This lets users use the tools with "lxc-* -n <container-name>" or
"lxc-* <container-name>".
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
The package has pretty much always been iproute2 with iproute being an
alias for it, the alias is now gone so we need to use iproute2.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
In particular, if we are already in a user namespace we are unprivileged,
and doing things like moving the physical nics back to the host netns won't
work. Let's do the same thing LXD does if euid == 0: inspect
/proc/self/uid_map and see what that says.
Signed-off-by: Tycho Andersen <tycho@tycho.ws>
Consider the case where we're running in a user namespace but in the host's
mount ns with the host's filesystem (something like
lxc-usernsexec ... lxc-execute ...), in this case, we'll be euid 0, but we
can't actually write to /run. Let's improve this locking check to make sure
we can actually write to /run before we decide to actually use it as our
locking dir.
Signed-off-by: Tycho Andersen <tycho@tycho.ws>
lxc_cgroup_set_data: h = get_hierarchy(controller);
if h is NULL, now errno is old, it donot set new one.
And then,
cgfsng_setup_limits:
if (lxc_cgroup_set_data(cg->subsystem, cg->value, d)) {
if (do_devices && (errno == EACCES ||
errno == EPERM)) {
WARN("Error setting %s to %s for %s",
cg->subsystem, cg->value,
d->name);
continue;
}
SYSERROR("Error setting %s to %s for
%s",
cg->subsystem, cg->value,
d->name);
goto out;
}
SYSERROR will show old errno, make me confused.
Signed-off-by: duguhaotian <duguhaotian@gmail.com>
The last user of ip_forward_set, lxc_ip_forward_on and
lxc_ip_forward_off was in 2009:
commit 92d385229b
Author: Daniel Lezcano <dlezcano@fr.ibm.com>
Date: Thu Oct 22 15:33:40 2009 +0200
remove test directory
These functions are not called anymore.
Signed-off-by: Marcos Paulo de Souza <marcos.souza.org@gmail.com>
Since we write the label directly without going through the AppArmor API it
doesn't make sense to link against it.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
r->ops->destroy() returns an int, -1 on error.
When assigned to a bool, this becomes true and hides errors.
Signed-off-by: Michael McCracken <mikmccra@cisco.com>
It's sort of an implementation detail that this exists at all, and we
should probably not pollute the container's mount tables or FS with this.
Signed-off-by: Tycho Andersen <tycho@tycho.ws>
Now that we have things propagated through init and liblxc correctly, at
least in non-daemon mode, we can exit with the actual exit status of the
task, instead of always succeeding, which is not so helpful.
Signed-off-by: Tycho Andersen <tycho@tycho.ws>
This seems slightly counter-intuitive, but IMO it's what we want.
Basically, ->start() should succeed if the container is spawned correctly
(similar to how golang's exec.Cmd.Start() returns nil if the thing spawns
correctly), and users can check error_num (i.e. golang's exec.Cmd.Wait())
to see how it exited.
This preserves previous behavior, which basically was that start was always
successful if the thing actually launched. Since we never kept track of
exit codes, this would always succeed too. Now that we do, it doesn't, and
this change is required.
Signed-off-by: Tycho Andersen <tycho@tycho.ws>
