto a /dev/ttyN in the container. However, systemd hardcodes a check for container_ttys that the path have 'pts/' in it. If it were only for (2) I'd have opted for a systemd patch to check the device major number, but (1) made it worth moving the openpty to the container namespace.

So this patch moves the tty creation into the task which becomes the container init. It then passes the fds for the opened ptys back to the monitor over a unix socketpair (for use by lxc-console). The /dev/console is still created in the monitor process, so that it can for instance be used by lxc.logfd.

So now if you have a foreground container with lxc.tty = 4, you should end up with one host /dev/pts entry per container rather than 5. And lxc-console now works with systemd containers.

Note that if the container init mounts its own devpts over the one mounted by lxc, the tty /dev/pts/n will be hidden. This is ok since it's only systemd that needs it, and systemd won't do that.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Stéphane Graber authored
- Implements mixed mode for /sys where it's mounted read-only but with /sys/devices/virtual/net/ writable.
- Sets lxc.mount.auto to "cgroup:mixed proc:mixed sys:mixed" for all templates.
- Drop any template-specific mount for /proc, /sys or /sys/fs/cgroup.
- Get rid of the fstab file by default, using lxc.mount.entry instead.
- Set sys:mixed as the default for "sys". sys:mixed is slightly more permissive than sys:ro so this shouldn't be a problem.

The read-only bind mount of /sys on top of itself is there so that mountall and other init systems don't attempt to remount /sys read-write.

v2 changes:
- Fix the mount list, don't specify a source for the remount.
- Update the documentation.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

28 Jan, 2015 (4 commits)

Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Stéphane Graber authored
Close #406

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Stéphane Graber authored
Close #421

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Serge Hallyn authored
The lxc.tty configuration item specifies a number of ttys to create. Historically, for each of those, we create a /dev/pts/N entry and symlink it to /dev/ttyN for older inits to use. For systemd, we should instead specify each tty name in a $container_ttys environment variable passed to init.

See http://www.freedesktop.org/wiki/Software/systemd/ContainerInterface/ and https://github.com/lxc/lxc/issues/419.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>