git.proxmox.com Git - mirror_lxc.git/log
Christian Brauner [Mon, 7 Dec 2020 10:25:58 +0000 (11:25 +0100)]
macro: move MAX_GRBUF_SIZE
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Stéphane Graber [Wed, 2 Dec 2020 16:06:46 +0000 (11:06 -0500)]
Merge pull request #3589 from tych0/fix-nonet-cleanup
network: fix LXC_NET_NONE cleanup
Tycho Andersen [Wed, 2 Dec 2020 14:26:18 +0000 (06:26 -0800)]
network: fix LXC_NET_NONE cleanup
We have a case where we have a nested container with LXC_NET_NONE run
inside a container that's *also* got no network namespace (run by
lxc-usernsexec).
The "am I root" check in this function then does not suffice, since the
euid of the task is 0 but it does not have privilege over its network
namespace, and thus cannot do any of the restore operations:
lxc foo 20201201232059.271 TRACE network - network.c:lxc_restore_phys_nics_to_netns:3299 - Moving physical network devices back to parent network namespace
lxc foo 20201201232059.271 ERROR network - network.c:lxc_restore_phys_nics_to_netns:3307 - Operation not permitted - Failed to enter network namespace
lxc foo 20201201232059.271 ERROR start - start.c:__lxc_start:2045 - Failed to move physical network devices back to parent network namespace
Let's check that we indeed did clone the network namespace, and thus have
things to restore to their correct namespace before attempting to actually
restore them.
I suspect it's possible we can also get rid of some of the network namespace
preservation stuff in start.c in the LXC_NET_NONE case.
Signed-off-by: Tycho Andersen <tycho@tycho.pizza>
Stéphane Graber [Sat, 21 Nov 2020 15:56:16 +0000 (10:56 -0500)]
Merge pull request #3586 from tenforward/japanese
doc: Add lxc.cgroup.dir.monitor.pivot to Japanese man page
KATOH Yasufumi [Sat, 21 Nov 2020 15:26:35 +0000 (00:26 +0900)]
doc: Add lxc.cgroup.dir.monitor.pivot to Japanese man page
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Stéphane Graber [Wed, 18 Nov 2020 21:33:10 +0000 (16:33 -0500)]
Merge pull request #3583 from brauner/2020-11-18/fixes
commands_utils: fix lxc-wait
Christian Brauner [Wed, 18 Nov 2020 20:06:37 +0000 (21:06 +0100)]
commands_utils: fix lxc-wait
Closes: #3570
Fixes: 7792a5b60f79 ("commands: add additional check to lxc_cmd_sock_get_state()")
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Stéphane Graber [Tue, 17 Nov 2020 23:22:50 +0000 (18:22 -0500)]
Merge pull request #3582 from brauner/2020-11-17/bugfixes
file_utils: fix config file parsing
Christian Brauner [Tue, 17 Nov 2020 21:34:05 +0000 (22:34 +0100)]
file_utils: fix config file parsing
We accidentally used the "bytes_to_write" variable after we've written all the
bytes, at which point it is guaranteed to be 0. Let's use the "bytes_read"
variable instead.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Stéphane Graber [Mon, 16 Nov 2020 14:50:14 +0000 (09:50 -0500)]
Merge pull request #3581 from brauner/2020-11-16/fixes
conf: improve mountinfo and config parsing
Christian Brauner [Mon, 16 Nov 2020 11:30:18 +0000 (12:30 +0100)]
conf: switch to fd_to_fd() when copying mountinfo
Closes: #3580.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=209971
Suggested-by: Joan Bruguera <joanbrugueram@gmail.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Mon, 16 Nov 2020 11:18:14 +0000 (12:18 +0100)]
parse: rework config parsing routine
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Fri, 13 Nov 2020 15:03:48 +0000 (16:03 +0100)]
Merge pull request #3579 from lifeng68/master
cgfsng: adjust log level to warn instead of error
lifeng68 [Fri, 13 Nov 2020 05:49:21 +0000 (13:49 +0800)]
cgfsng: adjust log level to warn instead of error
Signed-off-by: lifeng68 <lifeng68@huawei.com>
Stéphane Graber [Thu, 5 Nov 2020 23:08:25 +0000 (18:08 -0500)]
Merge pull request #3577 from brauner/2020-11-05/bugfixes
attach: silence stdio permission adjust warnings
Christian Brauner [Thu, 5 Nov 2020 19:25:29 +0000 (20:25 +0100)]
attach: silence stdio permission adjust warnings
Closes: #3576.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Stéphane Graber [Thu, 5 Nov 2020 17:50:18 +0000 (12:50 -0500)]
Merge pull request #3574 from Drachenfels-GmbH/seccomp-fixes
Add missing free for monitor_pivot_dir.
Ruben Jenster [Fri, 30 Oct 2020 08:48:23 +0000 (09:48 +0100)]
Add missing free for monitor_pivot_dir.
Signed-off-by: Ruben Jenster <r.jenster@drachenfels.de>
Stéphane Graber [Mon, 2 Nov 2020 17:58:43 +0000 (12:58 -0500)]
Merge pull request #3572 from brauner/2020-11-02/seccomp_nonblocking
seccomp: fixes
Christian Brauner [Mon, 2 Nov 2020 15:48:02 +0000 (16:48 +0100)]
seccomp: log aborted system calls
Suggested-by: Jann Horn <jann@thejh.net>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Mon, 2 Nov 2020 15:44:05 +0000 (16:44 +0100)]
seccomp: make seccomp notifier fd non-blocking
Suggested-by: Jann Horn <jann@thejh.net>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Stéphane Graber [Wed, 28 Oct 2020 12:02:51 +0000 (08:02 -0400)]
Merge pull request #3568 from brauner/2020-10-28/fixes
coverity fixes
Christian Brauner [Wed, 28 Oct 2020 03:16:41 +0000 (04:16 +0100)]
attach: require that LXC_ATTACH_LSM_LABEL is specified
to avoid liblxc stumbling over a smaller struct passed in from an older
liblxc. In the future we should version by size but this requires a new
attach2().
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Wed, 28 Oct 2020 03:04:42 +0000 (04:04 +0100)]
utils: check snprintf return value
Fixes: Coverity 1465853
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Wed, 28 Oct 2020 03:03:31 +0000 (04:03 +0100)]
conf: check snprintf return value
Fixes: Coverity 1465854
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Wed, 28 Oct 2020 03:01:19 +0000 (04:01 +0100)]
utils: don't deref after NULL check
Fixes: Coverity 1465855
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Wed, 28 Oct 2020 02:58:54 +0000 (03:58 +0100)]
commands: don't deref after NULL check
Fixes: Coverity 1465657
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Tue, 27 Oct 2020 16:45:46 +0000 (17:45 +0100)]
Merge pull request #3567 from blenk92/lxc-attach-selinux
lxc-attach: Enable setting the SELinux context
Christian Brauner [Tue, 27 Oct 2020 16:44:59 +0000 (17:44 +0100)]
Merge pull request #3563 from Drachenfels-GmbH/cgroup-fixes
cgroups: Introduce lxc.cgroup.dir.monitor.pivot - fixes cgroup removal on termination
Christian Brauner [Tue, 27 Oct 2020 16:44:38 +0000 (17:44 +0100)]
Merge pull request #3562 from Drachenfels-GmbH/seccomp-fixes
seccomp: fix pseudo syscalls, improve logging and avoid duplicate processing
Christian Brauner [Tue, 27 Oct 2020 16:14:16 +0000 (17:14 +0100)]
Merge pull request #3565 from Drachenfels-GmbH/test-fixes
tests: Fix compilation with apparmor enabled.
Christian Brauner [Tue, 27 Oct 2020 16:12:51 +0000 (17:12 +0100)]
Merge pull request #3564 from Drachenfels-GmbH/fixes
lxccontainer: fix lxc_config_item_is_supported
Maximilian Blenk [Tue, 27 Oct 2020 09:38:44 +0000 (10:38 +0100)]
lxc-attach: Enable setting the SELinux context
Enable lxc-attach to set the SELinux context that the user will end up
in when attaching to a container (this can be used to overwrite the
context set in the config file). If the option is not used, behavior
will be as before.
Signed-off-by: Maximilian Blenk <Maximilian.Blenk@bmw.de>
Ruben Jenster [Fri, 23 Oct 2020 16:26:34 +0000 (18:26 +0200)]
tests: Fix compilation with apparmor enabled.
Signed-off-by: Ruben Jenster <r.jenster@drachenfels.de>
Ruben Jenster [Fri, 23 Oct 2020 16:32:15 +0000 (18:32 +0200)]
lxccontainer: fix lxc_config_item_is_supported
Use exact match instead of longest prefix match
to check whether a config item is supported.
Signed-off-by: Ruben Jenster <r.jenster@drachenfels.de>
Ruben Jenster [Fri, 23 Oct 2020 09:33:38 +0000 (11:33 +0200)]
Introduce lxc.cgroup.dir.monitor.pivot
On termination lxc may fail to remove either lxc.cgroup.dir or lxc.cgroup.dir.monitor,
because the monitor process may still be a member of either of these cgroups.
The pivot cgroup should not be a member (subpath) of any other container cgroup (dir),
because only empty cgroups can be removed.
Signed-off-by: Ruben Jenster <r.jenster@drachenfels.de>
Ruben Jenster [Fri, 23 Oct 2020 14:03:12 +0000 (16:03 +0200)]
seccomp: Avoid duplicate processing of rules for host native arch.
Signed-off-by: Ruben Jenster <r.jenster@drachenfels.de>
Ruben Jenster [Thu, 22 Oct 2020 15:15:58 +0000 (17:15 +0200)]
seccomp: Fix handling of pseudo syscalls and improve logging for rule processing.
Signed-off-by: Ruben Jenster <r.jenster@drachenfels.de>
Stéphane Graber [Sat, 24 Oct 2020 17:59:10 +0000 (13:59 -0400)]
Merge pull request #3561 from tenforward/japanese
Update Japanese pam_cgfs(8) to reflect lack of support for pure cgroupv2
KATOH Yasufumi [Sat, 24 Oct 2020 16:35:35 +0000 (01:35 +0900)]
Update Japanese pam_cgfs(8) to reflect lack of support for pure cgroupv2
Update for commit b87ed83bbc7db3f826b4f54df1bb458c2c539be7
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Stéphane Graber [Tue, 20 Oct 2020 16:21:53 +0000 (12:21 -0400)]
Merge pull request #3559 from brauner/2020-10-20/fixes
conf: account for early return when sending devpts fd
Christian Brauner [Tue, 20 Oct 2020 15:41:06 +0000 (17:41 +0200)]
conf: account for early return when sending devpts fd
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Stéphane Graber [Tue, 20 Oct 2020 12:22:49 +0000 (08:22 -0400)]
Merge pull request #3558 from brauner/2020-10-20/fixes
conf: always send response to parent waiting for devptfs_fd
Christian Brauner [Tue, 20 Oct 2020 11:02:00 +0000 (13:02 +0200)]
conf: always send response to parent waiting for devptfs_fd
When no devpts devices are requested we used to return early but did not send a
response to the parent. This is a problem because the parent will be waiting
for a devpts fd to be sent. Make sure to always send a response.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Stéphane Graber [Mon, 19 Oct 2020 12:29:16 +0000 (08:29 -0400)]
Merge pull request #3556 from brauner/2020-10-19/fixes
startup fixes
Christian Brauner [Mon, 19 Oct 2020 09:38:17 +0000 (11:38 +0200)]
start: improve devpts fd sending
Closes: #3549.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Mon, 19 Oct 2020 09:56:53 +0000 (11:56 +0200)]
sync: log synchronization states
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Mon, 19 Oct 2020 09:46:08 +0000 (11:46 +0200)]
sync: switch to new error helpers
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Stéphane Graber [Fri, 16 Oct 2020 12:17:26 +0000 (08:17 -0400)]
Merge pull request #3555 from brauner/2020-10-16/seccomp
seccomp: fix compilation on powerpc
Christian Brauner [Fri, 16 Oct 2020 10:22:57 +0000 (12:22 +0200)]
Wolfgang Bumiller [Thu, 15 Oct 2020 09:38:49 +0000 (11:38 +0200)]
Merge pull request #3553 from brauner/2020-10-15/seccomp
seccomp: bugfixes
Christian Brauner [Thu, 15 Oct 2020 08:00:44 +0000 (10:00 +0200)]
seccomp: improve default notification sending
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Thu, 15 Oct 2020 07:19:23 +0000 (09:19 +0200)]
seccomp: log invalid seccomp notify ids
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Tue, 13 Oct 2020 20:12:29 +0000 (22:12 +0200)]
Merge pull request #3548 from Drachenfels-GmbH/master
seccomp: Check if syscall is supported on compat architecture.
Ruben Jenster [Tue, 13 Oct 2020 14:51:55 +0000 (16:51 +0200)]
seccomp: Check if syscall is supported on compat architecture.
Signed-off-by: Ruben Jenster <r.jenster@drachenfels.de>
Stéphane Graber [Wed, 23 Sep 2020 12:01:11 +0000 (08:01 -0400)]
Merge pull request #3541 from Mingli-Yu/master
Remove obsolete setting regarding the Standard Output
Mingli Yu [Wed, 23 Sep 2020 07:03:02 +0000 (07:03 +0000)]
Remove obsolete setting regarding the Standard Output
The Standard output type "syslog" is obsolete, causing a warning since systemd
version 246 [1].
Please consider using "journal" or "journal+console"
[1] https://github.com/systemd/systemd/blob/master/NEWS#L202
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Stéphane Graber [Thu, 17 Sep 2020 17:11:20 +0000 (13:11 -0400)]
Merge pull request #3540 from brauner/2020-09-17/fixes_2
lxc-usernsexec: setgroups() similar to other places shouldn't fail on…
Christian Brauner [Thu, 17 Sep 2020 15:44:26 +0000 (17:44 +0200)]
lxc-usernsexec: setgroups() similar to other places shouldn't fail on EPERM
FAIL: lxc-tests: lxc-test-usernsexec (1s)
---
as test-userns executing /tmp/autopkgtest.waGEXj/build.Hm3/src/src/tests/lxc-test-usernsexec
uid=1001 gid=1001 name=test-userns subuid=165536 subgid=165536 ver=1:4.0.4-0ubuntu3
lxc-utils=1:4.0.4-0ubuntu3 kver=5.8.0-19-generic
USERNSEXEC=lxc-usernsexec
nouidgid: PASS
myuidgid: FAIL - runtest failed 1
$ lxc-usernsexec -mu:0:1001:1 -mg:0:1001:1 -- /tmp/autopkgtest.waGEXj/build.Hm3/src/src/tests/lxc-test-usernsexec inside f0
lxc 20200914222824.562 ERROR utils - utils.c:lxc_setgroups:1363 - Operation not permitted - Failed to setgroups()
kid 73112 is gone 1
subuidgid: PASS
bothsets: PASS
mismatch: PASS
ERRORS: myuidgid
---
Reported-by: Seth Forshee <seth.forshee@canonical.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Stéphane Graber [Thu, 17 Sep 2020 15:30:14 +0000 (11:30 -0400)]
Merge pull request #3539 from brauner/2020-09-17/fixes
commands: don't fail if unfreeze fails
Christian Brauner [Thu, 17 Sep 2020 09:11:44 +0000 (11:11 +0200)]
commands: don't fail if unfreeze fails
We can e.g. fail the unfreeze because the freezer cgroup is not available and
then we erroneously report that stopping the container failed.
Closes: #3471.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Thu, 3 Sep 2020 08:11:41 +0000 (10:11 +0200)]
Merge pull request #3532 from alliedtelesis/fix_lxc_attach_crash
avoid a NULL pointer dereference in lxc-attach
Christian Brauner [Wed, 2 Sep 2020 07:28:32 +0000 (09:28 +0200)]
attach: use lxc_terminal_signal_sigmask_safe_blocked()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Wed, 2 Sep 2020 07:28:12 +0000 (09:28 +0200)]
terminal: introduce lxc_terminal_signal_sigmask_safe_blocked()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Scott Parlane [Wed, 2 Sep 2020 05:01:11 +0000 (17:01 +1200)]
avoid a NULL pointer dereference in lxc-attach
Seems to appear when stderr is a terminal and not stdin or stdout.
Signed-off-by: Scott Parlane <scott.parlane@alliedtelesis.co.nz>
Christian Brauner [Fri, 28 Aug 2020 10:12:56 +0000 (12:12 +0200)]
Merge pull request #3531 from JingWoo/cleancode
remove useless parameters
wujing [Fri, 28 Aug 2020 08:46:48 +0000 (16:46 +0800)]
remove useless parameters
Signed-off-by: wujing <Jing.Woo@outlook.com>
Stéphane Graber [Tue, 25 Aug 2020 12:45:14 +0000 (08:45 -0400)]
Merge pull request #3530 from brauner/2020-08-25/fixes
cgroups: fix armhf builds
Christian Brauner [Tue, 25 Aug 2020 10:30:37 +0000 (12:30 +0200)]
Merge pull request #3529 from pranaysrivastava/fixup_rootfs_detection
Check only rootfs as filesystem type
Christian Brauner [Tue, 25 Aug 2020 10:27:10 +0000 (12:27 +0200)]
Pranay Kr. Srivastava [Mon, 24 Aug 2020 08:10:02 +0000 (13:40 +0530)]
Check only rootfs as filesystem type
When detecting if rootfs is on ramfs, instead of checking "- rootfs
rootfs", which is the " - <file_system> <device>" information, only check
the file system type. This is due to a change introduced in the kernel where
the ramfs file system doesn't set the device to "rootfs" but instead marks it
as "none". By making sure we only check for "rootfs" as the file system
name we also offer backward compatibility with earlier kernels.
The kernel commit that introduced this change was
commit f32356261d44d580649a7abce1156d15d49cf20f
Author: David Howells <dhowells@redhat.com>
Date: Mon Mar 25 16:38:31 2019 +0000
vfs: Convert ramfs, shmem, tmpfs, devtmpfs, rootfs to use the new mount API
Signed-off-by: Pranay Kr. Srivastava <pranay.srivastava@pantacor.com>
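The detection change described in the commit message above, as an added example that is not LXC's own code: both the old "- rootfs rootfs" substring check and the fixed filesystem-type-only check are run over constructed mountinfo lines for an older kernel, a newer kernel (device "none") and a disk-backed root.

```python
# Added example (not LXC's code): decide whether "/" is the kernel's initial
# rootfs (ramfs) from /proc/self/mountinfo, the old way and the fixed way.
#
# mountinfo line layout (proc(5)):
#   id parent major:minor root mount_point opts [optional...] - fstype source super_opts
# The " - " separator ends the optional fields, so the fstype is the first
# token after it and the source (device) is the second.

# Constructed sample lines, not captured from a real system.
MOUNTINFO_OLD_KERNEL = "1 1 0:1 / / rw - rootfs rootfs rw\n"
MOUNTINFO_NEW_KERNEL = "1 1 0:2 / / rw - rootfs none rw\n"
MOUNTINFO_DISK_ROOT = (
    "24 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro\n"
    "25 24 0:5 / /dev rw,nosuid - devtmpfs udev rw,size=4000000k\n"
)


def root_mount_entry(mountinfo: str):
    """Return (fstype, source) for the entry mounted on "/", or None."""
    for line in mountinfo.splitlines():
        if " - " not in line:
            continue
        left, _, right = line.partition(" - ")
        fields = left.split()
        # fields[4] is the mount point; skip everything that is not "/".
        if len(fields) < 5 or fields[4] != "/":
            continue
        tail = right.split()
        if len(tail) < 2:
            continue
        return tail[0], tail[1]
    return None


def rootfs_is_ramfs_legacy(mountinfo: str) -> bool:
    """The old check: require both fstype and device to read "rootfs".

    Breaks on kernels after the mount API conversion, where the device
    field of the initial rootfs is "none".
    """
    return "- rootfs rootfs" in mountinfo


def rootfs_is_ramfs(mountinfo: str) -> bool:
    """The fixed check: consult only the filesystem type of the "/" entry."""
    entry = root_mount_entry(mountinfo)
    return entry is not None and entry[0] == "rootfs"


if __name__ == "__main__":
    for name, sample in (("old kernel", MOUNTINFO_OLD_KERNEL),
                         ("new kernel", MOUNTINFO_NEW_KERNEL),
                         ("disk root", MOUNTINFO_DISK_ROOT)):
        print(f"{name:10s} legacy={rootfs_is_ramfs_legacy(sample)!s:5s} "
              f"fixed={rootfs_is_ramfs(sample)}")
```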
Stéphane Graber [Fri, 21 Aug 2020 16:10:50 +0000 (12:10 -0400)]
Merge pull request #3528 from graysky2/master
remove deprecated options in lxc.service fixes #3527
Stéphane Graber [Fri, 21 Aug 2020 16:10:29 +0000 (12:10 -0400)]
Merge pull request #3526 from brauner/2020-08-21/fixes
cgfsng: fix cgroup attach cgroup creation
graysky [Fri, 21 Aug 2020 10:33:49 +0000 (06:33 -0400)]
remove deprecated options in lxc.service fixes #3527
Signed-off-by: graysky <graysky@archlinux.us>
Christian Brauner [Fri, 21 Aug 2020 07:59:18 +0000 (09:59 +0200)]
cgfsng: fix cgroup attach cgroup creation
cgroups/cgfsng.c: In function ‘cgroup_attach_leaf.constprop’:
cgroups/cgfsng.c:2221:10: error: writing 1 byte into a region of size 0 [-Werror=stringop-overflow=]
 2221 |   *slash = '\0';
      |   ~~~~~~~^~~~~~
cgroups/cgfsng.c:2213:8: note: at offset -13 to object ‘attach_cgroup’ with size 23 declared here
 2213 |  char attach_cgroup[STRLITERALLEN(".lxc-1000/cgroup.procs") + 1];
      |       ^~~~~~~~~~~~~
cgroups/cgfsng.c:2229:10: error: writing 1 byte into a region of size 0 [-Werror=stringop-overflow=]
 2229 |   *slash = '/';
      |   ~~~~~~~^~~~~
cgroups/cgfsng.c:2213:8: note: at offset -13 to object ‘attach_cgroup’ with size 23 declared here
 2213 |  char attach_cgroup[STRLITERALLEN(".lxc-1000/cgroup.procs") + 1];
      |       ^~~~~~~~~~~~~
Link: https://launchpadlibrarian.net/494354168/buildlog_ubuntu-groovy-armhf.lxc_1%3A4.0.4-0ubuntu1_BUILDING.txt.gz
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Stéphane Graber [Mon, 17 Aug 2020 04:04:30 +0000 (00:04 -0400)]
Merge pull request #3522 from avr1254/master
Updated documentation to reflect lack of support for pure cgroupv2
Arjun Ramachandrula [Sat, 15 Aug 2020 20:16:03 +0000 (16:16 -0400)]
Updated documentation to reflect lack of support for pure cgroupv2
Signed-off-by: Arjun Ramachandrula <arjun.ramachandrula@gmail.com>
Stéphane Graber [Wed, 12 Aug 2020 21:31:08 +0000 (17:31 -0400)]
Merge pull request #3518 from brauner/2020-08-12/fixes
lsm: remove the need for atomic operations
Christian Brauner [Wed, 12 Aug 2020 13:26:22 +0000 (15:26 +0200)]
lsm: remove the need for atomic operations
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Stéphane Graber [Tue, 11 Aug 2020 12:28:19 +0000 (08:28 -0400)]
Merge pull request #3517 from brauner/2020-08-10/fixes_2
lsm: rewrite
Christian Brauner [Tue, 11 Aug 2020 08:32:01 +0000 (10:32 +0200)]
lsm: use atomic in case we're used multi-threaded
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Mon, 10 Aug 2020 21:55:13 +0000 (23:55 +0200)]
lsm: rework lsm handling
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Stéphane Graber [Mon, 10 Aug 2020 18:41:00 +0000 (14:41 -0400)]
Merge pull request #3514 from brauner/2020-08-10/fixes
conf: terminal and /dev hardening
Christian Brauner [Mon, 10 Aug 2020 09:13:53 +0000 (11:13 +0200)]
terminal: harden terminal allocation
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Mon, 10 Aug 2020 09:01:42 +0000 (11:01 +0200)]
conf: move /dev setup to be file descriptor based
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Stéphane Graber [Mon, 10 Aug 2020 02:39:45 +0000 (22:39 -0400)]
Merge pull request #3513 from brauner/2020-08-09/openat2
openat2() and safe mounting
Christian Brauner [Sun, 9 Aug 2020 17:35:33 +0000 (19:35 +0200)]
conf: harden lxc_fill_autodev() via safe_mount_beneath_at()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Sun, 9 Aug 2020 17:33:23 +0000 (19:33 +0200)]
file_utils: add exists_dir_at()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Sun, 9 Aug 2020 16:55:52 +0000 (18:55 +0200)]
conf: make use of stashed container mountpoint fd in mount_autodev()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Sun, 9 Aug 2020 16:55:25 +0000 (18:55 +0200)]
conf: stash file descriptor to root mountpoint in struct lxc_rootfs
This way we only need to open it _once_ per container startup.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Sun, 9 Aug 2020 16:37:57 +0000 (18:37 +0200)]
utils: introduce safe_mount_beneath_at()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Sun, 9 Aug 2020 13:48:35 +0000 (15:48 +0200)]
cgfsng: use safe_mount_beneath()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Sun, 9 Aug 2020 13:37:31 +0000 (15:37 +0200)]
conf: switch mount_autodev() to new safe_mount_beneath() helper
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Sun, 9 Aug 2020 13:24:26 +0000 (15:24 +0200)]
utils: add safe_mount_beneath() based on openat2()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Sun, 9 Aug 2020 10:48:02 +0000 (12:48 +0200)]
syscalls: add openat2()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Fri, 7 Aug 2020 19:40:56 +0000 (21:40 +0200)]
Merge pull request #3512 from stgraber/master
lxc-download fixes
Stéphane Graber [Fri, 7 Aug 2020 19:10:22 +0000 (15:10 -0400)]
lxc-download: Fix retry loop
Closes #3511
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Stéphane Graber [Fri, 7 Aug 2020 19:09:01 +0000 (15:09 -0400)]
Revert "templates/lxc-download.in: use GPG option --receive-keys instead of --recv-keys"
This reverts commit 409040e702f814a167aed5a0e833f4d5c67fd29d.
Testing of both options shows identical behavior but receive-keys does
not exist on older releases, so let's revert this.
Closes #3510
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Stéphane Graber [Thu, 6 Aug 2020 15:51:32 +0000 (11:51 -0400)]
Merge pull request #3509 from brauner/2020-08-06/fixes
api-extension: add missing seccomp_proxy_send_notify_fd extension
Christian Brauner [Thu, 6 Aug 2020 15:33:09 +0000 (17:33 +0200)]
api-extension: add missing seccomp_proxy_send_notify_fd extension
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>