Container fail to start with configs (as shown below) where the same
vlan id is used for several type=vlan container interfaces.
Then, during the instantiation of the vlan interfaces, an error occurs
because the lxc code tries to assign the same temporary name to both
of them before it is bound into the container.
> lxc.network.type = vlan
> lxc.network.flags = up
> lxc.network.link = eth1
> lxc.network.vlan.id = 3842
> lxc.network.name = iso0
>
> lxc.network.type = vlan
> lxc.network.flags = up
> lxc.network.link = eth2
> lxc.network.vlan.id = 3842
> lxc.network.name = iso1
Signed-off-by: Axel Neumann <neumann@cgws.de>
This isn't the perfect fix. In fact close_all_fds shouldn't be stored
in the lxc_conf. But this will fix the tests short-term.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Riya Khanna reported that with a ramfs rootfs the mount to make
/ rprivate was returning -EFAULT. NULL was being passed as the
mount target. Pass "/" instead.
Reported-by: riya khanna <riyakhanna1983@gmail.com>>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
When containers request to be daemonized, close-all-fd is
set to true. But when we switched ot daemonize-by-default we didn't
set close-all-fd by default.
Fix that. In order to do that we have to always have a lxc_conf
object. As a consequence, after this patch we can drop a bunch
of checks for c->lxc_conf existing. We should consider removing
those. This patch does not do that.
This should close https://github.com/lxc/lxc/issues/354
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Just like we block access to mem and kmem, there's no good reason for
the container to have access to kcore.
Reported-by: Marc Schaefer
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Alpine Linux provides yaml files with latest release instead of the old
approach with .latest.txt.
Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
fedora-release has been split into fedora-release and fedora-repos.
Signed-off-by: Michael Adam <obnox@samba.org>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This is to prevent systemd-journald to enter a 100% cpu loop.
Signed-off-by: Michael Adam <obnox@samba.org>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
In contrast to what the comment above the line disabling it said,
it seems to work just fine. It also is needed on current kernels
(until Eric's patch hits upstream) to prevent unprivileged containers
from hosing fuse filesystems they inherit.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
If a container has a bind mount from a host nfs or fuse
filesystem, and does 'umount -f', it will disconnect the
host's filesystem. This patch adds a seccomp rule to
block umount -f from a container. It also adds that rule
to the default seccomp profile.
Thanks stgraber for the idea :)
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
There are now two (permitted) ways to add data to netlink message:
1. put_xxx()
2. call nlmsg_reserve() to get a pointer to newly reserved room within the
original netlink message, then write or memcpy data to that area.
Both of them guarantee adding requested length data do not overflow the
pre-allocated message buffer by checking against its cap field first.
And there may be no need to access nlmsg_len outside nl module, because both
put_xxx() and nlmsg_reserve() have alread did that for us.
Signed-off-by: Shuai Zhang <zs.broccoli@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
when waitpid() is interrupted, errno is not set to the negative
value -EINTR. It is set to EINTR. check against EINTR.
Signed-off-by: Arjun Sreedharan <arjun024@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
The previous error message made it look like the host interface name was
the concatenation of both the host and guest interface names.
Closes#374
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Do as much as possible to allow containers switching from non-systemd to
systemd to work as intended (but nothing that will cause side effects).
Use update-rc.d disable instead of remove so the init scripts are not
re-enabled when the package is updated
Signed-off-by: Cameron Norman <camerontnorman@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This reverts commit 55ae7edb18.
This change caused hangs in the testsuite, specifically with lxc-user-nic.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Ran into this when trying to automate stgraber's "GUI in containers"
post.
Signed-off-by: Casey Marshall <casey.marshall@canonical.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This is a copy of patch version 3 for issue #278 on the issue-tracker:
- Allow multiple bind-mounts (--bdir) and multiple cow-mounts (--cdir).
- Further fixes to permissions throughout lxc-start-ephemeral (annotated
in the code).
Signed-off by: Oleg Freedholm <overlayfs@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
