As there is a function named attach_interface to pass
a interface to container now, we do not need to relay on
python impolementation for lxc-device any more.
changelog: 10/15/2014: serge: fail immediately if run as non-root.
changelog: 10/15/2014: serge: add explicit error message on bad usage (fix build failure)
Signed-off-by: Dongsheng Yang <yangds.fnst@cn.fujitsu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Changelog: 10/15/2014: serge: make ifname mandatory for detach_interface.
Signed-off-by: Dongsheng Yang <yangds.fnst@cn.fujitsu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Currently, we depends on ip command to attach interface to container.
It means we only implemented it by python.
This patch implement adding and removing interface by c and added
them in struct container.
Changelog: 10/15/2014 (serge): return error if ifname is NULL.
Signed-off-by: Dongsheng Yang <yangds.fnst@cn.fujitsu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Function of enter_to_ns() is useful but currently is static for
lxccontainer.c.
This patch split it into two parts named as switch_to_newuser()
and switch_to_newnet() into utils.c.
Signed-off-by: Dongsheng Yang <yangds.fnst@cn.fujitsu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
When we need to know some info about a netdev, such as is_up or not,
we need to read the flag for the netdev.
This patch introduce a interface function named lxc_netdev_isup()
to check is a netdev up or down.
And introduce a network private function named netdev_get_flag()
to get flag for netdev by netlink.
Changelog: 10/15/2015: Return failure if name==NULL to avoid later strlen fun
Signed-off-by: Dongsheng Yang <yangds.fnst@cn.fujitsu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
In netlink, we can set the dest_name of netdev when move netdev
between namespaces in one netlink request. And moving a netdev of
a src_name to a netdev with a dest_name is a common usecase.
So this patch add a parametaer to lxc_network_move_by_index() to
indicate the dest_name for the movement. NULL means same with
the src_name.
Signed-off-by: Dongsheng Yang <yangds.fnst@cn.fujitsu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
We should exit with a error when starting a running container.
Signed-off-by: Dongsheng Yang <yangds.fnst@cn.fujitsu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
When we want to get index of a ifname which does not
exist, we should return a -EINVAL in this case.
Signed-off-by: Dongsheng Yang <yangds.fnst@cn.fujitsu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
We should not modify ifname in lxc_netdev_move_by_name(),
making it as const in param list will make our code more
robust.
Signed-off-by: Dongsheng Yang <yangds.fnst@cn.fujitsu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
the way config_mount was structured, sending 'lxc.mount.auto = '
ended up actually clearing all lxc.mount.entrys. Fix that by
moving the check for an empty value to after the subkey checks.
Then, actually do the clearing of auto_mounts in config_mount_auto.
The 'strlen(subkey)' check being removed was bogus - the subkey
either known to be 'lxc.mount.entry', else subkey would have been
NULL (and forced a return in the block above).
This would have been clearer if the config_mount() and helper
fns were structured like the rest of confile.c. It's tempting
to switch it over, but there are subtleties in there so it's
not something to do without a lot of thought and testing.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
- RHEL/OL 7 doesn't have the ifconfig command by default so have the
lxc-net script check for its existence before use, and fall back
to using the ip command if ifconfig is not available
- When lxc-net is run from systemd on a system with selinux enabled,
the mkdir -p ${varrun} will create /run/lxc as init_var_run_t which
dnsmasq can't write its pid into, so we restorecon it
after creation (to var_run_t)
- The lxc-net systemd .service file needs an [Install] section so that
"systemctl enable lxc-net" will work
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
If we don't close these running lxc-checkpoint via:
ssh host "sudo lxc-checkpoint ..."
just hangs. We leave stderr open so that subesquent errors will print correctly
(and also because for whatever reason it doesn't break ssh :).
Signed-off-by: Tycho Andersen <tycho.andersen at canonical.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Previously, we let criu create the cgroups for a container as it was restoring
things. In some cases (i.e. migration across hosts), if the container being
migrated was in /lxc/u1-3, it would be migrated to the target host in
/lxc/u1-3, even if there was no /lxc/u1-2 (or worse, if there was already an
alive container in u1-3).
Instead, we use lxc's cgroup_create, and then tell criu where to restore to.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
On Tue, Oct 07, 2014 at 07:33:07PM +0000, Tycho Andersen wrote:
> This commit is in preparation for the cgroups create work, since we will need
> the handler in both the parent and the child. This commit also re-works how
> errors are propagated to be less verbose.
Here is an updated version:
From 941623498a49551411ccf185146061f3f37d3a67 Mon Sep 17 00:00:00 2001
From: Tycho Andersen <tycho.andersen@canonical.com>
Date: Tue, 7 Oct 2014 19:13:51 +0000
Subject: [PATCH 1/2] restore: Hoist handler to function level
This commit is in preparation for the cgroups create work, since we will need
the handler in both the parent and the child. This commit also re-works how
errors are propagated to be less verbose.
v2: rename error to has_error, handle it correctly, and remove some diff noise
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This is in preparation for the cgroups creation work, but also probably just a
good idea in general. The ERROR message is handy since we print line nos. it
will to give people an indication of what arg was null.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
pivot_root can't be called if / is on a ramfs. Currently chroot is
called before pivot_root. In this case the standard well-known
'chroot escape' technique allows to escape a container.
I think the best way to handle this situation is to make following actions:
* clean all mounts, which should not be visible in CT
* move CT's rootfs into /
* make chroot into /
I don't have a host, where / is on a ramfs, so I can't test this patch.
Signed-off-by: Andrey Vagin <avagin@openvz.org>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
These all fix various ways that cgroup actions could fail if an
unprivileged user's cgroup paths were not all the same for all
controllers.
1. in cgm_{g,s}et, use the right controller, not the first in the list,
to get the cgroup path.
2. when we pass 'all' to cgmanager for a ${METHOD}_abs, make sure that all
cgroup paths are the same. That isn't necessary for methods not
taking an absolute path, so split up the former
cgm_supports_multiple_controllers() function into two booleans, one
telling whether cgm supports it, and another telling us whether
cgm supports it AND all controller cgroup paths are the same.
3. separately, do_cgm_enter with abs=true couldn't work if all
cgroup paths were not the same. So just ditch that helper and
call lxc_cgmanager_enter() where needed, because the special
cases would be more complicated.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Interfaces listed by `ip link list` are prefixed with the index
identifier. The pattern "^$BRNAME" does not match.
- dependencies to ifconfig and ip removed
- wait until interface flagged with IFF_UP
Ref: https://github.com/torvalds/linux/blob/master/include/uapi/linux/if.h
Signed-off-by: Joshua Brunner <j.brunner@nexbyte.com>
Restrict signal and ptrace for processes running under the container
profile. Rules based on AppArmor base abstraction. Add unix rules for
processes running under the container profile.
Signed-off-by: Jamie Strandboge <jamie@canonical.com>
Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
- move action() from common to sysvinit wrapper since its only really
applicable for sysvinit and not the other init systems
- fix bug in action() fallback, need to shift away msg before executing action
- make lxc-net 98 so it starts before lxc-container (99), otherwise the lxcbr0
won't be available when containers are autostarted
- make the default RUNTIME_PATH be /var/run instead of /run. On older
distros (like ol6.5) /run doesn't exist. lxc-net will create this directory
and attempt to create the dnsmasq.pid file in it, but this will fail when
SELinux is enabled because the directory will have the default_t type.
Newer systems have /var/run symlinked to /run so you get to the same place
in that case.
- add %postun to remove lxc-dnsmasq user when pkgs are removed
- fix bug in lxc-oracle template that was creating /var/lock/subsys/lxc as
a dir and interfering with the init scripts
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This commit is based on the work of:
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
A generic changelog would be:
- Bring support for lxcbr0 to all distributions
- Share the container startup and network configuration logic across
distributions and init systems.
- Have all the init scripts call the helper script.
- Support for the various different distro-specific configuration
locations to configure lxc-net and container startup.
Changes on top of Mike's original version:
- Remove sysconfig/lxc-net as it's apparently only there as a
workaround for an RPM limitation and is breaking Debian systems by
including a useless file which will get registered as a package provided
conffile in the dpkg database and will therefore cause conffile prompts
on upgrades...
- Go with a consistant coding style in the various init scripts.
- Split out the common logic from the sysvinit scripts and ship both in
their respective location rather than have them be copies.
- Fix the upstart jobs so they actually work (there's no such thing as
libexec on Debian systems).
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
With cgmanager, the cgroups are polled on demand, so these steps aren't needed.
However, with cgfs, lxc doesn't know about the cgroups for a container and so
it can't report any of the statistics about e.g. how much memory or CPU a
container is using.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
The ->checkpoint() API call didn't exit correctly if criu was killed by a
signal instead of exiting, so lxc-checkpoint didn't fail correctly as a result.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
- keep but rename the lua version as an example of how to use the lua API
- got rid of the fairly useless --max argument
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
To cover all the cases we have around, we need to:
- Attempt to use cgm if present (preferred)
- Attempt to use cgmanager directly over dbus otherwise
- Fallback to cgroupfs
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Otherwise the check will return false if securityfs was not mounted
by the container's configuration. In the past we let that quietly
proceed, but unconfined. Now that we restrict such container
starts, this caused lxc-test-apparmor to fail.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Dwight Engen <dwight.engen@oracle.com>
(Dwight, I took the liberty of adding your Ack but the code did
change a bit to continue passing the char *label from attach.
Tested that "lxc-start -n u1 -s lxc.aa_profile=p2; lxc-attach -n u1"
does attach you to the p2 profile)
Apparmor policies require mount restrictions to fullfill many of
their promises - for instance if proc can be mounted anywhere,
then 'deny /proc/sysrq-trigger w' prevents only accidents, not
malice.
The mount restrictions are not available in the upstream kernel.
We can detect their presence through /sys. In the past, when
we detected it missing, we would not enable apparmor. But that
prevents apparmor from helping to prevent accidents.
At the same time, if the user accidentaly boots a kernel which
has regressed, we do not want them starting the container thinking
they are more protected than they are.
This patch:
1. adds a lxc.aa_allow_incomplete = 1 container config flag. If
not set, then any container which is not set to run unconfined
will refuse to run. If set, then the container will run with
apparmor protection.
2. to pass this flag to the apparmor driver, we pass the container
configuration (lxc_conf) to the lsm_label_set hook.
3. add a testcase. To test the case were a kernel does not
provide mount restrictions, we mount an empty directory over
the /sys/kernel/security/apparmor/features/mount directory. In
order to have that not be unmounted in a new namespace, we must
test using unprivileged containers (who cannot remove bind mounts
which hide existing mount contents).
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This idea came from Andy Lutomirski. Instead of using a
temporary directory for the pivot_root put-old, use "." both
for new-root and old-root. Then fchdir into the old root
temporarily in order to unmount the old-root, and finally
chdir back into our '/'.
Drop lxc.pivotdir from the lxc.container.conf manpage.
Warn when we see a lxc.pivotdir entry (but keep it in the
lxc.conf for now).
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
quiet mode was overriden by the double call of lxc_log_init
see lxc_container_new
use lxc_log_options_no_override in order to fix this
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: William Dauchy <william@gandi.net>
