KATOH Yasufumi
d0b2a43477
doc: Add the description of lxc.hook.stop to Japanese lxc.container.conf(5)
...
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2015-10-29 17:45:49 -04:00
Sungbae Yoo
06ce392132
doc: Add lxc.ephemeral in Korean lxc.container.conf(5)
...
Update for commit 4e6eb26
Signed-off-by: Sungbae Yoo <sungbae.yoo@samsung.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2015-10-29 17:45:47 -04:00
Sungbae Yoo
73740a136b
doc: Add the note related mount in Korean lxc.container.conf(5)
...
Update for commit 592fd47
Signed-off-by: Sungbae Yoo <sungbae.yoo@samsung.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2015-10-07 16:39:46 +01:00
Sungbae Yoo
5901bc7919
doc: Add the common and '-s' option in Korean lxc-destroy(1)
...
Update for commit 3635c5e
Signed-off-by: Sungbae Yoo <sungbae.yoo@samsung.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2015-10-07 16:39:44 +01:00
KATOH Yasufumi
7346eb3aab
doc: Add lxc.ephemeral in Japanese lxc.container.conf(5)
...
Update for commit 4e6eb26
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2015-10-07 16:39:42 +01:00
Wolfgang Bumiller
0a2b5ab1e7
document the stop hook
...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2015-10-07 16:38:12 +01:00
KATOH Yasufumi
2c79e91b4b
doc: Add the note related mount in Japanese lxc.container.conf(5)
...
Update for commit 592fd47
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2015-10-05 11:49:25 +01:00
Christian Brauner
4e6eb26bf0
Add lxc.ephemeral to lxc.container.conf manpage
...
Signed-off-by: Christian Brauner <christianvanbrauner@gmail.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2015-10-05 11:47:16 +01:00
Serge Hallyn
592fd47a62
CVE-2015-1335: Protect container mounts against symlinks
...
When a container starts up, lxc sets up the container's initial fstree
by doing a bunch of mounting, guided by the container configuration
file. The container config is owned by the admin or user on the host,
so we do not try to guard against bad entries. However, since the
mount target is in the container, it's possible that the container admin
could divert the mount with symbolic links. This could bypass proper
container startup (i.e. confinement of a root-owned container by the
restrictive apparmor policy, by diverting the required write to
/proc/self/attr/current), or bypass the (path-based) apparmor policy
by diverting, say, /proc to /mnt in the container.
To prevent this,
1. do not allow mounts to paths containing symbolic links
2. do not allow bind mounts from relative paths containing symbolic
links.
Details:
Define safe_mount which ensures that the container has not inserted any
symbolic links into any mount targets for mounts to be done during
container setup.
The host's mount path may contain symbolic links. As it is under the
control of the administrator, that's ok. So safe_mount begins the check
for symbolic links after the rootfs->mount, by opening that directory.
It opens each directory along the path using openat() relative to the
parent directory using O_NOFOLLOW. When the target is reached, it
mounts onto /proc/self/fd/<targetfd>.
Use safe_mount() in mount_entry(), when mounting container proc,
and when needed. In particular, safe_mount() need not be used in
any case where:
1. the mount is done in the container's namespace
2. the mount is for the container's rootfs
3. the mount is relative to a tmpfs or proc/sysfs which we have
just safe_mount()ed ourselves
Since we were using proc/net as a temporary placeholder for /proc/sys/net
during container startup, and proc/net is a symbolic link, use proc/tty
instead.
Update the lxc.container.conf manpage with details about the new
restrictions.
Finally, add a testcase to test some symbolic link possibilities.
Reported-by: Roman Fiedler
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2015-09-29 09:52:55 -04:00
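The component-by-component walk that the commit message above describes for safe_mount, as an added C example; it is not LXC's code. The names `open_without_symlinks`, `make_fixture` and `fixture` are hypothetical, the rejection of `..` is an extra assumption of this example, and the function stops at returning the descriptor instead of mounting onto it.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `rel` beneath `root` one component at a time with O_NOFOLLOW, so a
 * symlink planted anywhere inside the container tree makes the walk fail.
 * `root` itself is opened normally: the host side of the path is trusted.
 * Returns a directory fd for the target, or -1. */
int open_without_symlinks(const char *root, const char *rel)
{
    char buf[PATH_MAX], *save = NULL, *comp;
    if (strlen(rel) >= sizeof(buf)) return -1;
    strcpy(buf, rel);
    int fd = open(root, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    for (comp = strtok_r(buf, "/", &save); fd >= 0 && comp;
         comp = strtok_r(NULL, "/", &save)) {
        /* ".." is refused as well: an assumption added by this example */
        int next = strcmp(comp, "..") == 0 ? -1
                 : openat(fd, comp, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
        close(fd);
        fd = next;
    }
    return fd; /* a caller would now mount onto /proc/self/fd/<fd> */
}

/* Constructed fixture: proc/ and mnt/sub/ are real directories,
 * evil is a symlink to mnt. Returns 0 on success. */
char fixture[] = "/tmp/safe-mount-XXXXXX";
int make_fixture(void)
{
    if (!mkdtemp(fixture)) return -1;
    int d = open(fixture, O_RDONLY | O_DIRECTORY);
    if (d < 0) return -1;
    int rc = mkdirat(d, "proc", 0755) || mkdirat(d, "mnt", 0755) ||
             mkdirat(d, "mnt/sub", 0755) || symlinkat("mnt", d, "evil");
    close(d);
    return rc ? -1 : 0;
}

int main(void)
{
    if (make_fixture() != 0) return 1;
    printf("proc: %s\n", open_without_symlinks(fixture, "proc") >= 0 ? "opened" : "refused");
    printf("evil/sub: %s\n", open_without_symlinks(fixture, "evil/sub") >= 0 ? "opened" : "refused");
    return 0;
}
```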
Sungbae Yoo
76072aec5c
doc: Update Korean lxc-snapshot(1) for newname option
...
Update for commit dedd4f6
Signed-off-by: Sungbae Yoo <sungbae.yoo@samsung.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2015-09-21 11:32:07 -04:00
Sungbae Yoo
5033e12328
doc: Add lxc.init_(uid|gid) in Korean lxc.container.conf(5)
...
update for commit dbca923
Signed-off-by: Sungbae Yoo <sungbae.yoo@samsung.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2015-09-21 11:31:43 -04:00
Sungbae Yoo
3703aa9e73
doc: Update Korean lxc.cgroup.use in lxc.system.conf(5)
...
Update for commit 2d8632d
Signed-off-by: Sungbae Yoo <sungbae.yoo@samsung.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2015-09-21 11:31:22 -04:00
Sungbae Yoo
0a05624e82
doc: Add the rename option to lxc-clone(1) in Korean manual
...
Update for commit 585f3c6
Signed-off-by: Sungbae Yoo <sungbae.yoo@samsung.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2015-09-21 11:30:45 -04:00
Sungbae Yoo
b7349f15f7
doc: Add LXC-specific mount option in Korean lxc.container.conf(5)
...
Update for commit f5b67b3
Signed-off-by: Sungbae Yoo <sungbae.yoo@samsung.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2015-09-21 11:30:14 -04:00
KATOH Yasufumi
7c3d395052
doc: Update Japanese lxc-snapshot(1) for newname option
...
Update for commit dedd4f6
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2015-09-21 11:29:49 -04:00
KATOH Yasufumi
7ee64c0f21
doc: Add lxc.init_(uid|gid) in Japanese lxc.container.conf(5)
...
update for commit dbca923
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2015-09-21 11:29:25 -04:00
KATOH Yasufumi
3635c5eee8
doc: Add the common and '-s' option in lxc-destroy(1)
...
* Add the description of '-s' option
* Remove '-P' option, and add common options
* Improve Japanese translation
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2015-09-21 11:28:49 -04:00
KATOH Yasufumi
b332333b43
doc: Add LXC-specific mount option in Japanese lxc.container.conf(5)
...
Add the description of optional, create=file/dir for lxc.mount.entry.
This is update for commit f5b67b3.
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2015-09-21 11:27:06 -04:00
Christian Brauner
dedd4f6771
Adapt manpage for lxc-snapshot
...
Signed-off-by: Christian Brauner <christianvanbrauner@gmail.com>
2015-08-28 18:57:49 +02:00
Stéphane Graber
c804bedf8b
Merge pull request #585 from ptoomey3/lxc-execute-as-user
...
Add support for specified UID/GID for lxc-execute in a private user namespace
2015-08-28 11:23:13 -04:00
Patrick Toomey
dbca9237db
Update english docs for new lxc.init_uid and lxc.init_gid options
...
Signed-off-by: Patrick Toomey <ptoomey3@biasedcoin.com>
2015-08-28 08:25:23 -06:00
Stéphane Graber
0ab45a162e
Merge pull request #617 from alkino/master
...
A little bit of refactor and doc
2015-08-27 16:58:06 -04:00
Stéphane Graber
d4b36defec
Merge pull request #631 from alkino/doc
...
Add long option for -P in documentation
2015-08-27 16:34:00 -04:00
KATOH Yasufumi
2d8632d5b7
doc: Update lxc.cgroup.use in lxc.system.conf(5)
...
LXC now uses lxc.cgroup.use even when cgmanager is used.
So remove the description for the case of using cgmanager.
And add the case of not specifying it.
This commit only updates en and ja man pages.
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2015-08-27 16:10:36 -04:00
Nicolas Cornu
f5b67b36e2
Add doc for optional, create=dir and create=file in lxc.container.conf man
...
Signed-off-by: Nicolas Cornu <ncornu@aldebaran.com>
2015-08-14 17:59:09 +02:00
Nicolas Cornu
3519a99c82
Add long option for -P in documentation
...
Signed-off-by: Nicolas Cornu <ncornu@aldebaran.com>
2015-08-14 17:57:53 +02:00
KATOH Yasufumi
585f3c6b69
doc: Add the rename option to lxc-clone(1)
...
Update Japanese and English man pages.
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2015-08-13 16:30:41 -04:00
Sungbae Yoo
2aeb28ec17
doc: Add the description for --version to Korean common_options
...
Update for commit 7cab33b
Signed-off-by: Sungbae Yoo <sungbae.yoo@samsung.com>
2015-08-04 18:16:14 +09:00
Sungbae Yoo
347597fa53
doc: Add the description for -P and --version to Korean lxc-ls(1)
...
Update for commit 2cf7c05
Signed-off-by: Sungbae Yoo <sungbae.yoo@samsung.com>
2015-08-04 18:15:18 +09:00
Sungbae Yoo
996d777025
doc: Update Korean lxc-usernet(5) for supporting usergroups
...
Update for commit 1940bff
Signed-off-by: Sungbae Yoo <sungbae.yoo@samsung.com>
2015-08-04 09:26:41 +09:00
KATOH Yasufumi
7b4a6f9779
doc: Remove unnecessary common options from lxc-user-nic(1)
...
lxc-user-nic command cannot use common options.
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
2015-08-03 16:42:38 +09:00
KATOH Yasufumi
7cab33b107
doc: Add the description for --version to English and Japanese common_options
...
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
2015-08-03 16:40:13 +09:00
KATOH Yasufumi
2cf7c05abe
doc: Add the description for -P and --version to English and Japanese lxc-ls(1)
...
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
2015-08-03 16:28:33 +09:00
Christian Brauner
a4cd509bd8
Add -P lxcpath and --version to lxc-ls manpage
...
lxc-ls takes -P lxcpath and --version as arguments but it did not specify these
options on the manpages.
Signed-off-by: Christian Brauner <christianvanbrauner@gmail.com>
2015-08-01 17:05:56 +02:00
KATOH Yasufumi
b0c8058323
doc: Update Japanese lxc-usernet(5) for supporting usergroups
...
Update for commit 1940bff, and fix typo in English man
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2015-06-30 15:17:30 -04:00
Stéphane Graber
82e4093384
Merge pull request #561 from ysbnim/kor_manual
...
Add Korean man pages
2015-06-30 15:00:53 -04:00
Serge Hallyn
2c7a50081b
Merge pull request #517 from hkjolhede/master
...
Added support for groups in lxc-usernet
2015-06-23 16:10:26 -05:00
Sungbae Yoo
51fded061a
doc: Translate untranslated section titles in Japanese man pages
...
Signed-off-by: Sungbae Yoo <sungbae.yoo@samsung.com>
2015-06-12 10:29:58 +09:00
Sungbae Yoo
2b371b262f
doc: Add Korean man pages
...
Signed-off-by: Sungbae Yoo <sungbae.yoo@samsung.com>
2015-06-11 20:08:58 +09:00
Henrik Kjölhede
21002b3950
Fixed memory checks and faulty loop in get_alloted according to comments
...
Signed-off-by: Henrik Kjölhede <hkjolhede@gmail.com>
2015-06-09 22:25:16 +02:00
Henrik Kjölhede
1940bff4d2
Updated the documentation
...
Signed-off-by: Henrik Kjölhede <hkjolhede@gmail.com>
2015-06-04 22:22:54 +02:00
KATOH Yasufumi
de0dc53307
doc: Add the description of lxc.hook.destroy in Japanese lxc.container.conf(5)
...
Update for commit 37cf711
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2015-06-02 19:05:20 -04:00
KATOH Yasufumi
5a56eeb64d
doc: Add the description of macvlan passthru mode in Japanese lxc.container.conf(5)
...
Update for commit c15ea60
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2015-05-26 13:04:26 -04:00
KATOH Yasufumi
3ae656b54b
doc: Update the description of -L option in lxc-autostart(1)
...
Add the description about displaying the value of wait delays for -L
option
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2015-05-26 13:01:46 -04:00
KATOH Yasufumi
4db216f75b
doc: Fix the mistranslation about lxc.group in Japanese lxc.container.conf(5)
...
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2015-05-26 13:01:43 -04:00
Stéphane Graber
1e2eb3f4e6
Merge pull request #536 from regit/passthru-v1.2
...
Passthru v1.2
2015-05-25 11:51:07 -04:00
Eric Leblond
c15ea60706
doc: add 'macvlan' 'passthru' mode
...
This patch also rewords the macvlan section which was hard to read.
Signed-off-by: Eric Leblond <eric@regit.org>
2015-05-25 17:42:40 +02:00
Sungbae Yoo
37cf711b28
config : add lxc.hook.destroy option
...
Signed-off-by: Sungbae Yoo <sungbae.yoo@samsung.com>
2015-05-14 09:00:35 +09:00
KATOH Yasufumi
56e4a18564
Add the use of 'attach' to lxc-start-ephemeral(1)
...
Update for commit 8158c05
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2015-04-06 12:12:10 -04:00
KATOH Yasufumi
8128cf4210
doc: Add '--storage-type' option to lxc-start-ephemeral(1)
...
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2015-04-06 12:12:10 -04:00