There is no such thing as security support for unstable/sid.
Signed-off-by: Antonio Terceiro <terceiro@debian.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This was originally used to propagate the bridge and veth names across
hosts, but now we extract both from the container's config file, and
nothing reads the files that dump_net_info() writes, so let's just get rid
of them.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Empty networks don't have anything (besides lo) for us to dump and restore,
so we should allow these as well.
Reported-by: Dietmar Maurer <dietmar@proxmox.com>
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Somehow our `make tags` target generates TAGS and not tags, so let's ignore
that too.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
reuse label cleanup since free(NULL) is a no-op
Signed-off-by: Arjun Sreedharan <arjun024@gmail.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
When setting lxc.network.veth.pair to get a fixed interface
name, the recreation of it after a reboot caused an EEXIST.
-) The reboot flag is now a three-state value. It's set to
1 to request a reboot, and 2 during a reboot until after
lxc_spawn where it is reset to 0.
-) If the reboot is set (!= 0) within instantiate_veth and
a fixed name is used, the interface is now deleted before
being recreated.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
- This enables the user to destroy a container with all its snapshots without
having to use lxc-snapshot first to destroy all snapshots. (The enum values
DESTROY and SNAP from the previous commit are reused here again.)
- Some unification regarding the usage of exit() and return has been done.
Signed-off-by: Christian Brauner <christianvanbrauner@gmail.com>
Passing the LXC_CLONE_KEEPNAME flag to do_lxcapi_clone() was not respected. We
wrap clear_unexp_config_line() and set_config_item_line() in an appropriate
if-condition.
Signed-off-by: Christian Brauner <christianvanbrauner@gmail.com>
- This commit adapts lxc-clone to be similar in usage and feel to the other
lxc-* executables. It builds on the previous extension of the lxc_argument
struct and now uses the default lxc_arguments_parse() function.
- Options which were not used have been removed.
- The LXC_CLONE_KEEPNAME flag was not respected in the previous version of
lxc-clone. The culprit is a missing if-condition in lxccontainer.c. As this
requires a change in one of the API functions in lxccontainer.c it will be
addressed in a follow-up commit.
Signed-off-by: Christian Brauner <christianvanbrauner@gmail.com>
- lxc_snapshot.c lacked necessary members in the associated lxc_arguments struct
in arguments.h. This commit extends the lxc_arguments struct to include
several parameters used by lxc-snapshot which allows a rewrite that is more
consistent with the rest of the lxc-* executables.
- All tests have been moved beyond the call to lxc_log_init() to allow for the
messages to be printed or saved.
- Some small changes to the my_args struct. (The enum task is set to
SNAP (for snapshot) per default and variables illustrating the usage of the
command line flags are written in all caps.)
- arguments.h has been extended to accommodate a rewrite of lxc-clone
Signed-off-by: Christian Brauner <christianvanbrauner@gmail.com>
Binding a directory at a different location in an ephemeral container is
currently not possible. Using a regular container, however, it is possible.
Signed-off-by: Christiaan Baartse <anotherhero@gmail.com>
zypper info's output is not usable for several reasons:
* it is localized -- there is no "Version: " in my output
* it shows results both from the repo and local system
So use plain rpm to determine whether the build is installed and if the proper
version is in place.
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
We need to specify which hashing algorithm was used to create the signature
we check.
Fixes #609
Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This commit adds an -R, --rename option to lxc-clone to rename a container. As
c->rename calls do_lxcapi_rename() which in turn calls do_lxcapi_clone() it
seemed best to implement it in lxc-clone rather than lxc-snapshot which also
calls do_lxcapi_clone(). Some additional unification regarding the usage of
return vs exit() in main() was done.
Signed-off-by: Christian Brauner <christianvanbrauner@gmail.com>
lxc-ls takes -P lxcpath and --version as arguments but it did not specify these
options on the manpages.
Signed-off-by: Christian Brauner <christianvanbrauner@gmail.com>
1) Two checks on amd64 for whether compat_ctx has already
been generated were redundant, as compat_ctx is generally
generated before entering the parsing loop.
2) With introduction of reject_force_umount the check for
whether the syscall has the same id on both native and
compat archs results in false behavior as this is an
internal keyword and thus produces a -1 on
seccomp_syscall_resolve_name_arch().
The result was that it was added to the native architecture
twice and never to the 32 bit architecture, causing it to
have no effect on 32 bit containers on 64 bit hosts.
3) I do not see a reason to care about whether the syscalls
have the same number on the two architectures. On the one
hand this check was there to avoid adding it to two archs
(and effectively leaving one arch unprotected), while on
the other hand it seemed to be okay to add it to the
same arch *twice*.
The entire architecture checking branches are now reduced to
three simple cases: 'native', 'non-native' and 'all'. With
'all' adding to both architectures regardless of the syscall
ID.
Also note that libseccomp had a bug in its architecture
checking, so architecture related filters weren't working as
expected before version 2.2.2, which may have contributed to
the confusion in the original architecture-related code.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
A user could otherwise over-mount /proc and prevent the apparmor profile
or selinux label from being written which combined with a modified
/bin/sh or other commonly used binary would lead to unconfined code
execution.
Reported-by: Roman Fiedler
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
This prevents an unprivileged user from using LXC to create arbitrary files
on the filesystem.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>