This patch allows users to start containers in AppArmor namespaces.
Users can define their own profiles for their containers, but
lxc-start must be allowed to change to a namespace.
A container configuration file can wrap a container in an AppArmor
profile using lxc.aa_profile.
A process in an AppArmor namespace is restricted to viewing
or managing only the profiles belonging to this namespace, as if no
other profiles existed. A namespace can be created as follows:
sudo mkdir /sys/kernel/security/apparmor/policy/namespaces/$NAMESPACE
AppArmor can stack profiles so that the contained process is bound
by the intersection of all profiles of the stack. This is achieved
using the '//&' operator as follows:
lxc.aa_profile = $PROFILE//&:$NAMESPACE://unconfined
In this case, even though the guest process appears unconfined in the
namespace, it is still confined by $PROFILE.
A guest allowed to access "/sys/kernel/security/apparmor/** rwklix,"
will be able to manage its own profile set, while still being
enclosed in the topmost profile $PROFILE.
Different guests can be assigned the same namespace or different
namespaces. In the first case, they will share their profiles.
In the second case, they will have distinct sets of profiles.
This is validated on privileged containers.
Signed-off-by: Frédéric Dalleau <frederic.dalleau@collabora.com>
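As an added example, not part of this patch or of the LXC code base, a small Python audit that parses stacked lxc.aa_profile values using the '//&' and ':NAMESPACE://' syntax described above and reports which guests share a namespace; the function names and sample values are assumptions.

```python
# Added example, not part of the LXC patch: parse stacked lxc.aa_profile
# values ("PROFILE//&:NAMESPACE://PROFILE") and report how each guest is
# confined. Function names and the sample values are assumptions.
import re

NS_RE = re.compile(r"^:([^:/]+)://(.*)$")  # ":NAMESPACE://profile"

def parse_stack(value):
    """Split on the '//&' operator; each element is (namespace or None, profile)."""
    stack = []
    for part in value.split("//&"):
        m = NS_RE.match(part)
        stack.append((m.group(1), m.group(2)) if m else (None, part))
    return stack

def confinement(value):
    """Effective confinement: the guest is bound by the intersection of all
    stacked profiles, so 'unconfined' inside a namespace does not relax an
    outer profile."""
    stack = parse_stack(value)
    return {
        "outer_profiles": [p for ns, p in stack if ns is None and p != "unconfined"],
        "namespaces": sorted({ns for ns, _ in stack if ns}),
        # Only if every element is unconfined is the guest really unconfined.
        "unconfined": all(p == "unconfined" for _, p in stack),
    }

def shared_namespaces(guests):
    """Map each namespace to the guests placed in it (only where shared).
    Guests in one namespace share a profile set, so a guest allowed to manage
    its own profiles is managing the set its neighbours are bound by too."""
    by_ns = {}
    for name, value in guests.items():
        for ns in confinement(value)["namespaces"]:
            by_ns.setdefault(ns, []).append(name)
    return {ns: sorted(g) for ns, g in by_ns.items() if len(g) > 1}

# Constructed sample lxc.aa_profile values for four guests.
SAMPLE = {
    "web": "lxc-container-default//&:tenant-a://unconfined",
    "db": "lxc-container-default//&:tenant-a://unconfined",
    "batch": "lxc-container-default//&:tenant-b://unconfined",
    "legacy": "unconfined",
}

if __name__ == "__main__":
    for name, value in SAMPLE.items():
        print(name, confinement(value))
    print("shared:", shared_namespaces(SAMPLE))
```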
This patch mainly updates the message format to:
* uppercase the first letter
* end without a dot
All changes are related to `lxc-init`.
Signed-off-by: Long Wang <w@laoqinren.net>
Use the cppcheck tool (`cppcheck --enable=warning .`) on the lxc source directory.
This patch fixes the following warnings:
```
[src/lxc/cgroups/cgfs.c:794]: (warning) %ld in format string (no. 3) requires 'long' but the argument type is 'unsigned long'.
[src/lxc/confile.c:4441]: (warning) %d in format string (no. 2) requires 'int' but the argument type is 'unsigned int'.
[src/lxc/confile.c:4502]: (warning) %d in format string (no. 2) requires 'int' but the argument type is 'unsigned int'.
[src/lxc/confile_legacy.c:921]: (warning) %d in format string (no. 2) requires 'int' but the argument type is 'unsigned int'.
[src/lxc/confile_legacy.c:938]: (warning) %d in format string (no. 2) requires 'int' but the argument type is 'unsigned int'.
[src/lxc/lxclock.c:63]: (warning) %zd in format string (no. 1) requires 'ssize_t' but the argument type is 'size_t {aka unsigned long}'.
[src/lxc/tools/lxc_info.c:118]: (warning) %u in format string (no. 1) requires 'unsigned int' but the argument type is 'signed int'.
[src/lxc/tools/lxc_info.c:118]: (warning) %u in format string (no. 2) requires 'unsigned int' but the argument type is 'signed int'.
[src/lxc/tools/lxc_info.c:123]: (warning) %u in format string (no. 1) requires 'unsigned int' but the argument type is 'signed int'.
[src/lxc/tools/lxc_info.c:127]: (warning) %u in format string (no. 1) requires 'unsigned int' but the argument type is 'signed int'.
[src/lxc/tools/lxc_info.c:130]: (warning) %u in format string (no. 1) requires 'unsigned int' but the argument type is 'signed int'.
[src/lxc/tools/lxc_top.c:212]: (warning) %u in format string (no. 1) requires 'unsigned int' but the argument type is 'signed int'.
[src/lxc/tools/lxc_top.c:212]: (warning) %u in format string (no. 2) requires 'unsigned int' but the argument type is 'signed int'.
[src/lxc/tools/lxc_top.c:217]: (warning) %u in format string (no. 1) requires 'unsigned int' but the argument type is 'signed int'.
[src/lxc/tools/lxc_top.c:221]: (warning) %u in format string (no. 1) requires 'unsigned int' but the argument type is 'signed int'.
[src/lxc/tools/lxc_top.c:224]: (warning) %u in format string (no. 1) requires 'unsigned int' but the argument type is 'signed int'.
```
Signed-off-by: Long Wang <w@laoqinren.net>
Added [-a|--apt-conf] parameter for selection of exact package
providing 'apt-conf'. By default 'apt-conf-sisyphus' is used for
Sisyphus and 'apt-conf-branch' for the rest of branches.
Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
This PR https://github.com/lxc/lxc/pull/1618 kills lxc-monitord; for backwards compatibility,
we also send the state to the legacy lxc-monitord state server in function `lxc_set_state`.
We should also send the state if there are no state clients registered, otherwise the `lxc-monitor` client will
not get the state change event if the container changed state to `STARTING` or `RUNNING`.
Signed-off-by: 0x0916 <w@laoqinren.net>
lxc-monitor has an option to tell lxc-monitord to quit.
```
~/lxc (master) # lxc-monitor --help
lxc-monitor monitors the state of the NAME container
Options :
-n, --name=NAME NAME of the container
NAME may be a regular expression
-Q, --quit tell lxc-monitord to quit
```
But it does not work. This patch fixes that.
Signed-off-by: 0x0916 <w@laoqinren.net>
* rename lxc.haltsignal to lxc.signal.halt
* rename lxc.rebootsignal to lxc.signal.reboot
* rename lxc.stopsignal to lxc.signal.stop
The legacy keys will be kept around until LXC 3.0 and then will be
removed.
Signed-off-by: 0x0916 <w@laoqinren.net>
* rename lxc.logfile to lxc.log.file
* rename lxc.loglevel to lxc.log.level
* rename lxc.syslog to lxc.log.syslog
The legacy keys will be kept around until LXC 3.0 and then will be
removed.
Signed-off-by: 0x0916 <w@laoqinren.net>
* rename lxc.init_cmd to lxc.init.cmd
* rename lxc.init_uid to lxc.init.uid
* rename lxc.init_gid to lxc.init.gid
The legacy keys will be kept around until LXC 3.0 and then will be
removed.
Signed-off-by: 0x0916 <w@laoqinren.net>
`lxc_clear_nic` cannot clear the nic, because it will not find
the right `netdev`.
Test case from get_item.c:
```
313 if (!c->set_config_item(c, "lxc.network.hwaddr", "00:16:3e:xx:xx:xx")) {
314 fprintf(stderr, "%d: failed to set network.hwaddr\n", __LINE__);
315 goto out;
316 }
317 if (!c->set_config_item(c, "lxc.network.ipv4", "10.2.3.4")) {
318 fprintf(stderr, "%d: failed to set ipv4\n", __LINE__);
319 goto out;
320 }
321
322 ret = c->get_config_item(c, "lxc.network.0.ipv4", v2, 255);
323 if (ret <= 0) {
324 fprintf(stderr, "%d: lxc.network.0.ipv4 returned %d\n", __LINE__, ret);
325 goto out;
326 }
327 if (!c->clear_config_item(c, "lxc.network.0.ipv4")) {
328 fprintf(stderr, "%d: failed clearing all ipv4 entries\n", __LINE__);
329 goto out;
330 }
331 ret = c->get_config_item(c, "lxc.network.0.ipv4", v2, 255);
332 if (ret != 0) {
333 fprintf(stderr, "%d: after clearing ipv4 entries get_item(lxc.network.0.ipv4 returned %d\n", __LINE__, ret);
334 goto out;
335 }
```
Line `327` will fail to clear the nic, and line `333` gives the error.
Signed-off-by: 0x0916 <w@laoqinren.net>
`lxc_config_net_hwaddr` returns true if the config entry
is `lxc.network.hwaddr`, `lxc.net.[i].hwaddr`, or `lxc.network.[i].hwaddr`.
Signed-off-by: 0x0916 <w@laoqinren.net>
This patch wipes all references to lxc.network{[i]}.*
and replaces them with lxc.net.{[i]}.* in templates, documentation
and configuration files.
Signed-off-by: 0x0916 <w@laoqinren.net>