This adds a new list_containers function to the python3 binding and a
matching override in __init__.py that adds the as_object parameter.
This should be compatible to the previous pure python implementation
with the advantage of also listing active non-defined containers (fixing
github issue #68).
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This adds an lxc-centos template for crreating CentOS 5+ templates. It
does NOT create CentOS 4 or earlier containers as these are way past
end of life and no longer supported. It is based on the work of
Fajar A. Nugraha <github@fajar.net> who modified an earlier Fedora
template. His work has been brought LARGELY into congruence with
the current Fedora template. It still lacks the distro agnostic
bootstrap and systemd code from the Fedora template but those should
only be relevant with CentOS 7 when that can of worms pops open
sometime next year or so.
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
The previous patch added code to add a static route prior to adding the
gateway to the interface.
This commit simply changes the logic so that this is only done on
failure to add the gateway.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Just some additional catches for disabling selinux and pam_loginuid.so
thanks to Dwight Engen and the Oracle template.
Also add ssh and ssh-server to the default installation.
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This pulls a lot of common code out of lxc_user_nic.c. It also
moves one function from conf.c that was duplicated in lxc_user_nic.c
(It removes a DEBUG statement because (a) it doesn't seem actually
useful and (b) DEBUG doesn't work in network.c).
Also replace the old test of only parsing code with a skeleton for
a full test. (Note - the test will need some work, it's just there
as do-what-i-mean code example)
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This adds support for "packages", "user" and "password"
Signed-off-by: Guilhem Lettron <guilhem.lettron@optiflows.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
In general proc gets mounted ahead of time, so init shouldn't
have to do it. Without this patch, you cannot
lxc-execute -n x1 -s lxc.cap.drop=sys_admin /bin/bash
(See https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1253669 for
a bug about this)
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This is necessary to have the rights to remove files owned by our subuids.
Also update lxc_rmdir_onedev to return 0 on success, -1 on failure.
Callers were not consistent in using it correctly, and this is more
in keeping with the rest of our code.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Always build lxc-usernsexec. Else we require having uidmap
installed on the build host for no good reason. And we never
actually used the NEWUIDMAP path we detected.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Added a file "lxc.service" for a systemd service file.
Added a file "lxc-devsetup" to setup /dev/ on startup to support autodev
in containers.
Service file references lxc-devsetup as an ExecStartPre command. The
lxc-devsetup script is not dependent on systemd or Fedora and can
be used at bootup on any system.
Modified lxc.spec.in to install the two new files on Fedora. The systemd
specific code in the lxc.spec file may need some review and conditionalize
for systemd on non-systemd rpm-based systems.
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
If the container is dir-backed, we don't actually mount it (to
support unprivileged use). So always set the LXC_ROOTFS_MOUNT
to bdev->dest, not to the rootfs path specified in the container
configuration.
This should fix bug http://pad.lv/1253573
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
If autodev is not specifically set to 0 or 1, attempts to determine if
systemd is being utilized and forces autodev=1 to prevent host system
conflicts and collisions.
If autodev is enabled and the host /dev is mounted with devtmpfs
or /dev/.lxc is mounted with another file system...
Each container created by a privileged user gets a /dev directory
mapped off the host /dev here:
/dev/.lxc/${name}.$( hash $lxcpath/$name )
Each container created by a non-privileged user gets a /dev/directory
mapped off the host /dev here:
/dev/.lxc/user/${name}.$( hash $lxcpath/$name )
The /dev/.lxc/user is mode 1777 to allow unpriv access.
The /dev/.lxc/{containerdev} is bind mounted into the container /dev.
Fallback on failure is to mount tmpfs into the container /dev.
A symlink is created from $lxcpath/$name/rootfs.dev back to the /dev
relative directory to provid a code consistent reference for updating
container devs.
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
There are scenarios in which we want to execute process with specific
privileges elevated.
An example for this might be executing a process inside the container
securely, with capabilities dropped, but not in container's cgroup so
that we can have per process restrictions inside single container.
Similar to namespaces, privileges to be elevated can be OR'd:
lxc-attach --elevated-privileges='CAP|CGROUP' ...
Backward compatibility with previous versions is retained. In case no
privileges are specified behaviour is the same as before: all of them
are elevated.
Signed-off-by: Nikola Kotur <kotnick@gmail.com>
Acked-By: Christian Seiler <christian@iwakd.de>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
get_allotted doesn't get the list of nic names, only the # of nics
allowed to the user. We check the db_file later for existing
number of nics.
Also close the conf file on success, and print filename and errno
if we failed to open conf file.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Temporarily set our euid back to the calling ruid, so that the
access(2) check can succeed based on the euid being the userns
creator.
Also switch from atoi to strtol
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This also fixes possible crashes due to passing NULL to strlen function
Changes since v1;
* Fixed a typo spotted by Serge
Signed-off-by: S.Çağlar Onur <caglar@10ur.org>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
This allows the boot messages to be seen which are useful for monitoring
container startup.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
This is needed when using the user namespace since the kernel check does
not allow user_ns root to successfully call vhangup(2), and mingetty will
quit in this case.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>