With this patch, if an unprivileged user has $HOME 700 or
750 and does
lxc-start -n c1
he'll see an error like:
lxc_container: Permission denied - could not access /home/serge. Please grant it 'x' access, or add an ACL for t he container root.
(This addresses bug pad.lv/1277466)
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
- Change redirection of fd 200 to 9 (greater than 9 may conflict with
fd the shell uses internally)
- Replace numeric line addressing of ed to regular expression to avoid
correcting the line addressing at each modification of init scripts
- Correct the option order (trivial)
Signed-off-by: TAMUKI Shoichi <tamuki@linet.gr.jp>
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
The goal is to avoid an absolute symlink in the guest redirecting
us to the host's /dev. Thanks to the libvirt team for considering
that possibility!
We want to work on kernels which do not support setns, so we simply
chroot into the container before doing any rm/mknod. If /dev/vda5
is a symlink to /XXX, or /dev is a symlink to /etc, this is now
correctly resolved locally in the chroot.
We would have preferred to use realpath() to check that the resolved
path is not changed, but realpath across /proc/pid/root does not
work as expected.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This fixes a crash in lxc-autostart following the addition of
lxc_log_init as lxc-autostart doesn't use the name property.
Signed-off-by: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
The previous change to support http proxies only worked when http_proxy
was set... Instead add some detection code and only use :80 when using
http_proxy.
That's a bit of a workaround, but it's the only way I could find to get
GPG to work with http_proxy.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
This op will be used on older kernels where container shutdown via reboot(2)
is not implemented and we use the utmp watching code.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
- refactor cgroup into two backends, the classic cgfs driver and the new
cgmanager. Instead of lxc_handler knowing about the internals of each,
have it just store an opaque pointer to a struct that is private to
each backend.
- rename a couple of cgroup functions for consistency: those that are
considered an API (ie. exported by lxc.h) begin with lxc_ and those that
are not are just cgroup_*
- made as many backend routines static as possible, only cg*_ops_init is
exported
- made a nrtasks op which is needed by the utmp code for monitoring
container shutdown, currently only implemented for the cgfs backend
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
This is just a move without any changes so history will be preserved.
Makefile.am was modified so that lxc will still build and run.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
For all templates except lxc-ubuntu-cloud and lxc-download, detect not
only --mapped-uid but also --mapped-gid and error out. Detecting will
not be done after -- parameter because of non-option parameters.
Also, change the mode of lxc-archlinux.in 100755 to 100644.
Signed-off-by: TAMUKI Shoichi <tamuki@linet.gr.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Change the license from GPL to LGPL to avoid a tricky license situation
for liblxc.so.
Signed-off-by: Jonas Eriksson <jonas.eriksson@enea.com>
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
lxc.id_map bug when writing directly to /proc/pid/[ug]id_map
There's some code in src/lxc/conf.c that sets up the UID/GID mapping. It
can use the external newuidmap/newgidmap tools, or it can write to
/proc/pid/[ug]id_map directly. The latter case is broken: lines are written
without a newline (\n) at the end. This patch fixes that. Note that
I did not check if the newuidmap/newgidmap case still works. It should,
but I wasn't able to test it.
Signed-off-by: Miquel van Smoorenburg <mikevs@xs4all.net>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
This sets lxc_log_define to what should be appropriate values for all
existing binaries that call lxc_log_init.
The name is lxc_<bin name>_ui for anything that's user visible and
lxc_<bin name> for anything that's not.
The parent is set to "lxc" for anything using the API and to the
matching C file name for anything that isn't.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
- configure fails to compile the cgmanager test without -lnih -lnih-dbus
- fix include path from cgmanger commit f1d9bd1a
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
In current LXC, loglevel and logfile are write-once functions.
That behaviour was appropriate when those two were first introduced
(pre-API) but with current API, one would expect to be able to
set_config_item those multiple times.
So instead, introduce lxc_log_options_no_override which when called
turns those two config keys read-only and have all existing binaries
which use log_init call that function once they're done setting the
value requested by the user.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
That way templates can fix group ownership alongside uid ownership.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Only the download and ubuntu-cloud templates work with unprivileged
containers, for all others, detect --mapped-uid and error out as early
as possible, recommending the use of the download template.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>
This change introduces a flag --repo to the lxc-centos template
to allow using a local repository (e.g. a loop mounted installer
iso on your web server).
Signed-off-by: Harald Dunkel <harri@afaics.de>
Acked-by: Michael H. Warfield <mhw@WittsEnd.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
If a user in cgroup /a/b/c does 'lxc-start -n u1', then u1
should be started under /a/b/c/u1. However if he does
'sudo lxc-start -n u1', then that cgroup shoudl start under
/lxc/u1.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
With this change, shutdown() will no longer call stop() after the
timeout, instead it'll just return false and it's up to the caller to
then call stop() if appropriate.
This also updates the bindings, tests and other scripts.
lxc-stop is then updated to do proper option checking and use shutdown,
stop or reboot as appropriate.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
In order for attach to work, the container owner must be able to
write to the tasks file. Therefore we make the container's cgroup
owned by the container root group, but the container owner uid.
So for the container root to be allowed to create new cgroups, it
needs group write perms.
With this patch, an unprivileged container with an
lxc.mount.auto = cgroup entry entry can run the cgproxy and pass
all cgmanager tests.
Acls would have been another way to do this, but are not yet being
used/exported by cgmanager.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
The timeout argument should be handled as follows:
-1 => Wait forever
0 => Don't wait
> 0 => Wait for timeout seconds
Without this patch, the 0 case is mapped to -1.
Signed-off-by: Robert Vogelgesang <vogel@users.sourceforge.net>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This introduces a new lxc.rootfs.options which lets you pass new
mountflags/mountdata when mounting the root filesystem.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
To be more consistent with other cgroup_ops methods, in the hopes
of having less return-value-related mixups.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
If it (or any variation thereof) is in the container configuration,
then mount /sys/fs/cgroup/cgmanager.lower (if it exists) or
/sys/fs/cgroup/cgmanager into the container so it can run a
cgproxy.
Also make sure to clear our groups when we start or attach to a
container. Else with unprivileged containers we end up with
lots of nogroups listed in /proc/1/status.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
The cgroupfs-specific code is moved from attach.c to cgroup.c.
lxc-cgmanager now only chgrps the container's cgroup, so that the
unprivileged user still owns the tasks file allowing him to enter
the container cgroup (for attach).
Some other changes rolled into the cgmanager update:
Make the list of subsystems not per-handler, as it will not change. As
a result, the only state we need to keep in the per-handler cgroup data
is the char *cgroup_path, so we can drop the cgm_data struct altogether.
Catch nih errors (as not doing so causes later crashes).
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
| host arch | arm64 | armhf | armel |
-------------------------------------
| arm64 | X | X | X |
| armhf | | X | X |
| armel | | X | X |
-------------------------------------
Although optional, all existing arm64 silicon supports 32bit instructions.
armel/armhf is only a userspace change, so they are interchangeable.
However armhf isn't supported on all armel platforms (e.g. armv6) but
all those we support have hard-float.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
* ppc64el images now exist and generally function.
Instead of failing because an arch isnt in the list,
let that check happen by ability to download something.
* update the hard coded ubuntu releases to know about 'trusty'
and drop no longer supported releases (consistent with behavior
when distro-info is available)
* shorten the logic that decides if host and container arch
are supported.
* support skipping "invalid arch" check entirely via undocumented
variable UCTEMPLATE_SKIP_ARCH_CHECK.
* update usage to reference 'tryreleased' as the default 'stream'
* give good error message if user tries 'released' and there
is no released version available.
Signed-off-by: Scott Moser <smoser@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Change lxc-stop's argument parsing so that it matches what the help option
and the man page both describe.
Signed-off-by: Robert Vogelgesang <vogel@users.sourceforge.net>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
