Alex Athanasopoulos
b68d0b8c3d
templates: use correct cron version in alpine template
Signed-off-by: Alex Athanasopoulos <alex@melato.org>
2016-09-06 17:09:55 +03:00
Christian Brauner
bca94305af
tests: add test for PR_SET_NO_NEW_PRIVS
Signed-off-by: Christian Brauner <christian.brauner@canonical.com>
2016-09-06 15:58:52 +02:00
Christian Brauner
955e2a0237
attach, start: declare PR_{S,G}ET_NO_NEW_PRIVS
Signed-off-by: Christian Brauner <christian.brauner@canonical.com>
2016-09-06 15:57:46 +02:00
Christian Brauner
222ddc91a8
doc: add lxc.no_new_privs to lxc.container.conf
Signed-off-by: Christian Brauner <christian.brauner@canonical.com>
2016-09-05 22:56:24 +02:00
Christian Brauner
2e812c16a5
attach: use PR_SET_NO_NEW_PRIVS
- When we detect that the container we want to attach to has been started with
PR_SET_NO_NEW_PRIVS, we attach with PR_SET_NO_NEW_PRIVS as well. (We might
relax this restriction later, but let's be strict for now.)
- When LXC_ATTACH_NO_NEW_PRIVS is set in the flags passed to
lxc_attach()/attach_child_main() then we set PR_SET_NO_NEW_PRIVS irrespective
of whether the container was started with PR_SET_NO_NEW_PRIVS or not.
- Set no_new_privs before lsm and seccomp. We probably don't want attach() to
be able to change the lsm or seccomp policy if the container was started with
PR_SET_NO_NEW_PRIVS enabled.
Signed-off-by: Christian Brauner <christian.brauner@canonical.com>
2016-09-05 22:56:22 +02:00
Christian Brauner
ff07d7bb5a
attach: call lxc_container_new() earlier
We will reuse the newly initialized container for PR_SET_NO_NEW_PRIVS.
Signed-off-by: Christian Brauner <christian.brauner@canonical.com>
2016-09-05 22:56:20 +02:00
Christian Brauner
1325da7eae
attach_options: add LXC_ATTACH_NO_NEW_PRIVS
Add a flag for PR_SET_NO_NEW_PRIVS. It is off by default.
Signed-off-by: Christian Brauner <christian.brauner@canonical.com>
2016-09-05 22:56:17 +02:00
Christian Brauner
029cdff582
start: set PR_SET_NO_NEW_PRIVS when requested
Set no_new_privs after setting the lsm label. If we do set it before we aren't
allowed to change the label anymore.
Signed-off-by: Christian Brauner <christian.brauner@canonical.com>
2016-09-05 22:56:06 +02:00
Christian Brauner
5a46f2831e
conf, confile: add option for PR_SET_NO_NEW_PRIVS
Signed-off-by: Christian Brauner <christian.brauner@canonical.com>
2016-09-05 20:11:12 +02:00
Christian Brauner
44c4da8e89
Merge pull request #1168 from jerome-pouiller/master
configure: add --disable-werror
2016-09-05 20:01:18 +02:00
Stéphane Graber
a47e327c4e
Merge pull request #1169 from brauner/2016-09-04/fix_syslog
syslog tweaks
2016-09-05 12:51:57 -04:00
Stéphane Graber
e3197b0c0c
Merge pull request #1167 from brauner/2016-09-03/fix_log_name
console: use correct log name
2016-09-05 12:48:25 -04:00
Christian Brauner
83319023ca
tests: add lxc.syslog tests to get_item
Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>
2016-09-05 00:36:35 +02:00
Christian Brauner
d479e1f70e
tests: fix get_item tests
Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>
2016-09-05 00:07:08 +02:00
Christian Brauner
76d0127f20
syslog: simplify and model after lxc log functions
- add lxc_syslog_priority_to_string()
- add lxc_syslog_priority_to_int()
- remove syslog_facility struct
- add lxc.syslog to lxc_getconfig struct
- adapt config_syslog() callback
Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>
2016-09-04 23:37:16 +02:00
Jérôme Pouiller
e9f34eb4e2
configure: add --disable-werror
-Werror may break builds in some scenarios over trivialities
(especially during development).
Signed-off-by: Jérôme Pouiller <jezz@sysmic.org>
2016-09-04 09:42:24 +02:00
Christian Brauner
f36e165462
console: use correct log name
lxc_console is used with lxc_console.c
Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>
2016-09-03 20:05:54 +02:00
Christian Brauner
d04d5ff1ed
Merge pull request #1163 from mabes/fix-libetc-dir
templates: remove creation of bogus directory in Debian templates
2016-09-01 17:00:16 +02:00
Maxime BESSON
c45df3b8db
templates: remove creation of bogus directory
An incorrect quoting introduced in bf39edb caused a /{lib,etc} folder to
appear in Debian templates.
The very next line:
mkdir -p "${rootfs}/etc/systemd/system/getty.target.wants
makes creating ${rootfs}/etc/systemd/system/ unnecessary in the first place.
Signed-off-by: Maxime Besson <maxime.besson@smile.fr>
2016-09-01 16:09:37 +02:00
Stéphane Graber
1f42bbcec5
Merge pull request #1162 from brauner/2016-08-31/remove_halt_symlink
templates: rm halt.target -> sigpwr.target symlink
2016-08-31 18:29:32 -04:00
Christian Brauner
8eb62c245e
templates: rm halt.target -> sigpwr.target symlink
Given commit 330ae3d350:
lxccontainer: detect if we should send SIGRTMIN+3
This is required by systemd to cleanly shutdown. Other init systems should not
have SIGRTMIN+3 in the blocked signals set.
we should stop symlinking halt.target to sigpwr.target for systemd.
Signed-off-by: Christian Brauner <cbrauner@suse.de>
2016-08-31 23:53:50 +02:00
Christian Brauner
a2226efb4a
Merge pull request #1157 from evgeni/doxygen-no-full-path-names
set FULL_PATH_NAMES=NO in doc/api/Doxyfile
2016-08-27 12:21:29 +02:00
Evgeni Golov
fef509cbc5
set FULL_PATH_NAMES=NO in doc/api/Doxyfile
otherwise the generated docs have the full build path in them
and nobody cares that the files were built in
/build/lxc-_BVY2u/lxc-2.0.4/src/lxc/
Signed-off-by: Evgeni Golov <evgeni@debian.org>
2016-08-27 12:14:59 +02:00
Christian Brauner
43ae0e64b7
Merge pull request #1155 from tych0/migration-fixes
Migration fixes
2016-08-26 23:53:35 +02:00
Tycho Andersen
f3886023c1
c/r: write status only after trying to parse the pid
Previously, we wrote a "success" status but then tried to parse the pid. This
meant that we wouldn't notice a successful restore but failure to parse the
pid, which was a little strange.
We still don't know the child pid, so we will end up with a restored
process tree and a running container, but at least in this case the API
will return false indicating that something failed.
We could kill(-1, 9) in this case, but since liblxc runs as root sometimes
(e.g. LXD), that would be a Very Bad Thing.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
2016-08-26 16:29:45 -04:00
Tycho Andersen
1f56665557
remove extra 'ret'
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
2016-08-26 16:13:06 -04:00
Christian Brauner
605bb3c847
Merge pull request #1154 from stgraber/master
c/r: Fix pid_t on some arches
2016-08-26 22:07:58 +02:00
Stéphane Graber
3eba9b495e
c/r: Fix pid_t on some arches
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2016-08-26 15:43:48 -04:00
Christian Brauner
69dffc98e3
Merge pull request #1152 from tych0/fix-migration-2.0.4
c/r: use /proc/self/tid/children instead of pidfile
2016-08-26 18:48:38 +02:00
Tycho Andersen
75d219f0cc
c/r: use /proc/self/tid/children instead of pidfile
All we really needed a unique temp file for was passing the pid. Since CRIU
opened this with O_EXCL | O_CREAT, this was "safe" (users could still
overwrite it afterwards, but the monitor would immediately die since the
only valid number in there was the init process).
In any case, we can just read /proc/self/tid/children, which lists the
child process.
Closes #1150
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
2016-08-26 16:26:50 +00:00
Serge Hallyn
e854c5e315
Merge pull request #1151 from brauner/2016-08-26/fix_lxc_device
tools: use boolean for ret in lxc_device.c
2016-08-26 10:48:29 -04:00
Christian Brauner
30a5e4367b
tools: use boolean for ret in lxc_device.c
Signed-off-by: Christian Brauner <cbrauner@suse.de>
2016-08-26 12:49:23 +02:00
Serge Hallyn
fe8ded6d57
Merge pull request #1139 from brauner/2016-08-18/use_exit_in_all_tools
tools: use exit(EXIT_*) everywhere
2016-08-26 06:15:37 -04:00
Christian Brauner
ff475ab9ff
Merge pull request #1145 from glensc/pld-patch
add PLD Linux support to upstream repo
2016-08-23 21:33:10 +02:00
Elan Ruusamäe
487ea5f603
templates: add PLD Linux support
from pld-linux repo:
https://github.com/pld-linux/lxc/commits/auto/th/lxc-2.0.4-1/lxc-pld.in.sh
https://github.com/pld-linux/lxc/commits/auto/th/lxc-2.0.4-1/lxc-pld.patch
Signed-off-by: Elan Ruusamäe <glen@delfi.ee>
2016-08-23 22:06:17 +03:00
Christian Brauner
f39f2eaaa9
Merge pull request #1148 from glensc/fed-openssl
templates: fedora requires openssl binary
2016-08-23 18:58:08 +02:00
Elan Ruusamäe
51f88c5c89
templates: fedora requires openssl binary
/usr/share/lxc/templates/lxc-fedora: line 1078: openssl: command not found
Signed-off-by: Elan Ruusamäe <glen@delfi.ee>
2016-08-23 19:32:56 +03:00
Christian Brauner
6cbcf34c00
Merge pull request #1146 from glensc/fd-200
use fd 9 instead of 200
2016-08-22 09:26:59 +02:00
Elan Ruusamäe
570c8ed7a1
templates: use fd 9 instead of 200
to catch up with mksh changes from 17abf27
Signed-off-by: Elan Ruusamäe <glen@delfi.ee>
2016-08-21 12:17:06 +03:00
Stéphane Graber
d67c0621a3
Merge pull request #1144 from brauner/2016-08-19/seccomp_non_functional_changes
seccomp: non functional changes
2016-08-19 16:05:14 -04:00
Christian Brauner
f06c6207f3
seccomp: non functional changes
- log more errnos
- adapt coding style
Signed-off-by: Christian Brauner <cbrauner@suse.de>
2016-08-19 20:50:12 +02:00
Stéphane Graber
2d7821e506
Merge pull request #1141 from brauner/2016-08-19/add_missing_arches
confile: add more archs to lxc_config_parse_arch()
2016-08-19 11:58:04 -04:00
Stéphane Graber
55fa32934f
Merge pull request #1142 from brauner/2016-08-19/add_s390x_seccomp_support
seccomp: add support for s390x
2016-08-19 11:57:28 -04:00
Christian Brauner
567b204984
seccomp: remove double include and order includes
Signed-off-by: Christian Brauner <cbrauner@suse.de>
2016-08-19 15:20:22 +02:00
Christian Brauner
be038e4948
seccomp: add support for s390x
Signed-off-by: Christian Brauner <cbrauner@suse.de>
2016-08-19 11:57:14 +02:00
Christian Brauner
08245e8c1b
confile: add more archs to lxc_config_parse_arch()
Signed-off-by: Christian Brauner <cbrauner@suse.de>
2016-08-19 11:36:11 +02:00
Christian Brauner
f4b5c87057
Merge pull request #1133 from jcowgill/mips
Add MIPS support
2016-08-18 18:49:54 +02:00
James Cowgill
d36c8ae3bf
seccomp: fix strerror()
Signed-off-by: James Cowgill <james410@cowgill.org.uk>
2016-08-18 16:49:32 +01:00
James Cowgill
e319eb3478
seccomp: Add mips and mips64 entries to lxc_config_parse_arch
Fixes "unsupported personality" warnings when starting containers.
Signed-off-by: James Cowgill <james410@cowgill.org.uk>
2016-08-18 16:49:25 +01:00
James Cowgill
6f943dd9ab
templates: Add mips hostarch detection to debian
Signed-off-by: James Cowgill <james410@cowgill.org.uk>
2016-08-18 16:49:15 +01:00