For generated profiles with apparmor namespaces we get
profile names with slashes in them. To match those, we need
to allow changing to lxc-**, not just lxc-*.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
openSUSE Leap 15 is using --libdir=/usr/lib64 when building for
x86_64 so we need to allow this path in the apparmor profiles.
Link: https://bugzilla.opensuse.org/show_bug.cgi?id=1099239
Signed-off-by: Markos Chandras <mchandras@suse.de>
Unprivileged containers can safely mount /sys as read-write. This also allows
systemd-udevd to be started in unprivileged containers.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
- remove legacy binaries
- conditionalize creation of docs and tests for the command line tools and the
shared library helper commands
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Excerpt from dnsmasq(8):
By default, the DHCP server will attempt to ensure that an address in not
in use before allocating it to a host. It does this by sending an ICMP echo
request (aka "ping") to the address in question. If it gets a reply, then the
address must already be in use, and another is tried. This flag disables this check.
This is useful if one expects all the containers to get an IP address
from the LXC authoritative DHCP server and wants to speed up the process
of getting a lease.
Signed-off-by: Jonathan Calmels <jcalmels@nvidia.com>
This patch allows users to start containers in AppArmor namespaces.
Users can define their own profiles for their containers, but
lxc-start must be allowed to change to a namespace.
A container configuration file can wrap a container in an AppArmor
profile using lxc.aa_profile.
A process in an AppArmor namespace is restricted to view
or manage only the profiles belonging to this namespace, as if no
other profiles existed. A namespace can be created as follow:
sudo mkdir /sys/kernel/security/apparmor/policy/namespaces/$NAMESPACE
AppArmor can stack profiles so that the contained process is bound
by the intersection of all profiles of the stack. This is achieved
using the '//&' operator as follow:
lxc.aa_profile = $PROFILE//&:$NAMESPACE://unconfined
In this case, even the guest process appears unconfined in the
namespace, it is still confined by $PROFILE.
A guest allowed to access "/sys/kernel/security/apparmor/** rwklix,"
will be able to manage its own profile set, while still being
enclosed in the topmost profile $PROFILE:
Different guests can be assigned the same namespace or different
namespaces. In the first case, they will share their profiles.
In the second case, they will have distinct sets of profiles.
This is validated on privileged containers.
Signed-off-by: Frédéric Dalleau <frederic.dalleau@collabora.com>
* rename lxc.haltsignal to lxc.signal.halt
* rename lxc.rebootsignal to lxc.signal.reboot
* rename lxc.stopsignal to lxc.signal.stop
the legacy keys will be kept around until LXC 3.0 and then will be
removed.
Signed-off-by: 0x0916 <w@laoqinren.net>
This patch wipe all references to lxc.network{[i]}.*
and replace with lxc.net.{[i]}.* in templates, documentation
and configuration files.
Signed-off-by: 0x0916 <w@laoqinren.net>
Ever since 8eb62c2, systemd has not been able to cleanly stop lxc
containers (via lxc@) because it's still using SIGPWR for systemd-based
containers.
We should now use the nice logic in 330ae3d to stop the containers
instead.
Signed-off-by: JD Friedrikson <yours@decompo.site>
The code in conf will bind-mount a /dev/pts/<n> device over a dummy regular
/dev/console file. If users really want /dev/console bind-mount from the host
they can request it explicitly in the containers config file. This change will
have no effect on current LX{C,D} behavior since we (as said above) overmount
the /dev/console bind-mount anyway.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
I found that even though the service lxc-net failed to start because I made some wrong configuration
settings the command exists zero.
So systemd reports the status of the service as good even though it failed:
# service lxc-net status
● lxc-net.service - LXC network bridge setup
Loaded: loaded (/lib/systemd/system/lxc-net.service; enabled)
Active: active (exited) since Wed 2017-02-08 08:17:32 EST; 21min ago
Process: 529 ExecStart=/usr/lib/x86_64-linux-gnu/lxc/lxc-net start (code=exited, status=0/SUCCESS)
Main PID: 529 (code=exited, status=0/SUCCESS)
CGroup: /system.slice/lxc-net.service
Feb 08 08:17:30 dvm2 systemd[1]: Starting LXC network bridge setup...
Feb 08 08:17:32 dvm2 lxc-net[529]: dnsmasq: failed to create listening socket for 10.2.2.1: Address already in use
Feb 08 08:17:32 dvm2 lxc-net[529]: Failed to setup lxc-net.
Feb 08 08:17:32 dvm2 systemd[1]: Started LXC network bridge setup.
Adding `exit 1` here makes it exit non-zero to make systemd recognize the failure.
Signed-off-by: Carsten Brandt <mail@cebe.cc>
otherwise init might try to start the containers before cgroupfs was
mounted.
Debian-Bug: https://bugs.debian.org/850212
Signed-off-by: Evgeni Golov <evgeni@debian.org>
