Ruben Jenster
eb60b5648b
Add missing free for monitor_pivot_dir.
...
Signed-off-by: Ruben Jenster <r.jenster@drachenfels.de>
2020-11-05 11:03:18 +01:00
Stéphane Graber
9f39b9e2f4
Merge pull request #3572 from brauner/2020-11-02/seccomp_nonblocking
...
seccomp: fixes
2020-11-02 12:58:43 -05:00
Christian Brauner
0d724ab4f4
seccomp: log aborted system calls
...
Suggested-by: Jann Horn <jann@thejh.net>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-11-02 16:48:52 +01:00
Christian Brauner
a60c98aaf6
seccomp: make seccomp notifier fd non-blocking
...
Suggested-by: Jann Horn <jann@thejh.net>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-11-02 16:48:52 +01:00
Stéphane Graber
7fde74f375
Merge pull request #3568 from brauner/2020-10-28/fixes
...
coverity fixes
2020-10-28 08:02:51 -04:00
Christian Brauner
65129087f4
attach: require that LXC_ATTACH_LSM_LABEL is specified
...
to avoid liblxc stumbling over a smaller struct passed in from an older
liblxc. In the future we should version by size but this requires a new
attach2().
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-10-28 04:16:41 +01:00
Christian Brauner
0dde733e5a
utils: check snprintf return value
...
Fixes: Coverity 1465853
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-10-28 04:04:42 +01:00
Christian Brauner
8ddf34f7a0
conf: check snprint return value
...
Fixes: Coverity 1465854
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-10-28 04:03:31 +01:00
Christian Brauner
3715d0c03f
utils: don't deref after NULL check
...
Fixes: Coverity 1465855
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-10-28 04:01:19 +01:00
Christian Brauner
ec0befee94
commands: don't deref after NULL check
...
Fixes: Coverity 1465657
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-10-28 03:58:54 +01:00
Christian Brauner
bf0b9c1ed6
Merge pull request #3567 from blenk92/lxc-attach-selinux
...
lxc-attach: Enable setting the SELinux context
2020-10-27 17:45:46 +01:00
Christian Brauner
a093bb0f5c
Merge pull request #3563 from Drachenfels-GmbH/cgroup-fixes
...
cgroups: Introduce lxc.cgroup.dir.monitor.pivot - fixes cgroup removal on termination
2020-10-27 17:44:59 +01:00
Christian Brauner
5fd31e375f
Merge pull request #3562 from Drachenfels-GmbH/seccomp-fixes
...
seccomp: fix pseudo syscalls, improve logging and avoid duplicate processing
2020-10-27 17:44:38 +01:00
Christian Brauner
10397a8031
Merge pull request #3565 from Drachenfels-GmbH/test-fixes
...
tests: Fix compilation with apparmor enabled.
2020-10-27 17:14:16 +01:00
Christian Brauner
dd8d550919
Merge pull request #3564 from Drachenfels-GmbH/fixes
...
lxccontainer: fix lxc_config_item_is_supported
2020-10-27 17:12:51 +01:00
Maximilian Blenk
8455e39efe
lxc-attach: Enable setting the SELinux context
...
Enable lxc-attach to set the SELinux context that the user will end up
in when attaching to a container (This can be used to overwrite the
context set in the config file). If the option is not used, behavior
will be as before.
Signed-off-by: Maximilian Blenk <Maximilian.Blenk@bmw.de>
2020-10-27 17:03:20 +01:00
Ruben Jenster
beff993939
tests: Fix compilation with apparmor enabled.
...
Signed-off-by: Ruben Jenster <r.jenster@drachenfels.de>
2020-10-27 09:48:34 +01:00
Ruben Jenster
6eb516a793
lxccontainer: fix lxc_config_item_is_supported
...
Use exact match instead of longest prefix match
to check whether a config item is supported.
Signed-off-by: Ruben Jenster <r.jenster@drachenfels.de>
2020-10-27 09:47:55 +01:00
Ruben Jenster
7696c1f9d1
Introduce lxc.cgroup.dir.monitor.pivot
...
On termination lxc may fail to remove either lxc.cgroup.dir or lxc.cgroup.dir.monitor,
because the monitor process may still be a member of either of these cgroups.
The pivot cgroup should not be a member (subpath) of any other container cgroup (dir),
because only empty cgroups can be removed.
Signed-off-by: Ruben Jenster <r.jenster@drachenfels.de>
2020-10-27 09:23:01 +01:00
Ruben Jenster
15044cd19c
seccomp: Avoid duplicate processing of rules for host native arch.
...
Signed-off-by: Ruben Jenster <r.jenster@drachenfels.de>
2020-10-27 08:37:52 +01:00
Ruben Jenster
0ff0d23e40
seccomp: Fix handling of pseudo syscalls and improve logging for rule processing.
...
Signed-off-by: Ruben Jenster <r.jenster@drachenfels.de>
2020-10-27 08:35:00 +01:00
Stéphane Graber
c8fe11552a
Merge pull request #3561 from tenforward/japanese
...
Update Japanese pam_cgfs(8) to reflect lack of support for pure cgroupv2
2020-10-24 13:59:10 -04:00
KATOH Yasufumi
bf73687ae5
Update Japanese pam_cgfs(8) to reflect lack of support for pure cgroupv2
...
Update for commit b87ed83bbc
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
2020-10-25 01:35:35 +09:00
Stéphane Graber
c639f45ee5
Merge pull request #3559 from brauner/2020-10-20/fixes
...
conf: account for early return when sending devpts fd
2020-10-20 12:21:53 -04:00
Christian Brauner
185b9ee91b
conf: account for early return when sending devpts fd
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-10-20 17:41:06 +02:00
Stéphane Graber
f4da1c37e6
Merge pull request #3558 from brauner/2020-10-20/fixes
...
conf: always send response to parent waiting for devptfs_fd
2020-10-20 08:22:49 -04:00
Christian Brauner
68f3899e4a
conf: always send response to parent waiting for devptfs_fd
...
When no devpts devices are requested we used to return early but did not send a
response to the parent. This is a problem because the parent will be waiting
for a devpts fd to be sent. Make sure to always send a response.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-10-20 13:34:24 +02:00
Stéphane Graber
1593efb5d7
Merge pull request #3556 from brauner/2020-10-19/fixes
...
startup fixes
2020-10-19 08:29:16 -04:00
Christian Brauner
fbfe5c8208
start: improve devpts fd sending
...
Closes: #3549.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-10-19 12:18:54 +02:00
Christian Brauner
5befd767a6
sync: log synchronization states
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-10-19 12:18:53 +02:00
Christian Brauner
35f0c46e0d
sync: switch to new error helpers
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-10-19 12:18:53 +02:00
Stéphane Graber
a282f7792f
Merge pull request #3555 from brauner/2020-10-16/seccomp
...
seccomp: fix compilation on powerpc
2020-10-16 08:17:26 -04:00
Christian Brauner
50926f4b2c
seccomp: fix compilation on powerpc
...
Link: https://launchpadlibrarian.net/502200189/buildlog_snap_ubuntu_bionic_ppc64el_lxd-latest-edge_BUILDING.txt.gz
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-10-16 12:22:57 +02:00
Wolfgang Bumiller
eb587451d0
Merge pull request #3553 from brauner/2020-10-15/seccomp
...
seccomp: bugfixes
2020-10-15 11:38:49 +02:00
Christian Brauner
dc70d7e4fb
seccomp: improve default notification sending
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-10-15 10:08:53 +02:00
Christian Brauner
a76fe490dc
seccomp: log invalid seccomp notify ids
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-10-15 09:44:01 +02:00
Christian Brauner
186ff2beaf
Merge pull request #3548 from Drachenfels-GmbH/master
...
seccomp: Check if syscall is supported on compat architecture.
2020-10-13 22:12:29 +02:00
Ruben Jenster
fbec5f832b
seccomp: Check if syscall is supported on compat architecture.
...
Signed-off-by: Ruben Jenster <r.jenster@drachenfels.de>
2020-10-13 17:21:50 +02:00
Stéphane Graber
11d123becb
Merge pull request #3541 from Mingli-Yu/master
...
Remove obsolete setting regarding the Standard Output
2020-09-23 08:01:11 -04:00
Mingli Yu
a7a92a06a4
Remove obsolete setting regarding the Standard Output
...
The Standard output type "syslog" is obsolete, causing a warning since systemd
version 246 [1].
Please consider using "journal" or "journal+console"
[1] https://github.com/systemd/systemd/blob/master/NEWS#L202
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
2020-09-23 07:03:02 +00:00
Stéphane Graber
c37c7b91af
Merge pull request #3540 from brauner/2020-09-17/fixes_2
...
lxc-usernsexec: setgroups() similar to other places shouldn't fail on…
2020-09-17 13:11:20 -04:00
Christian Brauner
3f6e5c831e
lxc-usernsexec: setgroups() similar to other places shouldn't fail on EPERM
...
FAIL: lxc-tests: lxc-test-usernsexec (1s)
---
as test-userns executing /tmp/autopkgtest.waGEXj/build.Hm3/src/src/tests/lxc-test-usernsexec
uid=1001 gid=1001 name=test-userns subuid=165536 subgid=165536 ver=1:4.0.4-0ubuntu3
lxc-utils=1:4.0.4-0ubuntu3 kver=5.8.0-19-generic
USERNSEXEC=lxc-usernsexec
nouidgid: PASS
myuidgid: FAIL - runtest failed 1
$ lxc-usernsexec -mu:0:1001:1 -mg:0:1001:1 -- /tmp/autopkgtest.waGEXj/build.Hm3/src/src/tests/lxc-test-usernsexec inside f0
lxc 20200914222824.562 ERROR utils - utils.c:lxc_setgroups:1363 - Operation not permitted - Failed to setgroups()
kid 73112 is gone 1
subuidgid: PASS
bothsets: PASS
mismatch: PASS
ERRORS: myuidgid
---
Reported-by: Seth Forshee <seth.forshee@canonical.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-09-17 17:46:00 +02:00
Stéphane Graber
b324a25500
Merge pull request #3539 from brauner/2020-09-17/fixes
...
commands: don't fail if unfreeze fails
2020-09-17 11:30:14 -04:00
Christian Brauner
8db8adea44
commands: don't fail if unfreeze fails
...
We can e.g. fail the unfreeze because the freezer cgroup is not available and
then we erroneously report that stopping the container failed.
Closes: #3471.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-09-17 15:51:41 +02:00
Christian Brauner
4226b2e5af
Merge pull request #3532 from alliedtelesis/fix_lxc_attach_crash
...
avoid a NULL pointer dereference in lxc-attach
2020-09-03 10:11:41 +02:00
Christian Brauner
c3941f32de
attach: use lxc_terminal_signal_sigmask_safe_blocked()
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-09-03 08:40:52 +12:00
Christian Brauner
3e3f79bdcd
terminal: introduce lxc_terminal_signal_sigmask_safe_blocked()
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-09-03 08:40:42 +12:00
Scott Parlane
d9346e19eb
avoid a NULL pointer dereference in lxc-attach
...
Seems to appear when stderr is a terminal and not stdin or stdout.
Signed-off-by: Scott Parlane <scott.parlane@alliedtelesis.co.nz>
2020-09-02 17:04:45 +12:00
Christian Brauner
9cc837ef2c
Merge pull request #3531 from JingWoo/cleancode
...
remove useless parameters
2020-08-28 12:12:56 +02:00
wujing
a7c6e83042
remove useless parameters
...
Signed-off-by: wujing <Jing.Woo@outlook.com>
2020-08-28 16:49:00 +08:00