We want to close all inherited fds in three cases - one, if a container
is daemonized. Two, if the user specifies -C on the lxc-start command
line. Three, in src/lxc/monitor.c. The presence of -C is passed in the
lxc_conf, which may not always exist.
One call to lxc_check_inherited was being done from lxc_start(), which
doesn't know whether we are daemonized. Move that call to its caller,
lxcapi_start(), which does know.
Pass an explicit closeall boolean as second argument to lxc_check_inherited.
If it is true, then all fds are closed. If it is false, then we check
the lxc_conf->close_all_fds.
With this, all tests pass, and the logic appears correct.
Note that when -C is not true, then we only warn about inherited fds,
but we do not abort the container start. This appears to have been the case
since commit 92c7f62955 in 2011. Unfortunately the referenced URL with
the justification is no longer valid. We may want to consider becoming
stricter about this again. (Note that the commit did say "for now".)
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
We fixed this some time ago for basic lxc-start, but never did
lxc-start-ephemeral.
Since the lxc-start patches were pushed, Miklos has given us a
way to detect whether we need the workdir= option. So the
bdev.c code could be simplified to check for "overlay\n" in
/proc/filesystems just as lxc-start-ephemeral does. This
patch doesn't do that.
Changelog (v2):
1. use 'overlay' fstype for new overlay upstream module
2. avoid using unneeded readlines().
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Containers fail to start with configs (as shown below) where the same
vlan id is used for several type=vlan container interfaces.
Then, during the instantiation of the vlan interfaces, an error occurs
because the lxc code tries to assign the same temporary name to both
of them before it is bound into the container.
> lxc.network.type = vlan
> lxc.network.flags = up
> lxc.network.link = eth1
> lxc.network.vlan.id = 3842
> lxc.network.name = iso0
>
> lxc.network.type = vlan
> lxc.network.flags = up
> lxc.network.link = eth2
> lxc.network.vlan.id = 3842
> lxc.network.name = iso1
Signed-off-by: Axel Neumann <neumann@cgws.de>
This isn't the perfect fix. In fact close_all_fds shouldn't be stored
in the lxc_conf. But this will fix the tests short-term.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Riya Khanna reported that with a ramfs rootfs the mount to make
/ rprivate was returning -EFAULT. NULL was being passed as the
mount target. Pass "/" instead.
Reported-by: riya khanna <riyakhanna1983@gmail.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
When containers request to be daemonized, close-all-fd is
set to true. But when we switched to daemonize-by-default we didn't
set close-all-fd by default.
Fix that. In order to do that we have to always have a lxc_conf
object. As a consequence, after this patch we can drop a bunch
of checks for c->lxc_conf existing. We should consider removing
those. This patch does not do that.
This should close https://github.com/lxc/lxc/issues/354
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Just like we block access to mem and kmem, there's no good reason for
the container to have access to kcore.
Reported-by: Marc Schaefer
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Alpine Linux provides yaml files with latest release instead of the old
approach with .latest.txt.
Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
fedora-release has been split into fedora-release and fedora-repos.
Signed-off-by: Michael Adam <obnox@samba.org>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This is to prevent systemd-journald from entering a 100% cpu loop.
Signed-off-by: Michael Adam <obnox@samba.org>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
In contrast to what the comment above the line disabling it said,
it seems to work just fine. It also is needed on current kernels
(until Eric's patch hits upstream) to prevent unprivileged containers
from hosing fuse filesystems they inherit.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
If a container has a bind mount from a host nfs or fuse
filesystem, and does 'umount -f', it will disconnect the
host's filesystem. This patch adds a seccomp rule to
block umount -f from a container. It also adds that rule
to the default seccomp profile.
Thanks stgraber for the idea :)
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
There are now two (permitted) ways to add data to a netlink message:
1. put_xxx()
2. call nlmsg_reserve() to get a pointer to newly reserved room within the
original netlink message, then write or memcpy data to that area.
Both of them guarantee that adding data of the requested length does not overflow the
pre-allocated message buffer by checking against its cap field first.
And there may be no need to access nlmsg_len outside the nl module, because both
put_xxx() and nlmsg_reserve() have already done that for us.
Signed-off-by: Shuai Zhang <zs.broccoli@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
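The two rules the message above states (every write goes through a reserve that checks the cap field, and nothing outside the module touches nlmsg_len) in a small self-contained C sketch. This is an added illustration, not LXC's nl.c; struct nlhdr, struct nlmsg, nlmsg_init and nlmsg_put_string are hypothetical names of my own, and the layout is simplified.

```c
/* Hypothetical stand-alone illustration of the cap-checked reserve described
 * in the commit message; not LXC's nl.c, the struct layout is my own. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NLMSG_ALIGN(len) (((len) + 3U) & ~3U)   /* netlink 4-byte alignment */

struct nlhdr { uint32_t nlmsg_len; uint16_t nlmsg_type; uint16_t nlmsg_flags; };
/* cap is the size of the caller-provided buf and is fixed after init. */
struct nlmsg { size_t cap; unsigned char *buf; };

int nlmsg_init(struct nlmsg *m, unsigned char *buf, size_t cap)
{
    if (cap < sizeof(struct nlhdr))
        return -1;
    m->cap = cap;
    m->buf = buf;
    ((struct nlhdr *)buf)->nlmsg_len = sizeof(struct nlhdr); /* header only */
    return 0;
}

/* Bytes used so far; the only accessor other modules should need. */
uint32_t nlmsg_len(const struct nlmsg *m) { return ((const struct nlhdr *)m->buf)->nlmsg_len; }

/* Reserve len bytes (padded to alignment). Returns the new room, or NULL when
 * it would exceed cap; nlmsg_len only advances after the check passes. */
void *nlmsg_reserve(struct nlmsg *m, size_t len)
{
    struct nlhdr *h = (struct nlhdr *)m->buf;
    size_t padded = NLMSG_ALIGN(len);
    if (padded < len || padded > m->cap - h->nlmsg_len)
        return NULL;
    void *room = m->buf + h->nlmsg_len;
    h->nlmsg_len += (uint32_t)padded;
    return room;
}

/* A put_xxx()-style helper: it can only write through the checked reserve. */
int nlmsg_put_string(struct nlmsg *m, const char *s)
{
    size_t n = strlen(s) + 1;
    char *room = nlmsg_reserve(m, n);
    if (!room)
        return -1;
    memcpy(room, s, n);
    return 0;
}
```

A failed reserve leaves nlmsg_len unchanged, so the partially built message is still valid and can be sent or discarded by the caller.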
When waitpid() is interrupted, errno is not set to the negative
value -EINTR. It is set to EINTR. Check against EINTR.
Signed-off-by: Arjun Sreedharan <arjun024@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
The previous error message made it look like the host interface name was
the concatenation of both the host and guest interface names.
Closes #374
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Do as much as possible to allow containers switching from non-systemd to
systemd to work as intended (but nothing that will cause side effects).
Use update-rc.d disable instead of remove so the init scripts are not
re-enabled when the package is updated.
Signed-off-by: Cameron Norman <camerontnorman@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This reverts commit 55ae7edb18.
This change caused hangs in the testsuite, specifically with lxc-user-nic.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Ran into this when trying to automate stgraber's "GUI in containers"
post.
Signed-off-by: Casey Marshall <casey.marshall@canonical.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This is a copy of patch version 3 for issue #278 on the issue-tracker:
- Allow multiple bind-mounts (--bdir) and multiple cow-mounts (--cdir).
- Further fixes to permissions throughout lxc-start-ephemeral (annotated
in the code).
Signed-off-by: Oleg Freedholm <overlayfs@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>