We really need to split up our code into better chunks so we avoid all of this
duplicated compilation.
Fixes: https://github.com/lxc/lxc/issues/4249
Signed-off-by: Christian Brauner (Microsoft) <christian.brauner@ubuntu.com>
Don't build lsm/apparmor.c if apparmor is explicitly disabled by the
user to avoid the following build failure with gcc 4.8:
/home/buildroot/autobuild/run/instance-3/output-1/host/arm-buildroot-linux-gnueabi/sysroot/usr/include/bits/fcntl2.h: In function '__apparmor_process_label_open.isra.0':
/home/buildroot/autobuild/run/instance-3/output-1/host/arm-buildroot-linux-gnueabi/sysroot/usr/include/bits/fcntl2.h:50:24: error: call to '__open_missing_mode' declared with attribute error: open with O_CREAT in second argument needs 3 arguments
__open_missing_mode ();
^
Fixes:
- http://autobuild.buildroot.org/results/c9f05ad264543adf429badb99310905427092772
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
It looks like we made a mistake while detecting cgroup layout,
we are always set CGFSNG_LAYOUT_UNIFIED bit.
Reported-by: coverity (CID #1497115)
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
I can't see a real problem here, but let's just add a check
just in case.
Reported-by: coverity (CID #1517314)
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Despite the fact that struct nl_handler is filled zeros
in netlink_open() there are two cases where we have possible
exit paths from the function before netlink_open() is called.
At the same time we have cleaner registered:
call_cleaner(netlink_close)
Two cases:
- netdev_get_flag
- lxc_ipvlan_create
If we are exiting from these functions before netlink_open()
is called we will close random file descriptor by reading
it from (struct nl_handler)->fd.
Let's just properly initialize this structure in all cases
to prevent this bug in the future.
Reported-by: coverity (CID #1517319 and #1517316)
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Should fix
meson.build:494:0: ERROR: C header 'security/pam_modules.h' not found
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
1. install meson (ninja is dependency)
2. run meson setup before ninja build
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Finally, we turn the rootfs into a shared mount. Note, that this
doesn't reestablish mount propagation with the hosts mount
namespace. Instead we'll create a new peer group.
We're doing this because most workloads do rely on the rootfs being
a shared mount. For example, systemd daemon like sytemd-udevd run in
their own mount namespace. Their mount namespace has been made a
dependent mount (MS_SLAVE) with the host rootfs as it's dominating
mount. This means new mounts on the host propagate into the
respective services.
This is broken if we leave the container's rootfs a dependent mount.
In which case both the container's rootfs and the service's rootfs
will be dependent mounts with the host's rootfs as their dominating
mount. So if you were to mount over the rootfs from the host it
would not just propagate into the container's mount namespace it
would also propagate into the service. That's nonsense semantics for
nearly all relevant use-cases. Instead, establish the container's
rootfs as a separate peer group mirroring the behavior on the host.
Signed-off-by: Christian Brauner (Microsoft) <christian.brauner@ubuntu.com>
If the monitor runs as root we can assume it's able to remove the cgroups it
created when the container started.
Fixes: https://github.com/lxc/lxd/issues/11108
Signed-off-by: Christian Brauner (Microsoft) <christian.brauner@ubuntu.com>
When removing cgroups we can't always use the minimal idmap if the user has
specified a specific map for the container instead of just a simple one.
Execute cgroup removal under the full map.
Fixes: https://github.com/lxc/lxd/issues/11108
Signed-off-by: Christian Brauner (Microsoft) <christian.brauner@ubuntu.com>
It's more or less dead. If we care about a service like this we should use
something else.
Signed-off-by: Christian Brauner (Microsoft) <christian.brauner@ubuntu.com>
Unfortunately, builds using alpine:edge still break!
Apparently, run_command(...).stdout() must be strip()'ed for variable
assignments
Addendum to 60e292c64a
Fixes issue #4223
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
Add the prototype for __clone2(...) that is used on ia64, and adjust the
code to use it via macro tests.
Verified that the code compiles properly on Debian's ia64 porterbox
(yttrium), but was unable to actually run as lxc-test-reboot requires
root privileges.
Signed-off-by: Mathias Gibbens <gibmat@debian.org>
On openSUSE, our packages are build in the Open Build Service which does
not have a proper systemd installation that you can query to get the
systemdunitdir.
The simplest solution is to re-add the ability to explicitly set the
systemdunitdir (as was previously possible with the autotools build
system in pre-5.0 LXC).
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
For some reason, openSUSE has a very strange layout in sys/mount.h where
the definition of all of the FS_CONFIG_* idents are present but are
ifdef'd out in such a way that they will never be defined in an actual
build:
#define FSOPEN_CLOEXEC 0x00000001
/* ... */
#ifndef FSOPEN_CLOEXEC
enum fsconfig_command
{
FSCONFIG_SET_FLAG = 0, /* Set parameter, supplying no value */
# define FSCONFIG_SET_FLAG FSCONFIG_SET_FLAG
/* ... */
};
#endif
Unfortunately, while cc.has_header_symbol is faster, it cannot handle
this which results in compilation errors on openSUSE because the
FS_CONFIG_* symbols are actually not defined when compiling even though
the ident is present in the header. Switching to cc.get_define fixes
this issue.
Fixes: cbabe8abf1 ("build: check for FS_CONFIG_* header symbol in sys/mount.h")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
Without setting this, the default build will fail if you don't have the
static libcap library installed (on openSUSE this is packaged separately
to libcap-devel).
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
Among other things, openSUSE places seccomp.h inside a non-default
include directory (/usr/include/seccomp/seccomp.h) which revealed
several issues with how dependencies were being handled previously.
The most notable issue is that the include cflags of our build
dependencies were not being provided to the recipes for static
executables (yet they still expected access to the dependency headers).
This also involved a minor cleanup of how these dependencies are
collected, and added liburing to the set of private pkg-config libs
(which I assume was an oversight?).
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
While in principle the pointer could overflow, GCC 12 considers this to
not be possible and issues the following warning:
../src/lxc/cgroups/cgfsng.c: In function ‘__cgfsng_delegate_controllers’:
../src/lxc/cgroups/cgfsng.c:3306:21: warning: the comparison will always evaluate as ‘true’ for the pointer operand in ‘it + 8’ must not be NULL [-Waddress]
3306 | if ((it + 1) && *(it + 1))
| ^
This removes the only build warning triggered when building on openSUSE.
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
This test will fail on Jammy 5.15, and because of the "set -e" it
will never go through the lxc-stop and lxc-destroy code in the end
of this script. Thus the lxc-test-criu container will not be removed.
Compose a cleanup() and use TRAP to solve this problem.
Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
Looks like the --force is a flag to stop a running container before
destroying it.
Update the help message accordingly.
Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
