Commit Graph

5727 Commits

Author SHA1 Message Date
Jakub Jirutka
72ead1c054
lxc-alpine: use dl-cdn.a.o as default mirror instead of random one
Some mirrors from the mirrors list are not very reliable and it seems
that no one really wants to use some random mirror as the default
option.

Signed-off-by: Jakub Jirutka <jakub@jirutka.cz>
2017-03-14 17:58:19 +01:00
Jakub Jirutka
288142218a
lxc-alpine: add community repository to default repositories
Signed-off-by: Jakub Jirutka <jakub@jirutka.cz>
2017-03-14 17:50:35 +01:00
Christian Brauner
d32e7cd7f3 Merge pull request #1460 from stgraber/master
Patch from Harald Dunkel + tweak
2017-03-14 14:36:02 +01:00
Stéphane Graber
bd657b44e9
Fix mixed tab/spaces in previous patch
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2017-03-14 12:44:35 +00:00
Harald Dunkel
8fc698019c
Fix lxc-containers to support multiple bridges
Signed-off-by: Harald Dunkel <harald.dunkel@aixigo.de>
2017-03-14 12:42:15 +00:00
Serge Hallyn
7fae49187a Merge pull request #1458 from brauner/2017-01-28/lxc_user_nic_ensure_target_netns_is_caller_owned
lxc-user-nic: improvements
2017-03-12 16:18:06 -05:00
Christian Brauner
9aaaad30ac
conf: only try to delete veth when privileged
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-03-11 13:12:52 +01:00
Christian Brauner
54e9a0e13d
lxc-user-nic: delete link on failure
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-03-11 12:42:49 +01:00
Christian Brauner
2b333aee38
lxc-user-nic: improve + bugfix
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-03-11 12:42:45 +01:00
Christian Brauner
1f109d47e2
lxc-user-nic: re-order #includes
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-03-11 12:09:08 +01:00
Christian Brauner
16af238036
CVE-2017-5985: Ensure target netns is caller-owned
Before this commit, lxc-user-nic could potentially have been tricked into
operating on a network namespace over which the caller did not hold privilege.

This commit ensures that the caller is privileged over the network namespace by
temporarily dropping privilege.

Launchpad: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1654676
Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-03-09 11:35:16 -05:00
Christian Brauner
7c583068ce Merge pull request #1453 from hallyn/2017-03-06/seccomp
seccomp: set SCMP_FLTATR_ATL_TSKIP if available
2017-03-06 22:43:06 +01:00
Serge Hallyn
127c52930b seccomp: set SCMP_FLTATR_ATL_TSKIP if available
Newer libseccomp has a flag called SCMP_FLTATR_ATL_TSKIP which
allows syscall '-1' (nop) to be executed.  Without that flag,
debuggers cannot skip system calls inside containers.  For reference,
see the seccomp(2) manpage, which says:

	The tracer can skip the system call by changing the system call  number  to  -1.

and see the seccomp issue #80

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2017-03-06 14:30:50 -06:00
Serge Hallyn
81e4574cc2 Merge pull request #1449 from brauner/2017-03-03/fix_trim
cgfsng: make trim() safer
2017-03-02 18:16:16 -06:00
Christian Brauner
2c28d76baa
cgfsng: make trim() safer
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-03-03 00:33:40 +01:00
Stéphane Graber
fb8df267ca Merge pull request #1447 from brauner/2017-02-27/fix_logging_timestamps
log: fix lxc_unix_epoch_to_utc()
2017-02-27 11:50:21 -05:00
Christian Brauner
86698d3885
log: fix lxc_unix_epoch_to_utc()
The conversion algorithm uses a clever trick by letting a year start on 1
March. So we need to add 1 for January and February.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-02-27 16:02:24 +01:00
Stéphane Graber
e3e54165fe Merge pull request #1445 from brauner/2017-02-26/dumb_down_invalid_sigchld_warning
start: dumb down SIGCHLD from WARN() to NOTICE()
2017-02-26 11:12:43 -05:00
Christian Brauner
af4c0f05fc
start: dumb down SIGCHLD from WARN() to NOTICE()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-02-26 12:51:30 +01:00
Christian Brauner
8d7638c73f Merge pull request #1417 from zorun/master
debian template: Allow to embed a SSH public key in the new container
2017-02-25 03:02:41 +01:00
Christian Brauner
ad7d44ffec Merge pull request #1444 from evgeni/kill-squeeze
squeeze is not a supported release anymore, drop the key
2017-02-23 22:16:32 +01:00
Evgeni Golov
ac12a36f9c squeeze is not a supported release anymore, drop the key
Signed-off-by: Evgeni Golov <evgeni@debian.org>
2017-02-23 22:04:56 +01:00
Stéphane Graber
6a1fcb8fb1 Merge pull request #1442 from mkeeler/master
Fix issue with the clonehostname hook not working for overlayfs snapshot clones
2017-02-23 12:47:10 -05:00
Matt Keeler
cd85f31e26 Use LXC_ROOTFS_MOUNT in clonehostname hook
Previously this hook did not work when cloning containers using an overlayfs snapshot, as LXC_ROOTFS_PATH didn't point to the actual filesystem that the container would see. LXC_ROOTFS_MOUNT should be used instead; in fact, the lxc.container.conf man page says that you usually would want to use the _MOUNT variant.

Signed-off-by: Matt Keeler <mjkeeler7@gmail.com>
2017-02-23 10:13:16 -05:00
Christian Brauner
4fbf4a3172 Merge pull request #1441 from tych0/only-do-bind-mounts
c/r: only supply --ext-mount-map for bind mounts
2017-02-22 18:29:41 +01:00
Christian Brauner
f79384762e Merge pull request #1438 from stgraber/master
lxc-download: Bump compat level to 4
2017-02-19 23:13:31 +01:00
Stéphane Graber
3ab18243f2
lxc-download: Bump compat level to 4
For templates introduced after LXC 2.0 was released.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2017-02-19 15:17:39 -05:00
Stéphane Graber
5ae75b1d59 Merge pull request #1437 from ganto/lxc-fedora
Various fixes for Fedora bootstrapping on non-Fedora hosts
2017-02-18 11:52:44 -05:00
Reto Gantenbein
3256fa1797 Fix argument parsing for recently added parameters
Signed-off-by: Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
2017-02-18 17:08:48 +01:00
Reto Gantenbein
e93dfa9c34 Adjust indenting
Signed-off-by: Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
2017-02-18 17:08:42 +01:00
Reto Gantenbein
509140b0cd Various fixes for bootstrap image download via HTTPS
- Make sure mirror URL is queried for $FEDORA_RELEASE_DEFAULT
- Fix image path for URLs queried via mirror list

Signed-off-by: Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
2017-02-18 17:08:36 +01:00
Reto Gantenbein
c898497de8 Fix undefined arch on initial bootstrap setup
Signed-off-by: Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
2017-02-18 17:08:29 +01:00
Christian Brauner
ba54e0846c Merge pull request #1435 from stgraber/master
sabayon: Use /bin/bash
2017-02-18 01:34:51 +01:00
Stéphane Graber
4e133789e1
sabayon: Use /bin/bash
The script is full of bashisms making it break when run with a simple
POSIX shell.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2017-02-17 17:06:23 -05:00
McCabe, Robert J
2f604eb575 Added 'mkdir -p' functionality in create_or_remove_cgroup
This allows us to run LXC containers from within docker

Signed-off-by: McCabe, Robert J <Robert.McCabe@rockwellcollins.com>
2017-02-16 18:12:23 -06:00
Stéphane Graber
a75c00c6d0 Merge pull request #1371 from ganto/lxc-fedora
Complete rework of lxc-fedora template
2017-02-16 22:12:33 +01:00
Christian Brauner
7dbcfe7383
tools: exit with return code of lxc_execute()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-02-16 02:22:20 +01:00
Tycho Andersen
19d2422b99 c/r: only supply --ext-mount-map for bind mounts
The rest of the mounts can be restored normally.

Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
2017-02-15 11:28:24 -07:00
Serge Hallyn
c5bce6ee3c Merge pull request #1428 from kilobyte/master
fix seccomp blocking x32 guests on amd64 (userspace) hosts
2017-02-14 23:35:02 -06:00
Christian Brauner
1f14c2ea3d Merge pull request #1430 from ffontaine/master
Add HAVE_LIBCAP
2017-02-12 16:32:37 +01:00
Fabrice Fontaine
e37dda7156 Add HAVE_LIBCAP
Currently it is impossible to build lxc with --disable-capabilities if
the user has libcap-dev installed on his system as:
 - calls to cap_xxx functions are not protected by HAVE_LIBCAP defines.
   The whole file is only protected by HAVE_SYS_CAPABILITY_H.
 - AC_CHECK_LIB default action-if-found is overridden by [true] so
   HAVE_LIBCAP is never written to config.h

This patch replaces all HAVE_SYS_CAPABILITY_H checks by HAVE_LIBCAP
checks (fix #1361)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
2017-02-12 14:55:05 +01:00
Adam Borowski
11de80d63c seccomp: allow x32 guests on amd64 hosts.
Without this patch, x32 guests (and no others) worked "natively" with x32
host lxc, but not on regular amd64 hosts.  That was especially problematic
as a number of ioctls such as those needed by netfilter don't work in such
scenarios, thus you want to run amd64 on the host.

With the patch, you can use all three ABIs: i386 x32 amd64 on amd64 hosts.

Despite x32 being little used, there's no reason to deny it by default:
the admin needs to compile their own kernel with CONFIG_X86_X32=y or (on
Debian) boot with syscall.x32=y.  If they've done so, it is a reasonable
assumption they want x32 guests.

Signed-off-by: Adam Borowski <kilobyte@angband.pl>
2017-02-12 07:26:54 +01:00
Stéphane Graber
3a5cb1afff Merge pull request #1424 from brauner/2017-02-08/thomasDOTjaroschATintra2netDOTcom_pty_sigttou
lxc_setup_tios(): Ignore SIGTTOU and SIGTTIN signals
2017-02-08 17:07:26 +01:00
Stéphane Graber
b93fbd2486 Merge pull request #1425 from cebe/patch-1
Make lxc-net return non-zero on failure
2017-02-08 17:06:33 +01:00
Carsten Brandt
4f4e7141dd
Make lxc-net return non-zero on failure
I found that even though the service lxc-net failed to start because I made some wrong configuration
settings, the command exits zero.
So systemd reports the status of the service as good even though it failed:

    # service lxc-net status
    ● lxc-net.service - LXC network bridge setup
       Loaded: loaded (/lib/systemd/system/lxc-net.service; enabled)
       Active: active (exited) since Wed 2017-02-08 08:17:32 EST; 21min ago
      Process: 529 ExecStart=/usr/lib/x86_64-linux-gnu/lxc/lxc-net start (code=exited, status=0/SUCCESS)
     Main PID: 529 (code=exited, status=0/SUCCESS)
       CGroup: /system.slice/lxc-net.service

    Feb 08 08:17:30 dvm2 systemd[1]: Starting LXC network bridge setup...
    Feb 08 08:17:32 dvm2 lxc-net[529]: dnsmasq: failed to create listening socket for 10.2.2.1: Address already in use
    Feb 08 08:17:32 dvm2 lxc-net[529]: Failed to setup lxc-net.
    Feb 08 08:17:32 dvm2 systemd[1]: Started LXC network bridge setup.

Adding `exit 1` here makes it exit non-zero to make systemd recognize the failure.

Signed-off-by: Carsten Brandt <mail@cebe.cc>
2017-02-08 14:54:02 +01:00
Thomas Jarosch
4dc96430af lxc_setup_tios(): Ignore SIGTTOU and SIGTTIN signals
Prevent an endless loop while executing lxc-attach in the background:

The kernel might fire SIGTTOU while an ioctl() in tcsetattr()
is executed. When the ioctl() is resumed and retries,
the signal handler interrupts it again.

We can't configure the TTY to stop sending
the signals in the first place since that
is a modification/write to the TTY already.

Still we clear the TOSTOP flag to prevent further signals.

Command to reproduce the hang:
----------------------------
cat > lxc_hang.sh << EOF
/usr/bin/timeout 5s /usr/bin/lxc-attach -n SOMECONTAINER -- /bin/true
EOF
sh lxc_hang.sh    # hangs
----------------------------

Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
2017-02-08 13:50:47 +01:00
Reto Gantenbein
577eb5e3e3 Change Fedora mirror downloads to https by default, rsync optional
This mainly affects the download of the bootstrap image when
running on a non-Fedora host and the initial download of the
repo and release RPMs. The container rootfs creation will then
be verified by dnf against the GPG signatures in the repos RPM.

Signed-off-by: Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
2017-02-07 07:07:45 +01:00
Reto Gantenbein
52c4c3682d Query Fedora mirror list over HTTPS
Signed-off-by: Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
2017-02-07 07:07:40 +01:00
Stéphane Graber
920da314e6 Merge pull request #1422 from brauner/2017-06-02/clear_config_vals
confile: clear lxc.network.<n>.ipv{4,6} when empty
2017-02-06 23:49:30 +01:00
Christian Brauner
0797e123e0
confile: clear lxc.network.<n>.ipv{4,6} when empty
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-02-06 23:08:26 +01:00