Otherwise lxc.hook.mount hooks that try to inspect /proc/<pid>/*
will fail.
Cc: Jonathan Calmels <jcalmels@nvidia.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
This has annoyed me for a long time, 3.0 seems like the time to fix it :).
I think the way that the log prefix was intended to be used was perhaps a
dynamic prefix per file, but we don't do that today; we include the
filename later in the log message. Instead, we use it as the tool name,
which for liblxc is always "lxc", but could also be things like
"lxc-cgroup" or whatever. There is absolutely no reason to pad this, since
it is always the same for every log file (in fact, we could probably get
rid of the prefix all together, but that seems slightly more drastic).
Instead, let's just drop this padding. Hopefully this will save thousands
of hours of slight annoyance and right scrolling in various pastebins.
Signed-off-by: Tycho Andersen <tycho@tycho.ws>
The "display" driver capability will expose /dev/nvidia-modeset:
9398d41d9f
The "--ldcache" argument allows overriding the location of the DSO cache:
41656bf9ed
The "--root" argument allows nvidia-container-cli to execute in a different rootfs:
019fdc14e3
Signed-off-by: Felix Abecassis <fabecassis@nvidia.com>
For a reason that I don't understand, the profile transition needs to
be done on the current process. Changing the attributes for a
subsequent execve(2) (with /proc/self/attr/exec) will cause the kernel
to set AT_SECURE in the auxiliary vector and thus secure_getenv(3)
inside libnvidia-container will return NULL.
Signed-off-by: Felix Abecassis <fabecassis@nvidia.com>
We've announced quite a while back and printed out errors and warning everytime
someone used the aufs driver.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
The problem here is that __lxc_start frees the handler, so any use
afterwards is invalid. Since we don't have access to the actual struct
lxc_container object in __lxc_start, let's pass a pointer to error_num in
so it can be returned.
Unfortunately, I'm a little too paranoid to change the return type of
lxc_start, since it returns failure if some of the cleanup fails, which
may be useful in some cases. So let's keep this out of band.
Closes#2218Closes#2219
Reported-by: Felix Abecassis <fabecassis@nvidia.com>
Signed-off-by: Tycho Andersen <tycho@tycho.ws>
when compiling lxc with clang-5.0 parse_cap()'s main loop will produce a
warning about a tautological comparision (#2215).
By moving the result of computation into a variable (end) this is no
longer a constant expression. clang-5.0 does not do dataflow analysis at
this point, so it is, to quote someone from #llvm, "morally equivalent"
to casting `(int)i`.
in addition, we also clean up the #if HAVE_LIBCAP to no longer need
its #else branch!
Signed-off-by: Igor Galić <igor.galic@automatic-server.com>
This reverts commit 8d961e28f1.
Unfortunately I don't believe the check is correct in the general case.
Signed-off-by: Serge Hallyn <shallyn@cisco.com>
If we're host unpriv but root in our userns, we can't really escape
cgroups. Let's switch the cgroup escape test to reflect this.
Signed-off-by: Tycho Andersen <tycho@tycho.ws>
lxc-usernsexec uses some functions (e.g. lxc_map_ids()), which are part of
the lxc library and thus use the WARN etc. macros to emit log messages.
However, it doesn't initialize the log in any way, so these messages go
into the ether.
lxc-usernsexec currently has no log parameters, so let's just log these to
stderr. Someone can do something fancier later if they want.
Signed-off-by: Tycho Andersen <tycho@tycho.ws>
