- 06 Sep, 2017 1 commit
-
-
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
-
- 05 Sep, 2017 11 commits
-
-
Stéphane Graber authored
doc: adapt + update
-
Christian Brauner authored
- lxc.id_map -> lxc.idmap
- document lxc.cgroup.dir

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
-
Serge Hallyn authored
conf: bugfixes
-
Christian Brauner authored
A bit of context: userns_exec_1() is only used to operate based on privileges for the user's own {g,u}id on the host and for the container root's unmapped {g,u}id. This means we require only to establish a mapping from:

- the container root {g,u}id as seen from the host -> user's host {g,u}id
- the container root -> some sub{g,u}id

This function however was buggy. It relied on some pointer pointing to the same memory, namely specific idmap entries in the idmap list in the container's in-memory configuration. However, due to a stupid mistake of mine, the pointers to be compared pointed to freshly allocated memory. They were never pointing to the intended memory locations.

To reproduce what I'm talking about prior to this commit simply place:

    chb:999:1000000000
    chb:999:1
    chb:1000:1

in /etc/sub{g,u}id then create a container which requests the following idmappings:

    lxc.idmap = u 0 999 999
    lxc.idmap = g 0 999 1000000000

and start the container. What we *would expect* is for liblxc to establish the following mapping:

    newuidmap <pid> 0 999 999
    newgidmap <pid> 0 999 1000000000

since all required mappings are present. Due to the buggy pointer comparisons what happened was:

    newuidmap <pid> 0 999 999 0 999 999
    newgidmap <pid> 0 999 1000000000 0 999 1000000000

Let's fix this.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
We allocate pty {master,slave} file descriptors in the child's namespaces after we have set up devpts. After we have sent the pty file descriptors to the parent and set up the pty file descriptors under /dev/tty* and before we exec the init binary we need to delete these file descriptors in the child. However, one of my commits made the deletion occur before setting up the file descriptors under /dev/tty*. This caused failures when trying to attach to the container's ttys since they weren't actually configured although the file descriptors were available in the in-memory configuration of the parent. This commit reworks setting up tty such that deletion occurs after all setup has been performed. The commit is actually minimal but needs to also move all the functions into one place since they will now be called from "lxc_create_ttys()".

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Stéphane Graber authored
conf: record idmap that gets written
-
Christian Brauner authored
This will serve us well in the future!

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
- 04 Sep, 2017 9 commits
-
-
Stéphane Graber authored
start: document all handler fields
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Stéphane Graber authored
criu: add cmp_version()
-
Federico Briata authored
We cannot use strcmp(). Otherwise we incorrectly report e.g. that criu 2.12.1 is less than 2.8.

Signed-off-by: Federico Briata <federico-pietro.briata@cnhind.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
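As an added example (not code from the LXC tree and not the cmp_version() this commit introduces): a component-wise numeric version comparison in C that orders criu 2.12.1 after 2.8, where strcmp() gets the order backwards. The names next_component(), version_cmp() and version_at_least() are hypothetical.

```c
#include <string.h>

/* Hypothetical helper for this example, not liblxc's cmp_version().
 * Reads one dotted version component (a run of digits) from *s and
 * advances *s past it and past a single '.' separator. Any other
 * character (e.g. the '-' in "2.8-rc1") ends parsing, so suffixes
 * are ignored for the purpose of this comparison. */
static unsigned long next_component(const char **s)
{
	unsigned long v = 0;

	while (**s >= '0' && **s <= '9') {
		v = v * 10 + (unsigned long)(**s - '0');
		(*s)++;
	}
	if (**s == '.')
		(*s)++;
	else
		*s = "";
	return v;
}

/* Returns <0, 0 or >0 like strcmp(), but compares component by
 * component as numbers, so "2.12.1" > "2.8" (strcmp() says the
 * opposite because '1' < '8'). A missing trailing component counts
 * as 0, so "2.8" == "2.8.0". */
int version_cmp(const char *a, const char *b)
{
	while (*a || *b) {
		unsigned long ca = next_component(&a);
		unsigned long cb = next_component(&b);

		if (ca != cb)
			return ca < cb ? -1 : 1;
	}
	return 0;
}

/* Minimum-version gate of the kind a criu feature check needs:
 * 1 if the installed version satisfies the required minimum, else 0. */
int version_at_least(const char *have, const char *minimum)
{
	return version_cmp(have, minimum) >= 0;
}
```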
-
Stéphane Graber authored
console: non-functional change
-
Stéphane Graber authored
conf: don't send ttys when none are configured
-
Christian Brauner authored
It is bad style to close an fd inside a function which didn't create it. Let's rather close it transparently in start.c.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Serge Hallyn authored
network: improvements + bugfixes
-
- 03 Sep, 2017 9 commits
-
-
Christian Brauner authored
Writes < PIPE_BUF will be atomic. PIPE_BUF is guaranteed to be 512 by POSIX and Linux guarantees 4096. Nothing we send around goes over this limit.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
I thought we could send all ttys at once but this limits the number of ttys users can use because of iovec_len restrictions. So let's send them in batches of 2.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
lxc_mkifname() really doesn't need to allocate any memory.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Also move all functions to network.{c,h}.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Since find_line() was changed earlier, count_entries() started counting lines wrong. It would report maximum reached before you actually reached your allotted maximum.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
- 02 Sep, 2017 2 commits
-
-
Christian Brauner authored
Assume the db contained the following entries:

    chb veth lxcbr0 veth1
    chb veth lxcbr0 veth2
    chb veth lxdbr0 veth3
    chb veth lxdbr0 veth2
    didi veth lxcbr0 veth4

And you request cull_entries("chb", "veth", "lxdbr0", "veth3"); lxc-user-nic would wipe any entries that did not match irrespective of whether they existed or not. Let's fix that.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
The code before inserted \0-bytes after every new line which made the db basically unusable.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
- 01 Sep, 2017 8 commits
-
-
Christian Brauner authored
We use data_sock for all things we need to send around between parent and child now. It doesn't make sense to have so many different pipes and sockets if one will do just fine.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Dimitri John Ledkov authored
Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Dimitri John Ledkov authored
If netplan is present in the container, configure default networking with netplan instead of ifupdown. Also, do not install ifupdown when bootstrapping minbase variant, unless using currently supported non-netplan releases (trusty, xenial, zesty).

Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
liblxc will now correctly log any network device names and ifindices in their respective network namespaces. So there's no need to record physical network devices any more. This spares us heap allocations and memory we need to have lying around until the container is shut down.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
On privileged network creation we only retrieved the names and ifindices of network devices in the host's network namespace. This meant that the monitor process was acting on possibly incorrect information. With this commit we have the child send back the correct device names and ifindices in the container's network namespace.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
This renames the socketpair() variable "ttysock" to "data_sock" since we will use it to send arbitrary data around, not just ttys anymore.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-