Sometimes, a container doesn't have /dev/null.
For example, I have this problem with an Android container.
This fixes #910 (github) for me.
Signed-off-by: Aleksandr Mezin <mezin.alexander@gmail.com>
The warning has been present since commit 32b37181ea (with no purpose stated).
Support for dynamically linked Busybox has been added since commit bf6cc73696.
Haven't encountered any issues with dynamically linked Busybox in my last
2 years' testing.
Signed-off-by: Bogdan Purcareata <bogdan.purcareata@nxp.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
The open_without_symlink routine has been specifically created to prevent
mounts with symlinks as source or destination. Keep SYSERROR'ing in that
particular scenario, but leave error handling to calling functions for the
other ones - e.g. optional bind mount when the source dir doesn't exist
throws a nasty error.
Signed-off-by: Bogdan Purcareata <bogdan.purcareata@nxp.com>
Hopefully this will avoid name collisions with any user binaries, since
criu is just an implementation detail.
Closes #907
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
If we set lxc.console=none, this fd won't exist, so let's not fail if it
doesn't. We already partially handled this case correctly, so let's
actually handle it correctly :)
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
We don't pass anything on the restore side since we didn't save anything,
but the restore side will expect something if we pass this. Instead, let's
not pass anything.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
In particular, when CRIU fails before it has its log completely initialized
(e.g. if the log directory doesn't exist, or if the argument parser fails),
it prints this to stdout. Let's log that.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
In particular, only create /dev/console when it is set to "none".
Otherwise, we will bind mount a pts device later, so let's just leave it.
Also, when bind mounting the pts device, let's create /dev/console if it
doesn't exist, since it may not already exist due to the above :)
v2: s/ot/to
v3: add O_EXCL so we actually get EEXIST, use the right condition for
mount_console (we want to compare against console.path, not
console.name, and console.path can be null)
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
We need to pass nosuid+noexec+nodev to remount to stop the kernel
from denying it.
When remounting the container's path read-write, use the right dest
path.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
If cgmanager is running, use it. This allows the admin to simply
stop cgmanager if they don't want to use it. The other way there
is no way to choose to use cgmanager.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Prevent privileged containers from messing with the host's pci devices
directly. Refuse access under /proc/bus, and drop cap_sys_rawio. Some
containers may need to re-enable cap_sys_rawio (i.e. if they run an
X server).
It may be desirable to break some of this stuff into files which can be
separately included (or not included), but this patch isn't the right
place for that.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>