When calling lxc-create, if the template exists but is not executable, we end with the following error messages which make believe that the template file does not exist when it is merely a execute access problem:
lxc-create: ctn00: utils.c: get_template_path: 918 No such file or directory - bad template: /.../lxc-busybox
lxc-create: ctn00: lxccontainer.c: do_lxcapi_create: 1786 Unknown template "/.../lxc-busybox"
lxc-create: ctn00: tools/lxc_create.c: main: 327 Failed to create container ctn00
Actually internally the errno is lost as the following code triggers a useless access to (strace output):
access("/.../lxc-busybox", X_OK) = -1 ENOENT (No such file or directory)
With the above fix, we get a more explicit error message when the template file is missing the "execute" bit:
lxc-create: bbc: utils.c: get_template_path: 917 Permission denied - Bad template pathname: /tmp/azerty
lxc-create: bbc: lxccontainer.c: do_lxcapi_create: 1816 Unknown template "/tmp/azerty"
lxc-create: bbc: tools/lxc_create.c: main: 331 Failed to create container bbc
With the above fix, we get a more explicit error message when the pathname of the template file is incorrect:
lxc-create: bbc: utils.c: get_template_path: 917 No such file or directory - Bad template pathname: /tmp/qwerty
lxc-create: bbc: lxccontainer.c: do_lxcapi_create: 1816 Unknown template "/tmp/qwerty"
lxc-create: bbc: tools/lxc_create.c: main: 331 Failed to create container bbc
Signed-off-by: Rachid Koucha <rachid.koucha@gmail.com>
This file grows indefinitely : upon each DHCP lease renew,
the "nameserver ..dns..." line is added at the end of the file.
Make a "grep" in the file to make sure that the same line
does not already exist.
Signed-off-by: Rachid Koucha <rachid.koucha@gmail.com>
As "which busybox" is stored in BUSYBOX_EXE
global variable at startup, use it wherever it is
needed.
Signed-off-by: Rachid Koucha <rachid.koucha@gmail.com>
Since liblxc is completely in control of the mount entry file we should
only consider a parse successful when EOF is reached.
Closes#2798.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
The busybox template installs default.script in /usr/share/udhcpc/.
But the pathname of "default.script" may vary from one busybox
build to another. As the pathname is displayed in udhcpc's help,
grab it from it.
Signed-off-by: Rachid Koucha <rachid.koucha@gmail.com>
As we call "lxc_add_state_client(fd, handler, (lxc_state_t *)req->data)"
which supposes that the last parameter is a table of MAX_STATE
entries when calling memcpy():
memcpy(newclient->states, states, sizeof(newclient->states))
Signed-off-by: Rachid Koucha <rachid.koucha@gmail.com>
If we call lxc-freeze multiple times for an already frozen container, LXC
triggers useless freezing by writing into the "freezer.state" cgroup file.
This is the same when we call lxc-unfreeze multiple times.
Checking the current state with a LXC_CMD_GET_STATE
(calling c->state) would permit to check if the container is FROZEN
or not.
Signed-off-by: Rachid Koucha <rachid.koucha@gmail.com>
This reverts commit f1bcfc796e.
The reverted branch breaks starting all seccomp confined containers. Not
even a containers with our standard seccomp profile starts correctly.
This is strong evidence that these changes have never been tested even
with a standard workload. That is unacceptable!
We are still happy to merge that feature but going forward we want tests
that verify that standard workloads and new features work correctly.
seccomp is a crucial part of our security story and I will not let the
be compromised by missing tests!
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
If the architecture is specified in the seccomp configuration, like:
```
2
whitelist errno 1
[x86_64]
accept allow
accept4 allow
```
We shoud add rules only for amd64 instead of add rules for
x32/i386/amd64.
1. If the [arch] was not specified in seccomp config, add seccomp rules
for all all compat architectures.
2. If the [arch] specified in seccomp config irrelevant to native host
arch, the rules will be ignored.
3. If specified [all] in seccomp config, add seccomp rules for all
compat architectures.
4. If specified [arch] as same as native host arch, add seccomp rules
for the native host arch.
5. If specified [arch] was not native host arch, but compat to host
arch, add seccomp rules for the specified arch only, NOT add seccomp
rules for native arch.
Signed-off-by: LiFeng <lifeng68@huawei.com>
If cgroup namespaces are not supported we should just record it in the
log and move on.
Cc: Ondrej Kubik <ondrej.kubik@canonical.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
