Commit Graph

5070 Commits

Author SHA1 Message Date
Tycho Andersen
be69ad435d util: always malloc for setproctitle
Closes #1407

Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
2017-02-02 08:42:22 +00:00
Christian Brauner
4ce84082f0 Merge pull request #1402 from mabes/patch-1
lxc-opensuse: fix default value for release code
2017-01-30 14:52:36 +01:00
Maxime Besson
04e30e9de7 lxc-opensuse: fix default value for release code
Signed-off-by: Maxime Besson <maxime.besson@smile.fr>
2017-01-30 13:35:09 +01:00
Geaaru
74e7574120 [lxc-sabayon] Add common scripts for daily image generation.
Signed-off-by: Geaaru <geaaru@gmail.com>
2017-01-29 19:03:55 +01:00
Christian Brauner
d54d9610a0 Merge pull request #1400 from bneumeier/master
Allow build without sys/capability.h
2017-01-29 17:23:47 +01:00
Brett Neumeier
df11e022a5 Allow build without sys/capability.h
There is no guard clause around a reference to CAP_EFFECTIVE and
CAP_SETGID, causing compilation to fail if sys/capability.h is not
available.

Signed-off-by: Brett Neumeier <brett@neumeier.us>
2017-01-29 09:41:20 -06:00
Geaaru
11f88f10cd Add LXC template script of Sabayon OS
Signed-off-by: Geaaru <geaaru@gmail.com>
2017-01-28 23:22:47 +01:00
Christian Brauner
9eed569a22 Merge pull request #1397 from stgraber/master
Fix typo
2017-01-27 23:49:49 +01:00
Stéphane Graber
073000e2dc Fix typo
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2017-01-27 17:40:11 -05:00
Stéphane Graber
42dc0de4e3 Merge pull request #1392 from cjwatson/start-ephemeral-python32
Make lxc-start-ephemeral Python 3.2-compatible
2017-01-26 11:45:20 -05:00
Colin Watson
e0e34b7e93 Make lxc-start-ephemeral Python 3.2-compatible
On Ubuntu 12.04 LTS with Python 3.2, `lxc-start-ephemeral` breaks as
follows:

    Traceback (most recent call last):
      File "/usr/bin/lxc-start-ephemeral", line 371, in attach_as_user
      File "/usr/lib/python3.2/subprocess.py", line 515, in check_output
      File "/usr/lib/python3.2/subprocess.py", line 732, in __init__
    LookupError: unknown encoding: ANSI_X3.4-1968

This is because `universal_newlines=True` causes `subprocess` to use
`io.TextIOWrapper`, and in versions of Python earlier than 3.3 that
fetched the preferred encoding using `locale.getpreferredencoding()`
rather than `locale.getpreferredencoding(False)`, thereby changing the
locale and causing codecs to be reloaded.  However, `attach_as_user`
runs inside the container and thus can't rely on having access to the
same Python standard library on disk.

The workaround is to decode by hand instead, avoiding the temporary
change of locale.

Signed-off-by: Colin Watson <cjwatson@ubuntu.com>
2017-01-26 14:32:08 +00:00
Christian Brauner
4893a4315c Merge pull request #1388 from trofi/master
Use AC_HEADER_MAJOR to detect major()/minor()/makedev()
2017-01-21 13:41:36 +01:00
Sergei Trofimovich
af6824fce9 Use AC_HEADER_MAJOR to detect major()/minor()/makedev()
Before the change build failed on Gentoo as:

  bdev/lxclvm.c: In function 'lvm_detect':
  bdev/lxclvm.c:140:4: error: implicit declaration of function 'major' [-Werror=implicit-function-declaration]
    major(statbuf.st_rdev), minor(statbuf.st_rdev));
    ^~~~~
  bdev/lxclvm.c:140:28: error: implicit declaration of function 'minor' [-Werror=implicit-function-declaration]
    major(statbuf.st_rdev), minor(statbuf.st_rdev));
                            ^~~~~

glibc plans to remove <sys/sysmacros.h> from glibc's <sys/types.h>:
    https://sourceware.org/ml/libc-alpha/2015-11/msg00253.html

Gentoo already applied glibc patch to experimental glibc-2.24
to start preparing for the change.

Autoconf has AC_HEADER_MAJOR to find out which header defines
required macros:
    https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Particular-Headers.html

This change should also increase portability across other libcs.

Bug: https://bugs.gentoo.org/604360
Signed-off-by: Sergei Trofimovich <siarheit@google.com>
2017-01-21 11:57:13 +00:00
Christian Brauner
b7329cebaf Merge pull request #1382 from evgeni/lsb-cgroupfs-mount
add cgroupfs-mount to Should-Start/Stop sysvinit LSB headers
2017-01-12 15:38:27 +01:00
Evgeni Golov
2704c1ccdd add cgroupfs-mount to Should-Start/Stop sysvinit LSB headers
otherwise init might try to start the containers before cgroupfs was
mounted.

Debian-Bug: https://bugs.debian.org/850212

Signed-off-by: Evgeni Golov <evgeni@debian.org>
2017-01-12 12:51:55 +01:00
Serge Hallyn
3728ed350c Merge pull request #1381 from brauner/2017-01-11/fix_volatile_containers
tools/lxc-start: remove c->is_defined(c) check
2017-01-11 10:05:32 -06:00
Christian Brauner
72c78e0e1c tools/lxc-start: remove c->is_defined(c) check
We do not check here whether the container is defined, because we support
volatile containers. Which means the container does not need to be created for
it to be started. You can just pass a configuration file as argument and start
the container right away.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-01-11 16:20:20 +01:00
Serge Hallyn
e3cca06889 Merge pull request #1373 from brauner/2016-01-02/fix_execute_and_improve_setgroups
start: fix execute and improve setgroups() calls
2017-01-07 10:33:57 -06:00
Christian Brauner
87bf0db03d start: check for CAP_SETGID before setgroups()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-01-07 12:50:26 +01:00
Christian Brauner
ca364dc0dd caps: add lxc_cap_is_set()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-01-07 12:40:37 +01:00
Christian Brauner
d08f8d2f74 start: fix execute and improve setgroups() calls
lxc_execute() and lxc-execute were broken when a user tried to switch to a
non-root uid/gid. This prevented necessary setup operations like mounting the
rootfs which require root in the user namespace. This commit separates
switching to root in the user namespace from switching to the requested uid/gid
by lxc_execute().
This should be safe: Once we switched to root in the user namespace via
setuid() and then switch to a non-root uid/gid in the user namespace for
lxc_execute() via setuid() we cannot regain root privileges again. So we can
only make us safer (Unless I forget about some very intricate user namespace
nonsense; which is not as unlikely as I try to make it sound.).

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-01-07 11:18:22 +01:00
Christian Brauner
dbaf55a353 utils: add uid, gid, group convenience wrappers
This commit adds lxc_switch_uid_gid() which allows to switch the uid and gid of
a process via setuid() and setgid() and lxc_setgroups() which allows to set
groups via setgroups(). The main advantage is that they nicely log the switches
they perform.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-01-07 11:18:19 +01:00
Reto Gantenbein
91a5f34612 Restrict package locales to en_US
Adjust locale setup to official Fedora cloud setup. This will
shrink the image size for e.g. Fedora 25 from around 350MB to
260MB.

Signed-off-by: Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
2017-01-07 02:51:27 +01:00
Reto Gantenbein
f919f5ca11 Fix chroot rpmdb path
Signed-off-by: Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
2017-01-07 02:47:26 +01:00
Reto Gantenbein
c172e264de Fix installing multiple packages given with '--packages'
Signed-off-by: Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
2017-01-07 02:47:22 +01:00
Reto Gantenbein
7b40d7287e Fix version comparison
Signed-off-by: Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
2017-01-07 02:47:16 +01:00
Stéphane Graber
4484e6f80c Merge pull request #1379 from brauner/2017-01-04/fix_android
tools: only check for O_RDONLY
2017-01-04 17:30:09 +01:00
Stéphane Graber
4d690b8c5c Merge pull request #1376 from brauner/2017-01-04/sic_semper_assertis
tree-wide: Sic semper assertis!
2017-01-04 16:40:31 +01:00
Christian Brauner
371802081a tools: only check for O_RDONLY
On some Android systems the lxc folders where containers are stored might be
read-only and so checking for O_RDWR, will effectively make the tools useless
on these systems, so let's dumb the check down to O_RDONLY.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-01-04 16:28:50 +01:00
Christian Brauner
97bc24229c tree-wide: Sic semper assertis!
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-01-04 15:19:46 +01:00
Christian Brauner
c9ee396595 Merge pull request #1378 from Cypresslin/fix-api-test-s390x
python3-lxc: fix api_test.py on s390x
2017-01-04 13:33:52 +01:00
Po-Hsu Lin
e170106812 python3-lxc: fix api_test.py on s390x
The api_test.py script uses Trusty release by default, which does not
have s390x image. Switch to Xenial to solve this.

Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
2017-01-04 19:23:04 +08:00
Stéphane Graber
f290a8061f Merge pull request #1374 from brauner/2017-01-03/fix_suggest_default_idmap
conf: fix suggest_default_idmap()
2017-01-03 18:22:47 +01:00
Christian Brauner
b7930180d1 conf: fix suggest_default_idmap()
We need to remove the newline otherwise lxc_safe_uint() will fail as it detects
an invalid (non-numeric) char in the string.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-01-03 11:08:25 +01:00
Reto Gantenbein
df3e3fa11a Explicitly mount squashfs in case autodetection fails
Signed-off-by: Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
2017-01-02 17:16:00 +01:00
Reto Gantenbein
60fd46237e Also add lxc-fedora-legacy to AC_CONFIG_FILES
Signed-off-by: Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
2017-01-01 18:54:29 +01:00
Reto Gantenbein
3d7aa7887a Complete rework of lxc-fedora template
Heavily refactored version of the Fedora container creation template.
Removed compatibility to unsupported Fedora releases including sysvinit
and yum stuff. Added new commandline arguments found in other templates:

  --mirror   : To set custom HTTP(s) Fedora download mirror
  --packages : List of custom packages to install into a new container
  --debug    : Run with shell script with 'set -x'

There are also some new environment variables which can be used to
customize the template behaviour. See --help output.

Supports Fedora >=24. By default Fedora 25 will be installed except on
Fedora hosts, where the host release is taken. To simplify the code
path (or at least not make it more complex) all non-Fedora hosts will
now use the LiveOS-image based bootstrap environment even when they
would natively support rpm, yum or even dnf (e.g. Gentoo, CentOS).

Mainly runs systemd services by default (journald, networkd, resolved,
logind).

Signed-off-by: Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
2016-12-31 02:26:15 +01:00
Reto Gantenbein
edef9b0e08 Rename fedora template to fedora-legacy
Signed-off-by: Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
2016-12-31 02:25:35 +01:00
Stéphane Graber
a87e4d015e Merge pull request #1365 from brauner/2016-12-25/skip_test_on_broken_overlayfs_symlinks
tests: skip unpriv tests on broken overlay module
2016-12-29 09:09:39 -05:00
Christian Brauner
90e4eead72 tests: skip unpriv tests on broken overlay module
This mainly affects Trusty. The 3.13 kernel has a broken overlay module which
does not handle symlinks correctly. This is a problem for containers that use
an overlay based rootfs since safe_mount() uses /proc/<pid>/fd/<fd-number> in
its calls to mount().

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2016-12-28 16:43:55 +01:00
Christian Brauner
64fa248372 Merge pull request #1360 from ffontaine/master
Add --enable-gnutls option
2016-12-19 09:07:55 +01:00
Fabrice Fontaine
c8601571aa Add --enable-gnutls option
Previously HAVE_LIBGNUTLS was never set in config.h even if gnutls was
detected as AC_CHECK_LIB default action-if-found was overridden by
enable_gnutls=yes
This patch adds an --enable-gnutls option and will call AC_CHECK_LIB
with the default action to write HAVE_LIBGNUTLS in config.h

Signed-off-by: Fabrice Fontaine <fabrice.fontaine@orange.com>
2016-12-18 21:42:07 +01:00
Serge Hallyn
8b7ffa302d Merge pull request #1343 from lifupan/master
confile: support the network link string pattern matching
2016-12-16 12:46:32 -06:00
Christian Brauner
7d091d9e96 Merge pull request #1358 from evgeni/no-default-passwords
do not set insecure passwords
2016-12-16 00:16:34 +01:00
Christian Brauner
555fc01aa7 Merge pull request #1357 from evgeni/opensuse-systemd-fixes
OpenSUSE systemd fixes
2016-12-16 00:15:47 +01:00
Evgeni Golov
37fbf44812 do not set insecure passwords
Signed-off-by: Evgeni Golov <evgeni@debian.org>
2016-12-15 20:04:15 +01:00
Evgeni Golov
62386d9319 lxc-opensuse: rm poweroff.target -> sigpwr.target copy
Given commit 330ae3d350:

    lxccontainer: detect if we should send SIGRTMIN+3

    This is required by systemd to cleanly shutdown. Other init systems should not
    have SIGRTMIN+3 in the blocked signals set.

we should stop poking around with sigpwr.target for systemd.

Signed-off-by: Evgeni Golov <evgeni@debian.org>
2016-12-15 20:02:10 +01:00
Evgeni Golov
000f7f1c56 don't try to get stuff from /usr/lib/systemd on the host
it might not even be there…

Signed-off-by: Evgeni Golov <evgeni@debian.org>
2016-12-15 19:59:13 +01:00
fli
576400e5e0 confile: support the network link string pattern matching
Enable lxc network config support the following type and link:

lxc.network.type = phys
lxc.network.link = eth+

Here, the suffix '+' will trigger a string pattern matching
and when lxc finds any network interface name prefixed with
"eth" such as "eth0", "eth1", "ethxxxx" and so on, it will
try to move them into the container's namespace; If it didn't
find any matching, it would do nothing for this configure
line.

Signed-off-by: fli <fupan.li@windriver.com>
2016-12-12 18:11:13 -08:00
Christian Brauner
154a741200 Merge pull request #1354 from tsdmgz/leap-422-template
templates: update openSUSE release to 42.2
2016-12-13 00:11:27 +01:00