Since we can call that function from another mount namespace we need to
do this manually.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
bpf_devices_cgroup_supported() tries to load a simple BPF program to
test if BPF works. This is problematic because the function used to load
the program - bpf_program_load_kernel() - emits an error to the log if
BPF is not enabled in the kernel although device controller is not
requested in the configuration. Users could interpret that as a problem.
Make bpf_devices_cgroup_supported() check if the BPF syscall is available
before calling bpf_program_load_kernel(). We can do it by passing a NULL
pointer instead of the syscall argument as the kernel returns either
ENOSYS, when the syscall is not implemented or EFAULT, when it is
implemented.
Signed-off-by: Petr Malat <oss@malat.biz>
If a device file is opened and there isn't the underlying device,
the open call fails with ENXIO, but the path can be opened with
O_PATH, which is enough for mounting over the device file.
Generalize this idea and use O_PATH for all cases when the file
is there. One still must check for both ENXIO and EEXIST as it's
unspecified what error is reported if multiple error conditions
occur at the same time.
Signed-off-by: Petr Malat <oss@malat.biz>
With the changes introduced in:
b7b1e3a34c
the hierarchy-struct did not have the path_lim set anymore, which is
needed by setup_limits_legacy (->cg_legacy_set_data->lxc_write_openat)
to actually access the cgroup directory.
The issue can be reproduced with a container config having
```
lxc.cgroup.devices.deny = a
```
(or any lxc.cgroup.devices entry) set on a system booted with
systemd.unified_cgroup_hierarchy=0.
This affects all privileged containers on PVE (due to the default
devices.deny entry).
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
This is not a fatal error and the fallback codepath is equally safe.
When we use TIOCGPTPEER we're using a stashed fd to the container's
devpts mount's ptmx device and allocating a new fd non-path based
through this ioctl. If this ioctl can't be used we're falling back to
allocating a pts device from the host's devpts mount's ptmx device which
is path-based but is not under control of the container and so that's
safe. The difference is just that the first method gets you a nice
native terminal with all the pleasantries of having tty and friends
working whereas the latter method does not.
Fixes: #3625
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Use as much as possible from each command `--help` for completion.
Some options require a long list of completions that should be dumped by
some command option. These are not added here yet.
Examples of those are: `lxc-info --config`, `lxc-execute --define` and
`lxc-start --define`.
Signed-off-by: Edenis Freindorfer Azevedo <edenisfa@gmail.com>
By default, there is no out-of-the-box bash completion for lxc tools.
This is due to dynamic loading of completions, that requires the
completion filename to be the same as the command (e.g. `lxc-start`
expects a completion filename `lxc-start`). But all commands are in file
`lxc`, which is not read.
Signed-off-by: Edenis Freindorfer Azevedo <edenisfa@gmail.com>
If an include directive ends with a trailing slash, we now
always assume it is a directory and do not treat the
non-existence as an error.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
