lxc-user-nic now returns the names of the interfaces and
unpriv_assign_nic function parses that information to fill
missing netdev->veth_attr.pair and netdev->name.
With this patch get_running_config_item started to provide
correct information;
>>> import lxc; c = lxc.Container("rubik"); c.get_running_config_item("lxc.network.0.name"); c.get_running_config_item("lxc.network.0.veth.pair");
'eth0'
'veth9MT2L4'
>>>
and lxc-info started to show network stats;
lxc-info -n rubik
Name: rubik
State: RUNNING
PID: 23061
IP: 10.0.3.233
CPU use: 3.86 seconds
BlkIO use: 88.00 KiB
Memory use: 6.53 MiB
KMem use: 0 bytes
Link: veth9MT2L4
TX bytes: 3.45 KiB
RX bytes: 8.83 KiB
Total bytes: 12.29 KiB
Signed-off-by: S.Çağlar Onur <caglar@10ur.org>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
also fix the check if the string will fit the local buffer
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
The kernel's Documentation/devices.txt says that these symlinks should
exist in /dev (they are listed in the "Compulsory" section). I'm not
currently adding nfsd and X0R since they are required for iBCS, but
they can be easily added to the array later if need be.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Michael H. Warfield <mhw@WittsEnd.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This update will make it work unprivileged as well as testing a few of
the new functions.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
With this change, systems that support it will use attach to run any
provided command.
This doesn't change the default behaviour of attaching to tty1, but it
does make it much easier to script or even get a quick shell with:
lxc-start-ephemeral -o p1 -n p2 -- /bin/bash
I'm doing the setgid,initgroups,setuid,setenv magic in python rather
than using the attach_wait parameters as I need access to the pwd module
in the target namespace to grab the required information.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
We used to do chdir(path), chroot(path). That's correct but not properly
handled by coverity, so do chroot(path), chdir("/") instead as that's the
recommended way.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This allows lxc-snapshot and lxc-clone -s from an overlayfs container
to work unprivileged. (lxc-clone -s from a directory backed container
already did work)
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Also don't use arm arch if not defined
This *should* fix build on precise, but I didn't fire one off.
I did test that builds with libseccomp2 still work as expected.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
v2 allows specifying system calls by name, and specifying
architecture. A policy looks like:
2
whitelist
open
read
write
close
mount
[x86]
open
read
Also use SCMP_ACT_KILL by default rather than SCMP_ACT_ERRNO(31) -
which confusingly returns 'EMLINK' on x86_64. Note this change
is also done for v1 as I think it is worthwhile.
With this patch, I can in fact use a seccomp policy like:
2
blacklist
mknod errno 0
after which 'sudo mknod null c 1 3' silently succeeds without
creating the null device.
changelog v2:
add blacklist support
support default action
support per-rule action
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
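The v2 policy format described in the commit above (a version line, a whitelist/blacklist mode line, syscall names, optional [arch] sections and optional per-rule actions such as "mknod errno 0") is small enough to parse in a few dozen lines. The following Python is an added example, not LXC's own parser: it reads the two policies quoted in the commit, applies the commit's defaults (unlisted syscalls are killed under a whitelist; listed syscalls are killed under a blacklist unless a rule names another action), and answers "what would happen to this syscall on this architecture". Comment lines starting with "#", the "all" section name, an optional default action on the mode line, and the action vocabulary allow/kill/trap/errno are assumptions of this example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

# Constructed samples: the two policies quoted in the commit message above.
WHITELIST_POLICY = """2
whitelist
open
read
write
close
mount
[x86]
open
read
"""

BLACKLIST_POLICY = """2
blacklist
mknod errno 0
"""

ACTIONS = ("allow", "kill", "trap", "errno")   # assumed action vocabulary


@dataclass
class Rule:
    syscall: str
    action: str                 # one of ACTIONS
    errno: Optional[int] = None  # only meaningful when action == "errno"


@dataclass
class Policy:
    version: int
    mode: str                    # "whitelist" or "blacklist"
    default_action: str          # applied to syscalls no rule matches
    default_errno: Optional[int]
    rules: dict[str, list[Rule]] = field(default_factory=dict)  # arch -> rules; "all" = every arch


def parse_action(tokens: list[str], fallback: str, fallback_errno: Optional[int]):
    """Parse an optional action suffix such as 'errno 0' or 'kill'; use the fallback when absent."""
    if not tokens:
        return fallback, fallback_errno
    act = tokens[0]
    if act == "errno":
        if len(tokens) != 2 or not tokens[1].isdigit():
            raise ValueError("errno action needs exactly one numeric argument")
        return "errno", int(tokens[1])
    if act in ACTIONS and len(tokens) == 1:
        return act, None
    raise ValueError(f"unknown action {tokens!r}")


def parse_policy(text: str) -> Policy:
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("#")]  # '#' comments: assumption
    if len(lines) < 2 or lines[0] != "2":
        raise ValueError("only version 2 policies are handled by this example")
    head = lines[1].split()
    mode = head[0]
    if mode not in ("whitelist", "blacklist"):
        raise ValueError(f"unknown policy mode {mode!r}")
    # Defaults from the commit: SCMP_ACT_KILL for anything a whitelist does not name,
    # and for anything a blacklist does name; an optional action after the mode word
    # overrides the default (assumed syntax, e.g. "blacklist errno 0").
    default_action, default_errno = parse_action(
        head[1:], "kill" if mode == "whitelist" else "allow", None)
    rule_action = "allow" if mode == "whitelist" else "kill"
    policy = Policy(2, mode, default_action, default_errno)
    arch = "all"
    for ln in lines[2:]:
        if ln.startswith("[") and ln.endswith("]"):
            arch = ln[1:-1].strip()          # "[x86]" opens a per-architecture section
            continue
        toks = ln.split()
        action, errno = parse_action(toks[1:], rule_action, None)
        policy.rules.setdefault(arch, []).append(Rule(toks[0], action, errno))
    return policy


def decide(policy: Policy, arch: str, syscall: str):
    """Return the (action, errno) the policy applies to one syscall on one architecture."""
    for section in (arch, "all"):            # arch-specific rules first, then the common ones
        for rule in policy.rules.get(section, []):
            if rule.syscall == syscall:
                return rule.action, rule.errno
    return policy.default_action, policy.default_errno


if __name__ == "__main__":
    p = parse_policy(WHITELIST_POLICY)
    print("whitelist, mknod on x86_64:", decide(p, "x86_64", "mknod"))   # ('kill', None)
    b = parse_policy(BLACKLIST_POLICY)
    print("blacklist, mknod on x86_64:", decide(b, "x86_64", "mknod"))   # ('errno', 0)
```

The blacklist result is exactly the behaviour the commit describes: mknod returns errno 0, so the caller sees success while no device node is created, which is why the kill default matters for anything a policy does not explicitly soften.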
This is pretty much copy/paste from overlayfs.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This allows running lxc-start-ephemeral using overlayfs. aufs remains
blocked as it hasn't been looked at and patched to work in the kernel at
this point (not sure if it ever will).
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
The previous check for access to rootfs->path failed in the case of
overlayfs or loop backing stores. Instead just check early on for
access to lxcpath.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
If on Ubuntu, then match the host's own architecture, this should allow
for our tests to pass on the armhf CI environment.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Also make sure to chown the new rootfs path to the container owner.
This is how we make sure that the container root is allowed to write
under delta0.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This allows older distros to override /run with whatever their own path
is, mostly useful for old RedHat and possibly Android.
Reported-by: Robert Vogelgesang <vogel@users.sourceforge.net>
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Instead force a copy clone. Else if the user makes a change
to the original container, the snapshot will be affected.
The user should first create a snapshot clone, then use
and snapshot that clone while leaving the original container
untouched.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
With this patch, if an unprivileged user has $HOME 700 or
750 and does
lxc-start -n c1
he'll see an error like:
lxc_container: Permission denied - could not access /home/serge. Please grant it 'x' access, or add an ACL for the container root.
(This addresses bug pad.lv/1277466)
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
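The check the commit above adds is a path-walk: every directory between the lxcpath and the filesystem root must carry search ('x') permission for the uid the container root is mapped to, otherwise the unprivileged container cannot reach its own rootfs. The Python below is an added illustration of that walk, not LXC's code: it evaluates the mode bits of each component for a given uid/gid (POSIX ACLs and supplementary groups, which the real message mentions as an alternative, are deliberately not consulted), stops at the first directory that denies search, and formats the same message the commit prints. The 100000 uid offset and the home directory layout are constructed sample values.

```python
import os
import stat
import tempfile


def has_search_permission(st: os.stat_result, uid: int, gid: int) -> bool:
    """Evaluate a directory's mode bits for uid/gid. ACLs and supplementary
    groups are not consulted, so this is the conservative bit-level view."""
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IXUSR)
    if st.st_gid == gid:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)


def first_untraversable(base: str, rel_path: str, uid: int, gid: int):
    """Walk rel_path below base; return the first directory uid/gid cannot
    search, or None when the whole path is traversable."""
    cur = base
    for part in rel_path.strip("/").split("/"):
        if not part:
            continue
        cur = os.path.join(cur, part)
        st = os.stat(cur)
        if stat.S_ISDIR(st.st_mode) and not has_search_permission(st, uid, gid):
            return cur
    return None


def error_message(path: str) -> str:
    """The wording printed by the commit above."""
    return (f"lxc_container: Permission denied - could not access {path}. "
            "Please grant it 'x' access, or add an ACL for the container root.")


def demo() -> dict:
    """Three constructed home directories (700, 750, 711) checked for a mapped uid."""
    uid = os.getuid() + 100000   # constructed: first id of a typical unprivileged map
    gid = os.getgid() + 100000
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode in (("serge", 0o700), ("alice", 0o750), ("bob", 0o711)):
            home = os.path.join(tmp, "home", name)
            os.makedirs(os.path.join(home, ".local", "share", "lxc"))
            for sub in (".local", ".local/share", ".local/share/lxc"):
                os.chmod(os.path.join(home, sub), 0o755)   # keep the lxcpath itself open
            os.chmod(home, mode)
        os.chmod(os.path.join(tmp, "home"), 0o755)
        results = {}
        for name in ("serge", "alice", "bob"):
            hit = first_untraversable(tmp, f"home/{name}/.local/share/lxc", uid, gid)
            results[name] = None if hit is None else os.path.relpath(hit, tmp)
        return results


if __name__ == "__main__":
    for user, blocked in demo().items():
        print(user, "->", "ok" if blocked is None else error_message("/" + blocked))
```

The 750 case fails for the same reason as 700: the mapped container uid is neither the owner nor in the owning group, so only the "other" bits count, and neither mode sets x there. Granting 711 (or an ACL for the mapped uid) is the minimal fix the message suggests.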
The goal is to avoid an absolute symlink in the guest redirecting
us to the host's /dev. Thanks to the libvirt team for considering
that possibility!
We want to work on kernels which do not support setns, so we simply
chroot into the container before doing any rm/mknod. If /dev/vda5
is a symlink to /XXX, or /dev is a symlink to /etc, this is now
correctly resolved locally in the chroot.
We would have preferred to use realpath() to check that the resolved
path is not changed, but realpath across /proc/pid/root does not
work as expected.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
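The hazard described in the commit above is that an absolute symlink inside a guest rootfs (for example /dev pointing at /etc, or /dev/vda5 pointing at some host path) is resolved against the host's root when the host process follows it, so an rm or mknod intended for the guest lands on the host. LXC's fix is to chroot into the container first. The Python below is an added illustration of the same idea without needing root or setns: it resolves a guest path by hand, re-rooting every absolute link target at the rootfs, and contrasts that with a plain host-side realpath() on a throwaway rootfs containing a constructed /dev -> /etc link. It is example code, not LXC's implementation; the 40-link limit mirrors the usual kernel bound and is an assumption here.

```python
import os
import tempfile


def resolve_in_rootfs(rootfs: str, guest_path: str, max_links: int = 40) -> str:
    """Resolve guest_path (absolute, as seen inside the container) to a host path,
    following symlinks but treating every absolute link target as relative to
    rootfs, so a link such as /dev -> /etc can never leave the container tree."""
    rootfs = os.path.abspath(rootfs)
    pending = [p for p in guest_path.split("/") if p and p != "."]
    resolved = []        # guest-relative components already resolved
    hops = 0
    while pending:
        name = pending.pop(0)
        if name == "..":
            if resolved:
                resolved.pop()   # ".." at the guest root stays at the guest root
            continue
        candidate = resolved + [name]
        host = os.path.join(rootfs, *candidate)
        if os.path.islink(host):
            hops += 1
            if hops > max_links:
                raise OSError("too many levels of symbolic links")
            target = os.readlink(host)
            if target.startswith("/"):
                resolved = []    # absolute target: re-root at the container's /
            pending = [p for p in target.split("/") if p and p != "."] + pending
            continue
        resolved = candidate
    return os.path.join(rootfs, *resolved) if resolved else rootfs


def demo() -> dict:
    """Build a throwaway rootfs with a hostile /dev -> /etc link and compare both resolutions."""
    with tempfile.TemporaryDirectory() as tmp:
        rootfs = os.path.join(tmp, "rootfs")
        os.makedirs(os.path.join(rootfs, "etc"))
        os.symlink("/etc", os.path.join(rootfs, "dev"))   # constructed absolute guest symlink
        naive = os.path.realpath(os.path.join(rootfs, "dev", "null"))  # host-side resolution
        confined = resolve_in_rootfs(rootfs, "/dev/null")
        return {
            "naive": naive,
            "naive_inside": naive.startswith(rootfs + os.sep),
            "confined_inside": confined.startswith(rootfs + os.sep),
            "confined_guest_path": "/" + os.path.relpath(confined, rootfs),
        }


if __name__ == "__main__":
    r = demo()
    print("host realpath escapes rootfs:", r["naive"], "inside:", r["naive_inside"])
    print("confined resolution stays at guest path:", r["confined_guest_path"])
```

The naive path ends up under the host's /etc, which is exactly where a mknod or rm would have acted; the confined resolution maps the same guest name to rootfs/etc/null. A chroot achieves the same containment at the kernel level, and unlike this user-space walk it is not racy against a guest that rewrites the link between the check and the operation, which is why the commit chooses chroot over realpath().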
This fixes a crash in lxc-autostart following the addition of
lxc_log_init as lxc-autostart doesn't use the name property.
Signed-off-by: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>