Commit Graph

302 Commits

Author SHA1 Message Date
Stéphane Graber
97f93be72e
meson: Align SPDX license id
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
2024-04-02 20:42:09 -04:00
Stéphane Graber
a074b3d27c
config/yum: Use SPDX header
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
2024-04-02 17:50:03 -04:00
Lumière Élevé
e88883445a
lxc-net: Enable IPv6 by default
Signed-off-by: Lumière Élevé <88174309+PoneyClairDeLune@users.noreply.github.com>
2024-02-23 16:53:17 -05:00
Alexander Mikhalitsyn
d51ea224e8
config: apparmor: add AppArmor profile for lxc-copy
lxc-copy can start a container as lxc-start does in some cases,
so we need to have the same profile for it.

Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
2024-02-15 17:59:59 +01:00
Stéphane Graber
1fbe1b0813
Merge pull request #4363 from zhaixiaojuan/main
Add loongarch64 support
2024-01-14 22:53:37 +01:00
zhaixiaojuan
df17ac417e
Add loongarch64 support
Signed-off-by: zhaixiaojuan <zhaixiaojuan@loongson.cn>
2023-12-21 16:19:15 +08:00
Simon Deziel
abffab441e
config/init: Drop upstart files
Signed-off-by: Simon Deziel <simon.deziel@canonical.com>
2023-11-24 14:21:34 -05:00
Alexander Mikhalitsyn
890de07594
lsm: apparmor: allow to change mount propagation
Long story behind this. Many years ago, Stéphane Graber
discovered an issue with apparmor mount rules.

Since commit 7f2b13275d ("apparmor: Update mount states handling") it was
prohibited to change mount propagation flags, just because by adding rules
which allow mount propagation, a user inside the container gets the ability
to mount everything [1].

Now with modern systemd versions this problem becomes more critical than
before. For instance, ArchLinux containers fail to start without the
nesting apparmor profile enabled (because the nesting profile effectively
just allows all mounts). Of course, that's a security issue.

We've also enabled sharing on the container rootfs:
https://github.com/lxc/lxc/pull/4229

Now for many workloads it's needed to change the propagation flag to
private (see https://github.com/canonical/craft-parts/pull/400).

Issue:
$ lxc-start -F archlinux-test

systemd 253-1-arch running in system mode (+PAM +AUDIT -SELINUX -APPARMOR -IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY +P11KIT -QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK +XKBCOMMON +UTMP -SYSVINIT default-hierarchy=unified)
Detected virtualization lxc.
Detected architecture x86-64.

Welcome to Arch Linux!

bpf-lsm: BPF LSM hook not enabled in the kernel, BPF LSM not supported
Failed to remount root directory as MS_SLAVE: Permission denied
(sd-gens) failed with exit status 1.
[!!!!!!] Failed to start up manager.
Exiting PID 1...

Workaround (unsafe):
$ lxc-start -s lxc.apparmor.allow_nesting=1 -s lxc.apparmor.profile=generated -F arch-test

John Johansen (AppArmor maintainer) and the LXD team worked on a fix [2].
It has already been merged into the stable AppArmor 3.0 and 3.1 branches.
There is no stable AppArmor version tag for that, but I think it will
be in AppArmor version 3.0.10.

See also:
[1] https://bugs.launchpad.net/apparmor/+bug/1597017
[2] https://gitlab.com/apparmor/apparmor/-/merge_requests/333

Fixes: #4280

Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
2023-03-31 14:30:19 +02:00
Scott Moser
4ea0b361f1
Allow fuse mounts in apparmor start-container.
An unprivileged user should be able to do fuse mounts during start-container.
Specifically this solves the problem for un-priv fuse mounting via
pre-hook.

Signed-off-by: Scott Moser <smoser@brickies.net>
2023-02-27 09:07:38 -05:00
Quentin Lyons
4de047f513
lxc-net.in: fix nftables syntax for IPv6 NAT
The nftables masquerade rule for IPv6 was using the IPv4 syntax. This
resulted in the following error when starting the lxc-net.service with
LXC_IPV6_NAT="true" and nftables:

    Feb 11 18:54:54 pc lxc-net[4936]: Error: conflicting protocols specified: ip6 vs. ip
    Feb 11 18:54:54 pc lxc-net[4936]:                              ^^^^^^^^
    Feb 11 18:54:54 pc lxc-net[4917]: Failed to setup lxc-net.
    Feb 11 18:54:54 pc systemd[1]: lxc-net.service: Main process exited, code=exited, status=1/FAILURE
    Feb 11 18:54:54 pc systemd[1]: lxc-net.service: Failed with result 'exit-code'.
    Feb 11 18:54:54 pc systemd[1]: Failed to start LXC network bridge setup.

Signed-off-by: Quentin Lyons <36303164+n0p90@users.noreply.github.com>
2023-02-12 02:24:22 +00:00
Serge Hallyn
43ad7816d8
lxc-default-cgns apparmor profile: allow overlay mounts
Signed-off-by: Serge Hallyn <serge@hallyn.com>
2023-01-09 13:36:45 -06:00
Christian Brauner
01ae6d4713
apparmor: allow shared mounts in start-container.in
Signed-off-by: Christian Brauner (Microsoft) <christian.brauner@ubuntu.com>
2022-11-29 20:58:14 +01:00
Aleksa Sarai
c6c705bfa3
build: drop build-time systemd dependency
On openSUSE, our packages are built in the Open Build Service which does
not have a proper systemd installation that you can query to get the
systemdunitdir.

The simplest solution is to re-add the ability to explicitly set the
systemdunitdir (as was previously possible with the autotools build
system in pre-5.0 LXC).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2022-10-31 00:07:56 +11:00
Christian Brauner
6bb8d4ce31
config: make lxc-{containers,net}.in executable
Signed-off-by: Christian Brauner (Microsoft) <christian.brauner@ubuntu.com>
2022-06-08 18:52:14 +02:00
Stéphane Graber
4c8139f9cf
Remove autotools
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2022-06-08 00:46:59 -04:00
Stéphane Graber
299f3f80d2
meson: Export LXC_DISTRO_SYSCONF
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2022-06-02 16:49:58 -04:00
Stéphane Graber
6105cc7f53
meson: Add apparmor profiles
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2022-05-30 19:16:42 -04:00
Stéphane Graber
36a53f3026
meson: Add sysconfig
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2022-05-30 19:16:41 -04:00
Stéphane Graber
8131bb44ec
meson: Add init scripts
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2022-05-30 19:16:40 -04:00
Stéphane Graber
9647df5464
Merge pull request #4115 from terceiro/rename-completion
bash: rename main bash completion file
2022-05-15 16:58:16 -04:00
Stéphane Graber
d9121fff7b
meson: Add remaining scripts
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2022-05-12 22:24:04 +02:00
Stéphane Graber
e4e52844c7
meson: Add init helper scripts
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2022-05-12 22:24:02 +02:00
Stéphane Graber
c2931f74c5
meson: Add common configs
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2022-05-12 22:24:01 +02:00
Stéphane Graber
7c927048f1
meson: Add SELinux configs
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2022-05-12 22:23:59 +02:00
Stéphane Graber
9d18059b8d
meson: Add global config
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2022-05-12 22:23:58 +02:00
Antonio Terceiro
25d1b3fb09
bash: rename main bash completion file
Since the `lxc` binary is actually provided by lxd, the main
bash-completion file needs to be moved away to not conflict with a bash
completion file provided for the `lxc` binary by lxd.

Signed-off-by: Antonio Terceiro <terceiro@debian.org>
2022-05-12 10:47:18 -03:00
Stéphane Graber
4a858b5665
meson: Add bash completion
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2022-05-01 12:21:53 +02:00
Leesoo Ahn
f97607e02c
lxc-net.in: fix failure executing dnsmasq
Failure executing dnsmasq happens if the misc dir does not exist, as the
following error messages show.

localhost.localdomain systemd[1]: Starting LXC network bridge setup...
localhost.localdomain lxc-net[5754]: dnsmasq: cannot open or create lease file /usr/local/var/lib/misc/dnsmasq.lxcbr0.leases: No such file or directory
localhost.localdomain dnsmasq[5754]: cannot open or create lease file /usr/local/var/lib/misc/dnsmasq.lxcbr0.leases: No such file or directory
localhost.localdomain dnsmasq[5754]: FAILED to start up
localhost.localdomain lxc-net[5727]: Failed to setup lxc-net.
localhost.localdomain lxc-net[5727]: Failed to setup lxc-net.
localhost.localdomain systemd[1]: lxc-net.service: Main process exited, code=exited, status=1/FAILURE
localhost.localdomain systemd[1]: lxc-net.service: Failed with result 'exit-code'.
localhost.localdomain systemd[1]: Failed to start LXC network bridge setup.

Modify the 'lxc-net' script to call 'mkdir -p' if the directory does not
exist before executing the dnsmasq daemon.

Signed-off-by: Leesoo Ahn <lsahn@ooseel.net>
2022-04-02 20:23:21 +09:00
Antonio Terceiro
b9dd36af0c
lxc-net: don't start by default inside lxc
When lxc is installed inside an lxc container, trying to bring up
lxc-net with the default parameters will conflict with the networking
setup for lxc on the host. This breaks all networking inside the
container where lxc is installed.

Signed-off-by: Antonio Terceiro <terceiro@debian.org>
2022-02-02 15:14:09 -03:00
Christian Brauner
e27637b7b9
build: simplify thread local storage handling
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2022-01-20 12:12:59 +01:00
Diederik de Haas
ac46b35693
Replace deprecated backticks with $() construct
See https://github.com/koalaman/shellcheck/wiki/SC2006 for details.
Not only does this use the recommended construct, it also makes the code
more uniform, as in many other places the $() construct was already used.

Signed-off-by: Diederik de Haas <didi.debian@cknow.org>
2021-10-28 20:15:29 +02:00
Diederik de Haas
7a7671655a
Replace 'which' with 'command -v'
The 'which' command is deprecated on Debian Sid as it is not POSIX
compliant and its behavior is therefore not consistent, so replace it
with 'command -v', which is POSIX compliant.
See https://stackoverflow.com/a/677212 for details.

Also replaced a use of backticks (`) as that is deprecated as well.
See https://github.com/koalaman/shellcheck/wiki/SC2006 for details.

Signed-off-by: Diederik de Haas <didi.debian@cknow.org>
2021-10-28 17:27:08 +02:00
Heinrich Schuchardt
07459c88d5
Add riscv64 to --arch parameter values
lxc-attach uses an --arch parameter. 'riscv64' should be a usable value.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
2021-10-19 13:18:02 +02:00
Edênis Freindorfer Azevedo
d9be2feb09
Fix lxc-cgroup smart completion.
Also make the bash function more readable.

Signed-off-by: Edênis Freindorfer Azevedo <edenisfa@gmail.com>
2021-09-08 10:40:49 -03:00
Edênis Freindorfer Azevedo
b3dcb19407
Refactor __lxc_check_name_present().
Print name of container found, if any.

Signed-off-by: Edênis Freindorfer Azevedo <edenisfa@gmail.com>
2021-09-07 22:24:06 -03:00
Edênis Freindorfer Azevedo
c227466673
Check completion for prefixes names.
If a name is a prefix of another word available for completion, adjust
to show all words with given prefix.

Signed-off-by: Edênis Freindorfer Azevedo <edenisfa@gmail.com>
2021-09-07 22:24:06 -03:00
Edênis Freindorfer Azevedo
83ca245532
Add __lxc_cgroup_state_object().
Support cgroup state-object completion values for `lxc-cgroup`.

Signed-off-by: Edênis Freindorfer Azevedo <edenisfa@gmail.com>
2021-09-07 22:24:06 -03:00
Edênis Freindorfer Azevedo
d36b3a3a9a
Update _lxc_usernsexec.
Not really much can be done for this function, as `-m` requires an ID
mapping that has to be manually input, since it will use
`/etc/sub{g,u}id` if not specified.

Signed-off-by: Edênis Freindorfer Azevedo <edenisfa@gmail.com>
2021-09-07 22:24:06 -03:00
Edênis Freindorfer Azevedo
2b86aa4c23
Add completion for lxc-copy param --fssize.
Signed-off-by: Edênis Freindorfer Azevedo <edenisfa@gmail.com>
2021-09-07 22:24:06 -03:00
Edênis Freindorfer Azevedo
a33d86d20b
Add __lxc_get_selinux_contexts().
List the SELinux contexts available. Not clear if this could be only for
root or if a normal user with `sudo` is also supported.

Using `Fedora34` for basic testing.

Signed-off-by: Edênis Freindorfer Azevedo <edenisfa@gmail.com>
2021-09-07 22:24:06 -03:00
Edênis Freindorfer Azevedo
4cd0915e76
Refactor __lxc_groups() to __lxc_get_groups().
Make the code logic clearer about what is being done.

Signed-off-by: Edênis Freindorfer Azevedo <edenisfa@gmail.com>
2021-09-07 22:24:06 -03:00
Edênis Freindorfer Azevedo
f73bcca529
Another round of more bash-like syntax.
Signed-off-by: Edênis Freindorfer Azevedo <edenisfa@gmail.com>
2021-09-07 22:23:57 -03:00
Edênis Freindorfer Azevedo
b73b4ec7fb
Fix lxc-create completion.
Do not append a name of an existing container.

Signed-off-by: Edênis Freindorfer Azevedo <edenisfa@gmail.com>
2021-09-07 22:23:57 -03:00
Edênis Freindorfer Azevedo
d72a39a528
Add support for comma as a completion word.
For `lxc-ls --groups` and `lxc-autostart --groups`.
Support leading comma, trailing comma, embedded double comma.

Signed-off-by: Edênis Freindorfer Azevedo <edenisfa@gmail.com>
2021-09-07 22:23:57 -03:00
Edênis Freindorfer Azevedo
66e8c08985
Refactor __lxc_piped_args.
Use bash functions for common array operations. Keep code logic somewhat
easy to read for bug hunting.

Signed-off-by: Edênis Freindorfer Azevedo <edenisfa@gmail.com>
2021-09-07 22:23:57 -03:00
Edênis Freindorfer Azevedo
53431db944
Fix lxc-snapshot completion.
For options `-r,--restore` and `-d,--destroy`, we need the container
name to create the list of completion values.

Therefore, it is needed to scan the current command line to check if
there is a container name available.

Signed-off-by: Edênis Freindorfer Azevedo <edenisfa@gmail.com>
2021-09-07 22:23:57 -03:00
Edênis Freindorfer Azevedo
8617586740
Use more bash-like syntax.
Signed-off-by: Edênis Freindorfer Azevedo <edenisfa@gmail.com>
2021-09-07 22:23:46 -03:00
Edênis Freindorfer Azevedo
6139460643
Add support for container composed names.
When a container name has whitespace in it
(e.g. created by `lxc-create -t download -n "arch linux"` ),
the completion for other commands should be able to work by adding a
backslash to escape it.

Although it may be interesting to support names between quotes, this
would probably mean having to add quotes to all names. Might not be
interesting just due to an edge case.

Signed-off-by: Edênis Freindorfer Azevedo <edenisfa@gmail.com>
2021-09-06 17:00:32 -03:00
Edênis Freindorfer Azevedo
8e4c68e67a
Add completion output for lxc-ls --fancy-format.
Signed-off-by: Edênis Freindorfer Azevedo <edenisfa@gmail.com>
2021-09-06 17:00:32 -03:00
Edênis Freindorfer Azevedo
8aa4490505
Improve name completion handling.
Use regex to handle the short option `-n`, since short options can be
combined (e.g. `-nd`) as long as at most one requires an argument.

Also consider the case when the arg for the long option is not given
together with `--name=`.

Signed-off-by: Edênis Freindorfer Azevedo <edenisfa@gmail.com>
2021-09-06 17:00:32 -03:00