This lets users use the tools with "lxc-* -n <container-name>" or
"lxc-* <container-name>".
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
The package has pretty much always been iproute2 with iproute being an
alias for it, the alias is now gone so we need to use iproute2.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
In particular, if we are already in a user namespace we are unprivileged,
and doing things like moving the physical nics back to the host netns won't
work. Let's do the same thing LXD does if euid == 0: inspect
/proc/self/uid_map and see what that says.
Signed-off-by: Tycho Andersen <tycho@tycho.ws>
Consider the case where we're running in a user namespace but in the host's
mount ns with the host's filesystem (something like
lxc-usernsexec ... lxc-execute ...), in this case, we'll be euid 0, but we
can't actually write to /run. Let's improve this locking check to make sure
we can actually write to /run before we decide to actually use it as our
locking dir.
Signed-off-by: Tycho Andersen <tycho@tycho.ws>
lxc_cgroup_set_data: h = get_hierarchy(controller);
if h is NULL, now errno is old, it donot set new one.
And then,
cgfsng_setup_limits:
if (lxc_cgroup_set_data(cg->subsystem, cg->value, d)) {
if (do_devices && (errno == EACCES ||
errno == EPERM)) {
WARN("Error setting %s to %s for %s",
cg->subsystem, cg->value,
d->name);
continue;
}
SYSERROR("Error setting %s to %s for
%s",
cg->subsystem, cg->value,
d->name);
goto out;
}
SYSERROR will show old errno, make me confused.
Signed-off-by: duguhaotian <duguhaotian@gmail.com>
The last user of ip_forward_set, lxc_ip_forward_on and
lxc_ip_forward_off was in 2009:
commit 92d385229b
Author: Daniel Lezcano <dlezcano@fr.ibm.com>
Date: Thu Oct 22 15:33:40 2009 +0200
remove test directory
These functions are not called anymore.
Signed-off-by: Marcos Paulo de Souza <marcos.souza.org@gmail.com>
Since we write the label directly without going through the AppArmor API it
doesn't make sense to link against it.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
r->ops->destroy() returns an int, -1 on error.
When assigned to a bool, this becomes true and hides errors.
Signed-off-by: Michael McCracken <mikmccra@cisco.com>
It's sort of an implementation detail that this exists at all, and we
should probably not pollute the container's mount tables or FS with this.
Signed-off-by: Tycho Andersen <tycho@tycho.ws>
Now that we have things propagated through init and liblxc correctly, at
least in non-daemon mode, we can exit with the actual exit status of the
task, instead of always succeeding, which is not so helpful.
Signed-off-by: Tycho Andersen <tycho@tycho.ws>
