With LXC, you can override the value of an environment variable to
null, but you can't unset an existing variable.
The NVIDIA hook was previously activated when NVIDIA_VISIBLE_DEVICES
was set to null. As a result, it was not possible to disable the hook
by overriding the environment variable in the configuration.
The hook can now be disabled by setting NVIDIA_VISIBLE_DEVICES to
null or to the new special value "void".
Signed-off-by: Felix Abecassis <fabecassis@nvidia.com>
Since we stopped linking against AppArmor we can now remove the conditional
compilation.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
This lets users use the tools with "lxc-* -n <container-name>" or
"lxc-* <container-name>".
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
The package has pretty much always been iproute2 with iproute being an
alias for it, the alias is now gone so we need to use iproute2.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
In particular, if we are already in a user namespace we are unprivileged,
and doing things like moving the physical nics back to the host netns won't
work. Let's do the same thing LXD does if euid == 0: inspect
/proc/self/uid_map and see what that says.
Signed-off-by: Tycho Andersen <tycho@tycho.ws>
Consider the case where we're running in a user namespace but in the host's
mount ns with the host's filesystem (something like
lxc-usernsexec ... lxc-execute ...), in this case, we'll be euid 0, but we
can't actually write to /run. Let's improve this locking check to make sure
we can actually write to /run before we decide to actually use it as our
locking dir.
Signed-off-by: Tycho Andersen <tycho@tycho.ws>
lxc_cgroup_set_data: h = get_hierarchy(controller);
if h is NULL, now errno is old, it donot set new one.
And then,
cgfsng_setup_limits:
if (lxc_cgroup_set_data(cg->subsystem, cg->value, d)) {
if (do_devices && (errno == EACCES ||
errno == EPERM)) {
WARN("Error setting %s to %s for %s",
cg->subsystem, cg->value,
d->name);
continue;
}
SYSERROR("Error setting %s to %s for
%s",
cg->subsystem, cg->value,
d->name);
goto out;
}
SYSERROR will show old errno, make me confused.
Signed-off-by: duguhaotian <duguhaotian@gmail.com>
The last user of ip_forward_set, lxc_ip_forward_on and
lxc_ip_forward_off was in 2009:
commit 92d385229b
Author: Daniel Lezcano <dlezcano@fr.ibm.com>
Date: Thu Oct 22 15:33:40 2009 +0200
remove test directory
These functions are not called anymore.
Signed-off-by: Marcos Paulo de Souza <marcos.souza.org@gmail.com>
Since we write the label directly without going through the AppArmor API it
doesn't make sense to link against it.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
