Christian Brauner
ec0befee94
commands: don't deref after NULL check
...
Fixes: Coverity 1465657
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-10-28 03:58:54 +01:00
Christian Brauner
bf0b9c1ed6
Merge pull request #3567 from blenk92/lxc-attach-selinux
...
lxc-attach: Enable setting the SELinux context
2020-10-27 17:45:46 +01:00
Christian Brauner
a093bb0f5c
Merge pull request #3563 from Drachenfels-GmbH/cgroup-fixes
...
cgroups: Introduce lxc.cgroup.dir.monitor.pivot - fixes cgroup removal on termination
2020-10-27 17:44:59 +01:00
Christian Brauner
5fd31e375f
Merge pull request #3562 from Drachenfels-GmbH/seccomp-fixes
...
seccomp: fix pseudo syscalls, improve logging and avoid duplicate processing
2020-10-27 17:44:38 +01:00
Christian Brauner
10397a8031
Merge pull request #3565 from Drachenfels-GmbH/test-fixes
...
tests: Fix compilation with apparmor enabled.
2020-10-27 17:14:16 +01:00
Christian Brauner
dd8d550919
Merge pull request #3564 from Drachenfels-GmbH/fixes
...
lxccontainer: fix lxc_config_item_is_supported
2020-10-27 17:12:51 +01:00
Maximilian Blenk
8455e39efe
lxc-attach: Enable setting the SELinux context
...
Enable lxc-attach to set the SELinux context that the user will end up
in when attaching to a container (this can be used to overwrite the
context set in the config file). If the option is not used, behavior
will be as before.
Signed-off-by: Maximilian Blenk <Maximilian.Blenk@bmw.de>
2020-10-27 17:03:20 +01:00
Ruben Jenster
beff993939
tests: Fix compilation with apparmor enabled.
...
Signed-off-by: Ruben Jenster <r.jenster@drachenfels.de>
2020-10-27 09:48:34 +01:00
Ruben Jenster
6eb516a793
lxccontainer: fix lxc_config_item_is_supported
...
Use exact match instead of longest prefix match
to check whether a config item is supported.
Signed-off-by: Ruben Jenster <r.jenster@drachenfels.de>
2020-10-27 09:47:55 +01:00
Ruben Jenster
7696c1f9d1
Introduce lxc.cgroup.dir.monitor.pivot
...
On termination lxc may fail to remove either lxc.cgroup.dir or lxc.cgroup.dir.monitor,
because the monitor process may still be a member of either of these cgroups.
The pivot cgroup should not be a member (subpath) of any other container cgroup (dir),
because only empty cgroups can be removed.
Signed-off-by: Ruben Jenster <r.jenster@drachenfels.de>
2020-10-27 09:23:01 +01:00
Ruben Jenster
15044cd19c
seccomp: Avoid duplicate processing of rules for host native arch.
...
Signed-off-by: Ruben Jenster <r.jenster@drachenfels.de>
2020-10-27 08:37:52 +01:00
Ruben Jenster
0ff0d23e40
seccomp: Fix handling of pseudo syscalls and improve logging for rule processing.
...
Signed-off-by: Ruben Jenster <r.jenster@drachenfels.de>
2020-10-27 08:35:00 +01:00
Stéphane Graber
c8fe11552a
Merge pull request #3561 from tenforward/japanese
...
Update Japanese pam_cgfs(8) to reflect lack of support for pure cgroupv2
2020-10-24 13:59:10 -04:00
KATOH Yasufumi
bf73687ae5
Update Japanese pam_cgfs(8) to reflect lack of support for pure cgroupv2
...
Update for commit b87ed83bbc
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
2020-10-25 01:35:35 +09:00
Stéphane Graber
c639f45ee5
Merge pull request #3559 from brauner/2020-10-20/fixes
...
conf: account for early return when sending devpts fd
2020-10-20 12:21:53 -04:00
Christian Brauner
185b9ee91b
conf: account for early return when sending devpts fd
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-10-20 17:41:06 +02:00
Stéphane Graber
f4da1c37e6
Merge pull request #3558 from brauner/2020-10-20/fixes
...
conf: always send response to parent waiting for devptfs_fd
2020-10-20 08:22:49 -04:00
Christian Brauner
68f3899e4a
conf: always send response to parent waiting for devptfs_fd
...
When no devpts devices are requested we used to return early but did not send a
response to the parent. This is a problem because the parent will be waiting
for a devpts fd to be sent. Make sure to always send a response.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-10-20 13:34:24 +02:00
Stéphane Graber
1593efb5d7
Merge pull request #3556 from brauner/2020-10-19/fixes
...
startup fixes
2020-10-19 08:29:16 -04:00
Christian Brauner
fbfe5c8208
start: improve devpts fd sending
...
Closes: #3549.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-10-19 12:18:54 +02:00
Christian Brauner
5befd767a6
sync: log synchronization states
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-10-19 12:18:53 +02:00
Christian Brauner
35f0c46e0d
sync: switch to new error helpers
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-10-19 12:18:53 +02:00
Stéphane Graber
a282f7792f
Merge pull request #3555 from brauner/2020-10-16/seccomp
...
seccomp: fix compilation on powerpc
2020-10-16 08:17:26 -04:00
Christian Brauner
50926f4b2c
seccomp: fix compilation on powerpc
...
Link: https://launchpadlibrarian.net/502200189/buildlog_snap_ubuntu_bionic_ppc64el_lxd-latest-edge_BUILDING.txt.gz
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-10-16 12:22:57 +02:00
Wolfgang Bumiller
eb587451d0
Merge pull request #3553 from brauner/2020-10-15/seccomp
...
seccomp: bugfixes
2020-10-15 11:38:49 +02:00
Christian Brauner
dc70d7e4fb
seccomp: improve default notification sending
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-10-15 10:08:53 +02:00
Christian Brauner
a76fe490dc
seccomp: log invalid seccomp notify ids
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-10-15 09:44:01 +02:00
Christian Brauner
186ff2beaf
Merge pull request #3548 from Drachenfels-GmbH/master
...
seccomp: Check if syscall is supported on compat architecture.
2020-10-13 22:12:29 +02:00
Ruben Jenster
fbec5f832b
seccomp: Check if syscall is supported on compat architecture.
...
Signed-off-by: Ruben Jenster <r.jenster@drachenfels.de>
2020-10-13 17:21:50 +02:00
Stéphane Graber
11d123becb
Merge pull request #3541 from Mingli-Yu/master
...
Remove obsolete setting regarding the Standard Output
2020-09-23 08:01:11 -04:00
Mingli Yu
a7a92a06a4
Remove obsolete setting regarding the Standard Output
...
The Standard output type "syslog" is obsolete, causing a warning since systemd
version 246 [1].
Please consider using "journal" or "journal+console"
[1] https://github.com/systemd/systemd/blob/master/NEWS#L202
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
2020-09-23 07:03:02 +00:00
Stéphane Graber
c37c7b91af
Merge pull request #3540 from brauner/2020-09-17/fixes_2
...
lxc-usernsexec: setgroups() similar to other places shouldn't fail on…
2020-09-17 13:11:20 -04:00
Christian Brauner
3f6e5c831e
lxc-usernsexec: setgroups() similar to other places shouldn't fail on EPERM
...
FAIL: lxc-tests: lxc-test-usernsexec (1s)
---
as test-userns executing /tmp/autopkgtest.waGEXj/build.Hm3/src/src/tests/lxc-test-usernsexec
uid=1001 gid=1001 name=test-userns subuid=165536 subgid=165536 ver=1:4.0.4-0ubuntu3
lxc-utils=1:4.0.4-0ubuntu3 kver=5.8.0-19-generic
USERNSEXEC=lxc-usernsexec
nouidgid: PASS
myuidgid: FAIL - runtest failed 1
$ lxc-usernsexec -mu:0:1001:1 -mg:0:1001:1 -- /tmp/autopkgtest.waGEXj/build.Hm3/src/src/tests/lxc-test-usernsexec inside f0
lxc 20200914222824.562 ERROR utils - utils.c:lxc_setgroups:1363 - Operation not permitted - Failed to setgroups()
kid 73112 is gone 1
subuidgid: PASS
bothsets: PASS
mismatch: PASS
ERRORS: myuidgid
---
Reported-by: Seth Forshee <seth.forshee@canonical.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-09-17 17:46:00 +02:00
Stéphane Graber
b324a25500
Merge pull request #3539 from brauner/2020-09-17/fixes
...
commands: don't fail if unfreeze fails
2020-09-17 11:30:14 -04:00
Christian Brauner
8db8adea44
commands: don't fail if unfreeze fails
...
We can e.g. fail the unfreeze because the freezer cgroup is not available and
then we erroneously report that stopping the container failed.
Closes: #3471.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-09-17 15:51:41 +02:00
Christian Brauner
4226b2e5af
Merge pull request #3532 from alliedtelesis/fix_lxc_attach_crash
...
avoid a NULL pointer dereference in lxc-attach
2020-09-03 10:11:41 +02:00
Christian Brauner
c3941f32de
attach: use lxc_terminal_signal_sigmask_safe_blocked()
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-09-03 08:40:52 +12:00
Christian Brauner
3e3f79bdcd
terminal: introduce lxc_terminal_signal_sigmask_safe_blocked()
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-09-03 08:40:42 +12:00
Scott Parlane
d9346e19eb
avoid a NULL pointer dereference in lxc-attach
...
Seems to appear when stderr is a terminal and not stdin or stdout.
Signed-off-by: Scott Parlane <scott.parlane@alliedtelesis.co.nz>
2020-09-02 17:04:45 +12:00
Christian Brauner
9cc837ef2c
Merge pull request #3531 from JingWoo/cleancode
...
remove useless parameters
2020-08-28 12:12:56 +02:00
wujing
a7c6e83042
remove useless parameters
...
Signed-off-by: wujing <Jing.Woo@outlook.com>
2020-08-28 16:49:00 +08:00
Stéphane Graber
46fd283b50
Merge pull request #3530 from brauner/2020-08-25/fixes
...
cgroups: fix armhf builds
2020-08-25 08:45:14 -04:00
Christian Brauner
00f848f31a
Merge pull request #3529 from pranaysrivastava/fixup_rootfs_detection
...
Check only rootfs as filesystem type
2020-08-25 12:30:37 +02:00
Christian Brauner
9fd047d158
cgroups: fix armhf builds
...
Link: https://launchpadlibrarian.net/494473462/buildlog_ubuntu-groovy-armhf.lxc_1%3A4.0.4-0ubuntu2_BUILDING.txt.gz
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-08-25 12:27:10 +02:00
Pranay Kr. Srivastava
97edebfacd
Check only rootfs as filesystem type
...
When detecting if rootfs is on ramfs, instead of checking "- rootfs
rootfs", which is the " - <file_system> <device>" information, only check
the file system type. This is due to a change introduced in the kernel where
the ramfs file system doesn't set the device to "rootfs" but instead marks it
as "none". By making sure we only check for "rootfs" as the file system
name we also offer backward compatibility with earlier kernels as well.
The kernel commit that introduced this change was
commit f32356261d44d580649a7abce1156d15d49cf20f
Author: David Howells <dhowells@redhat.com>
Date: Mon Mar 25 16:38:31 2019 +0000
vfs: Convert ramfs, shmem, tmpfs, devtmpfs, rootfs to use the new
mount API
Signed-off-by: Pranay Kr. Srivastava <pranay.srivastava@pantacor.com>
2020-08-24 13:40:15 +05:30
Stéphane Graber
c22a1a4a52
Merge pull request #3528 from graysky2/master
...
remove deprecated options in lxc.service fixes #3527
2020-08-21 12:10:50 -04:00
Stéphane Graber
256928ac60
Merge pull request #3526 from brauner/2020-08-21/fixes
...
cgfsng: fix cgroup attach cgroup creation
2020-08-21 12:10:29 -04:00
graysky
0c4cd88d4a
remove deprecated options in lxc.service fixes #3527
...
Signed-off-by: graysky <graysky@archlinux.us>
2020-08-21 06:33:49 -04:00
Christian Brauner
c80c9a70bc
cgfsng: fix cgroup attach cgroup creation
...
cgroups/cgfsng.c: In function ‘cgroup_attach_leaf.constprop’:
cgroups/cgfsng.c:2221:10: error: writing 1 byte into a region of size 0 [-Werror=stringop-overflow=]
2221 | *slash = '\0';
| ~~~~~~~^~~~~~
cgroups/cgfsng.c:2213:8: note: at offset -13 to object ‘attach_cgroup’ with size 23 declared here
2213 | char attach_cgroup[STRLITERALLEN(".lxc-1000/cgroup.procs") + 1];
| ^~~~~~~~~~~~~
cgroups/cgfsng.c:2229:10: error: writing 1 byte into a region of size 0 [-Werror=stringop-overflow=]
2229 | *slash = '/';
| ~~~~~~~^~~~~
cgroups/cgfsng.c:2213:8: note: at offset -13 to object ‘attach_cgroup’ with size 23 declared here
2213 | char attach_cgroup[STRLITERALLEN(".lxc-1000/cgroup.procs") + 1];
| ^~~~~~~~~~~~~
cgroups/cgfsng.c:2229:10: error: writing 1 byte into a region of size 0 [-Werror=stringop-overflow=]
2229 | *slash = '/';
| ~~~~~~~^~~~~
cgroups/cgfsng.c:2213:8: note: at offset -13 to object ‘attach_cgroup’ with size 23 declared here
2213 | char attach_cgroup[STRLITERALLEN(".lxc-1000/cgroup.procs") + 1];
| ^~~~~~~~~~~~~
Link: https://launchpadlibrarian.net/494354168/buildlog_ubuntu-groovy-armhf.lxc_1%3A4.0.4-0ubuntu1_BUILDING.txt.gz
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-08-21 10:32:03 +02:00
Stéphane Graber
9d3b7c97f0
Merge pull request #3522 from avr1254/master
...
Updated documentation to reflect lack of support for pure cgroupv2
2020-08-17 00:04:30 -04:00