Commit Graph

11006 Commits

Author SHA1 Message Date
Christian Brauner
c4ef8f4c11
tree-wide: use call_cleaner(netns_freeifaddrs)
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-12-08 12:00:01 +01:00
Stéphane Graber
d1042c9dc4
Merge pull request #3593 from brauner/2020-12-07/bugfixes
2020 12 07/bugfixes
2020-12-07 10:25:54 -05:00
Christian Brauner
abd833eb58
macro: bump MAX_GRBUF_SIZE to 2 mb
Closes #3592.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-12-07 15:39:06 +01:00
Christian Brauner
052535c865
macro: move MAX_GRBUF_SIZE
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-12-07 11:25:58 +01:00
Stéphane Graber
065d331af0
Merge pull request #3589 from tych0/fix-nonet-cleanup
network: fix LXC_NET_NONE cleanup
2020-12-02 11:06:46 -05:00
Tycho Andersen
04213960f7
network: fix LXC_NET_NONE cleanup
We have a case where we have a nested container with LXC_NET_NONE run
inside a container that's *also* got no network namespace (run by
lxc-usernsexec).

The "am I root" check in this function then does not suffice, since the
euid of the task is 0 but it does not have privilege over its network
namespace, and thus cannot do any of the restore operations:

lxc foo 20201201232059.271 TRACE    network - network.c:lxc_restore_phys_nics_to_netns:3299 - Moving physical network devices back to parent network namespace
lxc foo 20201201232059.271 ERROR    network - network.c:lxc_restore_phys_nics_to_netns:3307 - Operation not permitted - Failed to enter network namespace
lxc foo 20201201232059.271 ERROR    start - start.c:__lxc_start:2045 - Failed to move physical network devices back to parent network namespace

Let's check that we indeed did clone the network namespace, and thus have
things to restore to their correct namespace before attempting to actually
restore them.

I suspect it's possible we can also get rid of some of the network namespace
preservation stuff in start.c in the LXC_NET_NONE case.

Signed-off-by: Tycho Andersen <tycho@tycho.pizza>
2020-12-02 06:26:18 -08:00
Stéphane Graber
55f7e4d688
Merge pull request #3586 from tenforward/japanese
doc: Add lxc.cgroup.dir.monitor.pivot to Japanese man page
2020-11-21 10:56:16 -05:00
KATOH Yasufumi
74f9fb2c9d
doc: Add lxc.cgroup.dir.monitor.pivot to Japanese man page
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
2020-11-22 00:26:35 +09:00
Stéphane Graber
4aa5a10e02
Merge pull request #3583 from brauner/2020-11-18/fixes
commands_utils: fix lxc-wait
2020-11-18 16:33:10 -05:00
Christian Brauner
d2bab66fa9
commands_utils: fix lxc-wait
Closes: #3570
Fixes: 7792a5b60f ("commands: add additional check to lxc_cmd_sock_get_state()")
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-11-18 21:06:37 +01:00
Stéphane Graber
2cc8d550f8
Merge pull request #3582 from brauner/2020-11-17/bugfixes
file_utils: fix config file parsing
2020-11-17 18:22:50 -05:00
Christian Brauner
7d84e2cd65
file_utils: fix config file parsing
We accidentally used the "bytes_to_write" variable after we've written all the
bytes, at which point it is guaranteed to be 0. Let's use the "bytes_read"
variable instead.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-11-17 22:34:05 +01:00
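A reproduction of the defect class described in the commit message above, as an added example; this is not the project's file_utils code, and the function names, the 4096-byte chunk size and the pipe-based harness are constructed for illustration. A copy routine drains its buffer with a write loop whose counter ("bytes_to_write") is decremented to 0, then reports that counter as the amount copied; the fixed variant reports what read() returned ("bytes_read"). The harness pushes a constructed config line through a pipe so the two results can be compared:

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Defective variant: after the write loop completes, bytes_to_write is
 * always 0, so the caller is told nothing was copied even though every
 * byte went out. Returns -1 on a write error. */
static ssize_t copy_chunk_buggy(int src, int dst)
{
	char buf[4096];
	const char *p = buf;
	ssize_t bytes_read = read(src, buf, sizeof(buf));
	size_t bytes_to_write;

	if (bytes_read <= 0)
		return bytes_read;

	bytes_to_write = (size_t)bytes_read;
	while (bytes_to_write > 0) {
		ssize_t n = write(dst, p, bytes_to_write);
		if (n < 0) {
			if (errno == EINTR)
				continue;
			return -1;
		}
		p += n;
		bytes_to_write -= (size_t)n;
	}
	return (ssize_t)bytes_to_write; /* BUG: guaranteed 0 here */
}

/* Fixed variant: the amount transferred is what read() handed us. */
static ssize_t copy_chunk_fixed(int src, int dst)
{
	char buf[4096];
	const char *p = buf;
	ssize_t bytes_read = read(src, buf, sizeof(buf));
	size_t bytes_to_write;

	if (bytes_read <= 0)
		return bytes_read;

	bytes_to_write = (size_t)bytes_read;
	while (bytes_to_write > 0) {
		ssize_t n = write(dst, p, bytes_to_write);
		if (n < 0) {
			if (errno == EINTR)
				continue;
			return -1;
		}
		p += n;
		bytes_to_write -= (size_t)n;
	}
	return bytes_read;
}

/* Constructed harness: feed text through a pipe, copy it with fn into a
 * second pipe, check the bytes arrived intact and return what fn reported.
 * Returns -2 if the copied bytes differ from text. */
static ssize_t demo_copy(const char *text, ssize_t (*fn)(int, int))
{
	int in[2], out[2];
	char got[4096];
	size_t len = strlen(text);
	ssize_t rc, n;

	if (pipe(in) < 0 || pipe(out) < 0)
		return -1;
	if (write(in[1], text, len) != (ssize_t)len)
		return -1;
	close(in[1]);

	rc = fn(in[0], out[1]);
	close(in[0]);
	close(out[1]);

	n = read(out[0], got, sizeof(got));
	close(out[0]);
	if (n < 0 || (size_t)n != len || memcmp(got, text, len) != 0)
		return -2;
	return rc;
}

int main(void)
{
	const char *line = "lxc.net.0.type = veth\n"; /* constructed sample */

	printf("sent %zu bytes: buggy reports %zd, fixed reports %zd\n",
	       strlen(line), demo_copy(line, copy_chunk_buggy),
	       demo_copy(line, copy_chunk_fixed));
	return 0;
}
```

The data is copied correctly in both cases; what differs is the count handed back to the parser, which is why a bug of this kind shows up as "parsed 0 bytes" rather than as corrupted output.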
Stéphane Graber
59c6b06611
Merge pull request #3581 from brauner/2020-11-16/fixes
conf: improve mountinfo and config parsing
2020-11-16 09:50:14 -05:00
Christian Brauner
a39fc34bd6
conf: switch to fd_to_fd() when copying mountinfo
Closes: #3580.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=209971
Suggested-by: Joan Bruguera <joanbrugueram@gmail.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-11-16 14:41:36 +01:00
Christian Brauner
26dffd8258
parse: rework config parsing routine
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-11-16 14:41:36 +01:00
Christian Brauner
c875dc6374
Merge pull request #3579 from lifeng68/master
cgfsng: adjust log level to warn instead of error
2020-11-13 16:03:48 +01:00
lifeng68
34375fd74c
cgfsng: adjust log level to warn instead of error
Signed-off-by: lifeng68 <lifeng68@huawei.com>
2020-11-13 13:49:21 +08:00
Stéphane Graber
74294d76f9
Merge pull request #3577 from brauner/2020-11-05/bugfixes
attach: silence stdio permission adjust warnings
2020-11-05 18:08:25 -05:00
Christian Brauner
a2c26befc9
attach: silence stdio permission adjust warnings
Closes: #3576.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-11-05 20:25:29 +01:00
Stéphane Graber
056b6a60bc
Merge pull request #3574 from Drachenfels-GmbH/seccomp-fixes
Add missing free for monitor_pivot_dir.
2020-11-05 12:50:18 -05:00
Ruben Jenster
eb60b5648b
Add missing free for monitor_pivot_dir.
Signed-off-by: Ruben Jenster <r.jenster@drachenfels.de>
2020-11-05 11:03:18 +01:00
Stéphane Graber
9f39b9e2f4
Merge pull request #3572 from brauner/2020-11-02/seccomp_nonblocking
seccomp: fixes
2020-11-02 12:58:43 -05:00
Christian Brauner
0d724ab4f4
seccomp: log aborted system calls
Suggested-by: Jann Horn <jann@thejh.net>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-11-02 16:48:52 +01:00
Christian Brauner
a60c98aaf6
seccomp: make seccomp notifier fd non-blocking
Suggested-by: Jann Horn <jann@thejh.net>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-11-02 16:48:52 +01:00
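The seccomp notifier fd itself needs a seccomp filter and the SECCOMP_IOCTL_NOTIF_RECV ioctl, so the pattern the commit above applies is shown here on an ordinary pipe instead. This is an added example, not liblxc code: the helper names (fd_make_nonblock, try_recv, wait_readable, demo_nonblock) are constructed. It sets O_NONBLOCK via fcntl(), treats EAGAIN as "nothing pending" rather than an error, and uses poll() to wait for the next event, which is what keeps a supervisor loop from parking on a fd that may never deliver:

```c
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <unistd.h>

/* Switch fd to non-blocking mode, preserving its other status flags.
 * Returns 0 on success, -1 with errno set. */
static int fd_make_nonblock(int fd)
{
	int flags = fcntl(fd, F_GETFL);

	if (flags < 0)
		return -1;
	if (flags & O_NONBLOCK)
		return 0;
	return fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0 ? -1 : 0;
}

/* Try to take one message from a non-blocking fd.
 * Returns 1 if a message was read, 0 if nothing is pending (EAGAIN),
 * -1 on any other error. On a blocking fd the same read() would
 * suspend the caller until a message arrived. */
static int try_recv(int fd, char *buf, size_t len, ssize_t *got)
{
	ssize_t n = read(fd, buf, len);

	if (n < 0) {
		if (errno == EAGAIN || errno == EWOULDBLOCK)
			return 0;
		return -1;
	}
	*got = n;
	return 1;
}

/* Wait up to timeout_ms for fd to become readable.
 * Returns 1 if readable, 0 on timeout, -1 on error. */
static int wait_readable(int fd, int timeout_ms)
{
	struct pollfd pfd = { .fd = fd, .events = POLLIN };
	int ret = poll(&pfd, 1, timeout_ms);

	if (ret < 0)
		return -1;
	return (ret > 0 && (pfd.revents & POLLIN)) ? 1 : 0;
}

/* Drive the helpers over a pipe. Returns 0 if every step behaved as
 * expected, otherwise a negative number naming the first failing step. */
static int demo_nonblock(void)
{
	int p[2];
	char buf[8];
	ssize_t got = 0;

	if (pipe(p) < 0 || fd_make_nonblock(p[0]) < 0)
		return -1;
	/* 1. nothing written yet: must report "not ready" instead of blocking */
	if (try_recv(p[0], buf, sizeof(buf), &got) != 0)
		return -2;
	/* 2. the producer side delivers one message */
	if (write(p[1], "X", 1) != 1)
		return -3;
	/* 3. poll() reports it, and the read picks it up */
	if (wait_readable(p[0], 1000) != 1)
		return -4;
	if (try_recv(p[0], buf, sizeof(buf), &got) != 1 || got != 1 || buf[0] != 'X')
		return -5;
	/* 4. queue drained: back to "not ready" */
	if (try_recv(p[0], buf, sizeof(buf), &got) != 0)
		return -6;
	close(p[0]);
	close(p[1]);
	return 0;
}

int main(void)
{
	printf("demo_nonblock: %d\n", demo_nonblock());
	return 0;
}
```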
Stéphane Graber
7fde74f375
Merge pull request #3568 from brauner/2020-10-28/fixes
coverity fixes
2020-10-28 08:02:51 -04:00
Christian Brauner
65129087f4
attach: require that LXC_ATTACH_LSM_LABEL is specified
to avoid liblxc stumbling over a smaller struct passed in from an older
liblxc. In the future we should version by size but this requires a new
attach2().

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-10-28 04:16:41 +01:00
Christian Brauner
0dde733e5a
utils: check snprintf return value
Fixes: Coverity 1465853
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-10-28 04:04:42 +01:00
Christian Brauner
8ddf34f7a0
conf: check snprintf return value
Fixes: Coverity 1465854
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-10-28 04:03:31 +01:00
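The two commits above fix unchecked snprintf() calls. As an added example (not the project's code; build_path and build_path_unchecked and the sample cgroup paths are constructed for illustration), here is the check Coverity asks for: snprintf() returns the length the complete string would have had, so a return value that is negative or not smaller than the buffer size means the result was truncated and must not be used as a path. The unchecked counterpart is kept alongside to show what a caller would otherwise act on:

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Build "<root>/<name>" in buf. Returns the length written, or -1 with
 * errno set: EINVAL on an encoding error, ENAMETOOLONG when the result
 * did not fit (snprintf() reports the untruncated length in that case). */
static int build_path(char *buf, size_t buflen, const char *root, const char *name)
{
	int ret = snprintf(buf, buflen, "%s/%s", root, name);

	if (ret < 0) {
		errno = EINVAL;
		return -1;
	}
	if ((size_t)ret >= buflen) {
		errno = ENAMETOOLONG;
		return -1;
	}
	return ret;
}

/* Unchecked counterpart: the caller receives a silently truncated path
 * and would go on to open, mkdir or rmdir the wrong object. */
static void build_path_unchecked(char *buf, size_t buflen, const char *root, const char *name)
{
	snprintf(buf, buflen, "%s/%s", root, name);
}

int main(void)
{
	char big[256], small[16];
	const char *root = "/sys/fs/cgroup";   /* constructed sample */
	const char *name = "lxc.payload/foo";  /* constructed sample */

	if (build_path(big, sizeof(big), root, name) >= 0)
		printf("ok: %s\n", big);
	if (build_path(small, sizeof(small), root, name) < 0)
		printf("rejected: %s\n", strerror(errno));
	build_path_unchecked(small, sizeof(small), root, name);
	printf("unchecked would have used: %s\n", small);
	return 0;
}
```

With a 16-byte buffer the unchecked variant yields "/sys/fs/cgroup/", which is a valid, existing directory, so the error would only surface later as an operation on the wrong cgroup.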
Christian Brauner
3715d0c03f
utils: don't deref after NULL check
Fixes: Coverity 1465855
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-10-28 04:01:19 +01:00
Christian Brauner
ec0befee94
commands: don't deref after NULL check
Fixes: Coverity 1465657
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-10-28 03:58:54 +01:00
Christian Brauner
bf0b9c1ed6
Merge pull request #3567 from blenk92/lxc-attach-selinux
lxc-attach: Enable setting the SELinux context
2020-10-27 17:45:46 +01:00
Christian Brauner
a093bb0f5c
Merge pull request #3563 from Drachenfels-GmbH/cgroup-fixes
cgroups: Introduce lxc.cgroup.dir.monitor.pivot - fixes cgroup removal on termination
2020-10-27 17:44:59 +01:00
Christian Brauner
5fd31e375f
Merge pull request #3562 from Drachenfels-GmbH/seccomp-fixes
seccomp: fix pseudo syscalls, improve logging and avoid duplicate processing
2020-10-27 17:44:38 +01:00
Christian Brauner
10397a8031
Merge pull request #3565 from Drachenfels-GmbH/test-fixes
tests: Fix compilation with apparmor enabled.
2020-10-27 17:14:16 +01:00
Christian Brauner
dd8d550919
Merge pull request #3564 from Drachenfels-GmbH/fixes
lxccontainer: fix lxc_config_item_is_supported
2020-10-27 17:12:51 +01:00
Maximilian Blenk
8455e39efe
lxc-attach: Enable setting the SELinux context
Enable lxc-attach to set the SELinux context that the user will end up
in when attaching to a container (This can be used to overwrite the
context set in the config file). If the option is not used, behavior
will be as before

Signed-off-by: Maximilian Blenk <Maximilian.Blenk@bmw.de>
2020-10-27 17:03:20 +01:00
Ruben Jenster
beff993939
tests: Fix compilation with apparmor enabled.
Signed-off-by: Ruben Jenster <r.jenster@drachenfels.de>
2020-10-27 09:48:34 +01:00
Ruben Jenster
6eb516a793
lxccontainer: fix lxc_config_item_is_supported
Use exact match instead of longest prefix match
to check whether a config item is supported.

Signed-off-by: Ruben Jenster <r.jenster@drachenfels.de>
2020-10-27 09:47:55 +01:00
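The commit above replaces a longest-prefix match with an exact match. As an added example (not liblxc's lxc_config_item_is_supported or its key table; the supported_keys list and the probe keys are constructed for illustration), the two lookup rules side by side show why the prefix rule is too permissive: any key that merely begins like a real one is accepted, so a typo or an unsupported sub-key is reported as supported:

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a table of supported config keys (not LXC's own). */
static const char *const supported_keys[] = {
	"lxc.cgroup.dir",
	"lxc.cgroup.dir.monitor",
	"lxc.cgroup.dir.monitor.pivot",
	"lxc.seccomp.profile",
	NULL,
};

/* Prefix lookup: the key is "supported" if any table entry is a prefix of
 * it. Whether the longest or the first prefix is chosen makes no difference
 * to the yes/no answer, and that answer is wrong for anything that only
 * starts like a supported key. */
static bool is_supported_prefix(const char *key)
{
	for (const char *const *k = supported_keys; *k; k++)
		if (strncmp(key, *k, strlen(*k)) == 0)
			return true;
	return false;
}

/* Exact lookup: the key must equal a table entry byte for byte. */
static bool is_supported_exact(const char *key)
{
	for (const char *const *k = supported_keys; *k; k++)
		if (strcmp(key, *k) == 0)
			return true;
	return false;
}

int main(void)
{
	/* constructed probes: one real key, a typo, an unsupported sub-key,
	 * and a bare prefix of a real key */
	const char *probes[] = {
		"lxc.cgroup.dir.monitor.pivot",
		"lxc.cgroup.dirty",
		"lxc.seccomp.profile.extra",
		"lxc.seccomp",
	};

	for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
		printf("%-32s prefix=%d exact=%d\n", probes[i],
		       is_supported_prefix(probes[i]), is_supported_exact(probes[i]));
	return 0;
}
```

Only the first probe is accepted by both rules; the prefix rule also accepts "lxc.cgroup.dirty" and "lxc.seccomp.profile.extra", which is exactly the false positive the fix removes.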
Ruben Jenster
7696c1f9d1
Introduce lxc.cgroup.dir.monitor.pivot
On termination lxc may fail to remove either lxc.cgroup.dir or lxc.cgroup.dir.monitor,
because the monitor process may still be a member of either of these cgroups.
The pivot cgroup should not be a member (subpath) of any other container cgroup (dir),
because only empty cgroups can be removed.

Signed-off-by: Ruben Jenster <r.jenster@drachenfels.de>
2020-10-27 09:23:01 +01:00
Ruben Jenster
15044cd19c
seccomp: Avoid duplicate processing of rules for host native arch.
Signed-off-by: Ruben Jenster <r.jenster@drachenfels.de>
2020-10-27 08:37:52 +01:00
Ruben Jenster
0ff0d23e40
seccomp: Fix handling of pseudo syscalls and improve logging for rule processing.
Signed-off-by: Ruben Jenster <r.jenster@drachenfels.de>
2020-10-27 08:35:00 +01:00
Stéphane Graber
c8fe11552a
Merge pull request #3561 from tenforward/japanese
Update Japanese pam_cgfs(8) to reflect lack of support for pure cgroupv2
2020-10-24 13:59:10 -04:00
KATOH Yasufumi
bf73687ae5
Update Japanese pam_cgfs(8) to reflect lack of support for pure cgroupv2
Update for commit b87ed83bbc

Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
2020-10-25 01:35:35 +09:00
Stéphane Graber
c639f45ee5
Merge pull request #3559 from brauner/2020-10-20/fixes
conf: account for early return when sending devpts fd
2020-10-20 12:21:53 -04:00
Christian Brauner
185b9ee91b
conf: account for early return when sending devpts fd
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-10-20 17:41:06 +02:00
Stéphane Graber
f4da1c37e6
Merge pull request #3558 from brauner/2020-10-20/fixes
conf: always send response to parent waiting for devptfs_fd
2020-10-20 08:22:49 -04:00
Christian Brauner
68f3899e4a
conf: always send response to parent waiting for devptfs_fd
When no devpts devices are requested we used to return early but did not send a
response to the parent. This is a problem because the parent will be waiting
for a devpts fd to be sent. Make sure to always send a response.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-10-20 13:34:24 +02:00
Stéphane Graber
1593efb5d7
Merge pull request #3556 from brauner/2020-10-19/fixes
startup fixes
2020-10-19 08:29:16 -04:00
Christian Brauner
fbfe5c8208
start: improve devpts fd sending
Closes: #3549.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-10-19 12:18:54 +02:00
Christian Brauner
5befd767a6
sync: log synchronization states
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-10-19 12:18:53 +02:00