proxmox-mirrors/systemd
1
0
Fork 0
mirror of https://git.proxmox.com/git/systemd synced 2026-01-20 03:28:08 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
10,299 Commits 2 Branches 4 Tags 78 MiB
7b68d618a2
Commit Graph

46 Commits

Author SHA1 Message Date
Michal Schmidt
f2956e80c9 nspawn: assume stdout is always writable if it does not support epoll 
stdout can be redirected to a regular file. Regular files don't support epoll.
nspawn failed with: "Failed to register fds in epoll: Operation not permitted".

If stdout does not support epoll, assume it's always writable.
 2013-01-26 00:16:13 +01:00
Lennart Poettering
88d04e31ce nspawn: add audit caps to default set to keep 
Due to the brokeness of much of the userspace audit code we cannot
really start too many systems without the audit caps set. To make nspawn
easier to use just add the audit caps by default.

To boot up containers successfully the kernel's auditing needs to be
turned off still (use "audit=0" on the kernel command line), but at
least no manual caps have to be passed anymore.

In the long run auditing will be fixed for containers and ve virtualized
properly at which time it should be safe to enable these caps anyway.
 2013-01-18 18:23:20 +01:00
Zbigniew Jędrzejewski-Szmek
acbeb42770 nspawn: add --version 2013-01-11 16:03:49 -05:00
Lennart Poettering
57cb4adf4e nspawn: try to orderly shutdown container when receiving SIGTERM 2012-12-22 22:17:58 +01:00
Lennart Poettering
842f3b0fc9 nspawn: allow passing socket activation fds through nspawn 2012-12-22 22:17:58 +01:00
Lennart Poettering
51d88d1b4f nspawn: allow nspawn to be invoked without tty 
This allows invoking nspawn containers as systemd services, to create a
minimal, light-weight OS container solution for servers.
 2012-12-22 22:17:58 +01:00
Lennart Poettering
3c957acf86 nspawn: reset supplementary and main group id before entering nspawn 2012-11-22 00:45:22 +01:00
Zbigniew Jędrzejewski-Szmek
27407a01c6 nspawn: use automatic cleanup and provide debug info 
The documentation for --link-journal is also reworded.
 2012-10-02 14:56:26 +02:00
Lennart Poettering
963ddb917d log: fix repeated invocation of vsnprintf()/vaprintf() in log_struct() 
https://bugs.freedesktop.org/show_bug.cgi?id=55213
 2012-09-24 23:26:46 +02:00
Lennart Poettering
77e63fafa5 nspawn: document why we don't check resolv.conf mount errors 2012-09-21 16:55:56 +02:00
Lennart Poettering
d40361453b nspawn: we can't overmount /etc/localtime anymore since it's usually a symlink now 
Create the right symlink if possible for /etc/localtime
 2012-09-21 16:54:54 +02:00
Zbigniew Jędrzejewski-Szmek
89154bd4ac nspawn: fix memleak introduced with automatic cleanup 
6b2d0e8 introduced a memleak instead of fixing one.
Fix both.
 2012-09-16 16:33:20 +02:00
Zbigniew Jędrzejewski-Szmek
25ea79fe07 nspawn: use automatic cleanup for umask 2012-09-16 16:20:09 +02:00
Zbigniew Jędrzejewski-Szmek
ed8b7a3ee5 nspawn: _cleanup_free_ more 2012-09-16 16:20:09 +02:00
Zbigniew Jędrzejewski-Szmek
6b2d0e85dc nspawn: use automatic cleanup 
This one actually clears up a (totally harmless) memleak.
 2012-09-16 16:20:09 +02:00
Zbigniew Jędrzejewski-Szmek
ede89845a4 nspawn: mount tmpfs on /dev/shm 
Most things seem to function fine without /dev/shm, but it is expected
to be there (quoting linux/Documentation/filesystems/tmpfs.txt:
glibc 2.2 and above expects tmpfs to be mounted at /dev/shm for POSIX
shared memory (shm_open, shm_unlink)).

Since /tmp/ is already mounted as tmpfs, it would be enough to mkdir
/tmp/shm and chmod it. Mounting it separately has the advantage that
it can be easily remounted to change the quota.
 2012-09-16 16:20:09 +02:00
Lennart Poettering
d87be9b0af nspawn: handle poweroff/reboot nicely in containers 2012-09-05 16:23:41 -07:00
Lennart Poettering
3eabccc46c nspawn: don't provide /dev/rtc0 in the container 
Since RTCs are hardware devices and are very much shared resources we
should avoid to provide them in each container.
 2012-09-05 15:27:07 -07:00
Lennart Poettering
04bc4a3f47 nspawn: generate a new randomized boot ID for each container 2012-09-05 14:39:16 -07:00
Lennart Poettering
9c1c7f712d nspawn: if a file system comes pre-mounted, still do the read-only remounts 2012-09-05 14:16:41 -07:00
Lennart Poettering
014a9c777b nspawn: skip mounts if already mounted 2012-09-04 16:33:13 -07:00
Lennart Poettering
e65aec12ae nspawn: mount a clean instance of sysfs 2012-09-04 16:32:43 -07:00
Dave Reisner
4fc9982cb0 nspawn: add /dev FD symlinks in container setup 
This creates /dev/fd, /dev/stdin, /dev/stdout, /dev/stderr, and
/dev/core as symlinks to /proc on container creation. Except for
/dev/core, these are needed for shells like bash to be fully functional.
 2012-08-21 17:19:38 +02:00
Lennart Poettering
1e41be2015 nspawn,namespaces: make sure we recursively bind mount things in 
We want to make sure that everything from the host is also visible in
the sandbox.
 2012-08-13 16:25:03 +02:00
Lennart Poettering
b4c59701f8 nspawn: unset a few unnecessary params to mount() 2012-08-13 16:23:31 +02:00
Lennart Poettering
6f67a45d8e nspawn: inherit mounts from real root, don't propagate mounts to real root 2012-08-13 15:23:10 +02:00
Shawn Landden
0d0f0c50d3 log.h: new log_oom() -> int -ENOMEM, use it 
also a number of minor fixups and bug fixes: spelling, oom errors
that didn't print errors, not properly forwarding error codes,
few more consistency issues, et cetera
 2012-07-26 11:48:26 +02:00
Shawn Landden
669241a076 use "Out of memory." consistantly (or with "\n") 
glibc/glib both use "out of memory" consistantly so maybe we should
consider that instead of this.

Eliminates one string out of a number of binaries. Also fixes extra newline
in udev/scsi_id
 2012-07-25 11:23:57 +02:00
Lennart Poettering
db7feb7e9c nspawn: generate proper error messages in the child 2012-07-19 02:03:42 +02:00
Lennart Poettering
57fb9fb56d nspawn: introduce new --link-journal= switch to link container journals into host 2012-07-19 02:02:39 +02:00
Lennart Poettering
d05c5031ad unit: introduce %s specifier for the user shell 2012-07-16 12:34:54 +02:00
Lennart Poettering
5076f0ccfd nspawn: introduce new --capabilities= flag and make use of it in the nspawn test case 2012-06-28 14:05:16 +02:00
Kay Sievers
d2e54fae5c mkdir: append _label to all mkdir() calls that explicitly set the selinux context 2012-05-31 12:40:20 +02:00
Lennart Poettering
ec8927ca59 main: add configuration option to alter capability bounding set for PID 1 
This also ensures that caps dropped from the bounding set are also
dropped from the inheritable set, to be extra-secure. Usually that should
change very little though as the inheritable set is empty for all our uses
anyway.
 2012-05-24 04:00:56 +02:00
Kay Sievers
9eb977db5b util: split-out path-util.[ch] 2012-05-08 02:33:10 +02:00
Lennart Poettering
bc2f673ec2 nspawn: add --read-only switch 2012-04-25 15:11:20 +02:00
Lennart Poettering
2547bb414c nspawn: bind mount /etc/resolv.conf from the host by default 2012-04-25 15:08:00 +02:00
Lennart Poettering
144f0fc0c8 nspawn: add --uuid= switch to allow setting the machine id for the container 2012-04-22 14:48:21 +02:00
Lennart Poettering
0f0dbc46cc nspawn: add -b switch to automatically look for an init binary 2012-04-22 14:11:32 +02:00
Lennart Poettering
3a74cea5e4 nspawn: be more careful when initializing the hostname from the directory name 2012-04-22 01:01:22 +02:00
Lennart Poettering
f1e5dfe2c0 nspawn: make /dev/kmsg unavailable in the container, but allow access to /proc/kmsg 2012-04-22 00:32:53 +02:00
Kay Sievers
4d46fec56d remove MS_* which can not be combined with current kernel code 
MS_BIND|MS_MOVE can not be combined:
  do_mount()
    else if (flags & MS_BIND)
      do_loopback(&path, dev_name, flags & MS_REC);
    [...]
    else if (flags & MS_MOVE)
      do_move_mount(&path, dev_name);

MS_REMOUNT|MS_UNBINDABLE can not be combined:
  do_mount()
    if (flags & MS_REMOUNT)
      do_remount(&path, flags & ~MS_REMOUNT, mnt_flags, data_page);
    [...]
    else if (flags & (MS_SHARED | MS_PRIVATE | MS_SLAVE | MS_UNBINDABLE))
      do_change_type(&path, flags);
 2012-04-18 13:37:45 +02:00
Lennart Poettering
b562f5a57d build-sys: add stub makefiles to all subdirs to ease development with emacs 2012-04-13 21:37:59 +02:00
Lennart Poettering
9537eab070 nspawn: add missing include lines 2012-04-13 21:37:59 +02:00
Lennart Poettering
e58a12770c nspawn: fake /dev/kmsg and /proc/kmsg as fifo 2012-04-13 18:52:52 +02:00
Kay Sievers
dce818b390 move all tools to subdirs 2012-04-12 17:54:42 +02:00