The container name can't be NULL so don't give coverity the impression that it
could be.
Silences coverity #1426123.
Silences coverity #1426124.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
The only cases where we really need to be privileged with respect
to the host is when we are trying to mknod, and in some cases
to do with a physical network device. This patch leaves the
detection of the network device cases as a TODO.
This should fix the currently broken case of starting a privileged
container with at least one veth nic, nested inside an unprivileged
container.
Cc: Tycho Andersen <tycho@tycho.ws>
Signed-off-by: Serge Hallyn <shallyn@cisco.com>
Sometimes we want to know whether we are privileged wrt our
namespaces, and sometimes we want to know whether we are priv
wrt init_user_ns.
Signed-off-by: Serge Hallyn <shallyn@cisco.com>
Issues fixed:
- lxc-centos died about a missing /run directory
- lxc-centos complained about some config files it couldn't modify
- the new container got stuck at startup time for a minute
(literally), waiting for systemd-remount-fs startup script
Of course it still works for RHEL 6, CentOS 6 and 7 as well. I did not
verify earlier CentOS or RHEL releases.
Signed-off-by: Harald Dunkel <harald.dunkel@aixigo.de>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Perform MS_REMOUNT on mounts with MS_RDONLY.
Signed-off-by: LiFeng <lifeng68@huawei.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Set the same environment variables that were used when starting the container
when attaching to the container.
Signed-off-by: LiFeng <lifeng68@huawei.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
For the ->execute() case, we want to make sure the application dies when
SIGHUP is received. The next patch will ignore SIGHUP in the lxc monitor,
because tasks inside the container send SIGHUP to init to have it reload
its config sometimes, and we don't want to do that with init.lxc, since it
might actually kill the container if it forwards SIGHUP to the child and
the child can't handle it.
Signed-off-by: Tycho Andersen <tycho@tycho.ws>
d76e3e1 inadvertently switched the alarm timeout from sigterm to sigkill.
We really want sigkill here, so let's bring it back.
Signed-off-by: Tycho Andersen <tycho@tycho.ws>
With LXC, you can override the value of an environment variable to
null, but you can't unset an existing variable.
The NVIDIA hook was previously activated when NVIDIA_VISIBLE_DEVICES
was set to null. As a result, it was not possible to disable the hook
by overriding the environment variable in the configuration.
The hook can now be disabled by setting NVIDIA_VISIBLE_DEVICES to
null or to the new special value "void".
Signed-off-by: Felix Abecassis <fabecassis@nvidia.com>
Since we stopped linking against AppArmor we can now remove the conditional
compilation.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
