Without this change, a request to *.LXC_DOMAIN that doesn't get a local
result from dnsmasq will be forwarded to its upstream server with the
potential of a loop.
Thanks to Ed for the patch on Launchpad (LP: #1246094).
Reported-by: Ed Swierk
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
With this change it's now possible to add wlan devices to the container.
This will track down the right phy device, move it to the right
namespace (we don't care about its name), then if the user asked for a
new device name for the actual interface, we attach to the container and
rename the interface in there using attach.
I have tested this to work with both Intel and Atheros NICs.
This patch is based on the one provided to lxc-devel by Gregor Beck and
has then been updated to do the device renaming as well as minor code
style changes. Thanks!
Reported-by: Gregor Beck <gbeck@sernet.de>
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
(this expands on Dwight's recent patch, commit c597baa8f9)
After unshare(CLONE_NEWNS) and before doing any mounting, always
check whether rootfs is shared. Otherwise template runs or clone
scripts can bleed mount activity to the host.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Note that if a task other than init violates the seccomp policy,
we cannot catch that. Init will catch it and (if it feels like
it) log it.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
The tmpfs was mounted with its default mode (1777) which was then picked
up by overlayfs/aufs as the target's mode.
This led to a world writable / in ephemeral containers.
I have confirmed that this issue doesn't impact lxc-clone.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
It used to be supported with the lxc-create.in script, and
the manpage says it's supported... So let's just support it.
Now
sudo lxc-create -t download --dir /opt/ab -n ab
works, creating the container rootfs under /opt/ab. This
generally isn't something I'd recommend, however telling users
to use a different lxc-path isn't as friendly as I'd like,
because each lxcpath requires separate lxc-ls and lxc-autostart
runs.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
always change profile immediately. Otherwise there are weird
corner cases where the profile change may not happen.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Modules should not link to the Lua core library.
See http://lua-users.org/wiki/BuildingModules under
"Do Not Link Modules to the Lua Core Libraries"
Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Systems based on systemd mount the root shared by default. We don't want
mounts done during creation by templates nor those done internally by
bdev during rsync based clones to propagate to the root mntns.
The create case already had the right check, but the mount call was
missing "/", so it was failing.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
We have added 3 new build servers for Alpine Linux musl libc x86, x86_64
and arm. Add the sha256sum for those keys.
Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Fix the issues reported by checkbashisms and change back to #!/bin/sh
Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Since we're no longer always returning a getenv result or some defined
string, the callers should cleanup the variable after use.
As a result, change from const char* to char*, add the needed free()
everywhere and use strdup() on strings coming from getenv.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
That's to make sure that if the bridge has a higher than 1500
mtu, the new veth (defaulting to 1500) doesn't lower it.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This makes get_rundir actually do what I meant it to do... for some
reason I missed that one in testing...
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
If get_rundir can't find XDG_RUNTIME_DIR in the environment, it'll
attempt to build a path using ~/.cache/lxc/run/. Should that fail
because of missing $HOME in the environment, it'll then return NULL an
all callers will fail in that case.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
If we are unprivileged and have asked for a veth device, then create
a pipe over which to pass the veth names.
Network-related todos:
1. set mtu on the container side of veth device
2. set mtu in lxc-user-nic. Note that this probably requires an
update to the /etc/lxc/lxc-usernet file :(
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
after commit 4e4ca16158 we are
checking for optional in mntopts after we forcibly remove it.
Cache whether we had it before removing it.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Otherwise mount may return -EINVAL if in-kernel super-block parser
objects (as is the case with ext4).
Changelog v2:
also drop 'optional'
specifically drop create=dir, not create=*
fix order of arguments for memmove
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
