]>
git.proxmox.com Git - mirror_lxc.git/log
Christian Brauner [Tue, 5 Feb 2019 06:01:50 +0000 (07:01 +0100)]
lxc_user_nic: remove stack allocations
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Tue, 5 Feb 2019 06:01:33 +0000 (07:01 +0100)]
cgroups: remove stack allocations
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Tue, 5 Feb 2019 06:00:58 +0000 (07:00 +0100)]
lxcmntent: remove stack allocations
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Tue, 5 Feb 2019 05:51:55 +0000 (06:51 +0100)]
memory_utils: add memory_utils.h
The header defines a simple wrapper for free() that can be used with
gcc's and clang's __attribute__((__cleanup__(<cleanup-fun>))) macro.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Stéphane Graber [Tue, 5 Feb 2019 23:24:46 +0000 (18:24 -0500)]
Merge pull request #2824 from brauner/2019-02-05/compiler_based_hardening
compiler: hardening
Christian Brauner [Tue, 5 Feb 2019 22:50:43 +0000 (23:50 +0100)]
compiler: -Wnested-externs hardening
Warn if an extern declaration is encountered within a function.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Tue, 5 Feb 2019 22:49:48 +0000 (23:49 +0100)]
compiler: -Wdate-time hardening
Warn when macros __TIME__, __DATE__ or __TIMESTAMP__ are encountered as
they might prevent bit-wise-identical reproducible compilations.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Tue, 5 Feb 2019 22:48:32 +0000 (23:48 +0100)]
compiler: -Werror=shift-overflow=2 hardening
Warn about left shift overflows. This warning is enabled by default in
C99 and C++11 modes (and newer).
-Wshift-overflow=2
This warning level also warns about left-shifting 1 into the sign bit,
unless C++14 mode (or newer) is active.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Tue, 5 Feb 2019 22:47:31 +0000 (23:47 +0100)]
compiler: -Werror=shift-count-overflow hardening
Warn if shift count >= width of type.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Tue, 5 Feb 2019 22:44:20 +0000 (23:44 +0100)]
compiler: fix -fstack-protector-strong
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Tue, 5 Feb 2019 22:25:19 +0000 (23:25 +0100)]
compiler: -fdiagnostics-show-option
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Tue, 5 Feb 2019 22:21:43 +0000 (23:21 +0100)]
compiler: -Werror=overflow hardening
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Tue, 5 Feb 2019 22:15:05 +0000 (23:15 +0100)]
compiler: -Wendif-labels hardening
Do not warn whenever an #else or an #endif are followed by text.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Stéphane Graber [Tue, 5 Feb 2019 21:55:36 +0000 (16:55 -0500)]
Merge pull request #2823 from brauner/2019-02-05/compiler_based_hardening
compiler: hardening
Christian Brauner [Tue, 5 Feb 2019 19:56:08 +0000 (20:56 +0100)]
compiler: -Wshadow hardening
Warn whenever a local variable or type declaration shadows another
variable, parameter, type, class member (in C++), or instance variable
(in Objective-C) or whenever a built-in function is shadowed.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Tue, 5 Feb 2019 19:54:33 +0000 (20:54 +0100)]
compiler: set -Wimplicit-fallthrough to 5
-Wimplicit-fallthrough=5 doesn’t recognize any comments as fallthrough
comments, only attributes disable the warning.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Tue, 5 Feb 2019 19:51:50 +0000 (20:51 +0100)]
compiler: -Wformat=2 hardening
Enable -Wformat plus additional format checks. Currently equivalent to
-Wformat -Wformat-nonliteral -Wformat-security -Wformat-y2k.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Tue, 5 Feb 2019 19:49:59 +0000 (20:49 +0100)]
compiler: -Werror=incompatible-pointer-types
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Tue, 5 Feb 2019 19:48:45 +0000 (20:48 +0100)]
compiler: -Werror=return-type hardening
Warn whenever a function is defined with a return type that defaults to
int. Also warn about any return statement with no return value in a
function whose return type is not void (falling off the end of the
function body is considered returning without a value).
For C only, warn about a return statement with an expression in a
function whose return type is void, unless the expression type is also
void. As a GNU extension, the latter case is accepted without a warning
unless -Wpedantic is used.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Tue, 5 Feb 2019 19:44:57 +0000 (20:44 +0100)]
compiler: -Wsuggest-attribute=noreturn hardening
Warn about functions that might be candidates for attributes pure, const
or noreturn or malloc.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Tue, 5 Feb 2019 19:43:52 +0000 (20:43 +0100)]
compiler: -Wfloat-equal hardening
Warn if floating-point values are used in equality comparisons.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Tue, 5 Feb 2019 19:43:00 +0000 (20:43 +0100)]
compiler: -Winit-self hardening
Warn about uninitialized variables that are initialized with themselves.
Note this option can only be used with the -Wuninitialized option.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Tue, 5 Feb 2019 19:33:40 +0000 (20:33 +0100)]
compiler: -Wold-style-definition hardening
Warn if an old-style function definition is used. A warning is given
even if there is a previous prototype.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Tue, 5 Feb 2019 19:31:20 +0000 (20:31 +0100)]
compiler: -Wmissing-include-dirs hardening
Warn if a user-supplied include directory does not exist.
This already surfaced a bug that is fixed by this commit.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Tue, 5 Feb 2019 19:29:21 +0000 (20:29 +0100)]
compiler: -Wlogical-op hardening
Warn about suspicious uses of logical operators in expressions.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Stéphane Graber [Tue, 5 Feb 2019 17:16:41 +0000 (18:16 +0100)]
Merge pull request #2822 from tomponline/tp-rpmspec
fix rpm packaging for bash completion directory.
tomponline [Tue, 5 Feb 2019 17:10:20 +0000 (17:10 +0000)]
fix rpm packaging for bash completion directory.
Closed #1825
Signed-off-by: tomponline <tomp@tomp.uk>
Stéphane Graber [Fri, 1 Feb 2019 11:38:14 +0000 (12:38 +0100)]
Merge pull request #2820 from brauner/2019-01-31/cgfsng_sys/kernel/cgroup/delegate
cgroups: use of /sys/kernel/cgroup/delegate file
Stéphane Graber [Fri, 1 Feb 2019 11:37:38 +0000 (12:37 +0100)]
Merge pull request #2787 from Blub/2019-01-17/revert-sys-double-bindmount-cleanup
Revert "conf: remove extra MS_BIND with sysfs:mixed"
Christian Brauner [Fri, 1 Feb 2019 09:57:49 +0000 (10:57 +0100)]
cgroups: use of /sys/kernel/cgroup/delegate file
This file contains the files one needs to chown to successfully delegate
cgroup files to unprivileged users.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Thu, 31 Jan 2019 10:38:04 +0000 (11:38 +0100)]
Merge pull request #2806 from brauner/2019-01-27/bugfixes
freezer: non-functional changes
Christian Brauner [Sun, 27 Jan 2019 01:04:21 +0000 (02:04 +0100)]
freezer: non-functional changes
Fix the coding style in a few files.
Fixes: db1228b35f3e ("Avoid hardcoded string length")
Fixes: 71fc9c046816 ("Avoid risk of "too far memory read"")
Fixes: 2341916a0367 ("Avoid double lxc-freeze/unfreeze")
Fixes: 9eb9ce3e4778 ("Update freezer.c")
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Tue, 29 Jan 2019 12:06:22 +0000 (13:06 +0100)]
Merge pull request #2817 from Rachid-Koucha/patch-5
More accurate error msg for template file
Rachid Koucha [Tue, 29 Jan 2019 11:20:46 +0000 (12:20 +0100)]
More accurate error msg for template file
When calling lxc-create, if the template exists but is not executable, we end with the following error messages which make believe that the template file does not exist when it is merely a execute access problem:
lxc-create: ctn00: utils.c: get_template_path: 918 No such file or directory - bad template: /.../lxc-busybox
lxc-create: ctn00: lxccontainer.c: do_lxcapi_create: 1786 Unknown template "/.../lxc-busybox"
lxc-create: ctn00: tools/lxc_create.c: main: 327 Failed to create container ctn00
Actually internally the errno is lost as the following code triggers a useless access to (strace output):
access("/.../lxc-busybox", X_OK) = -1 ENOENT (No such file or directory)
With the above fix, we get a more explicit error message when the template file is missing the "execute" bit:
lxc-create: bbc: utils.c: get_template_path: 917 Permission denied - Bad template pathname: /tmp/azerty
lxc-create: bbc: lxccontainer.c: do_lxcapi_create: 1816 Unknown template "/tmp/azerty"
lxc-create: bbc: tools/lxc_create.c: main: 331 Failed to create container bbc
With the above fix, we get a more explicit error message when the pathname of the template file is incorrect:
lxc-create: bbc: utils.c: get_template_path: 917 No such file or directory - Bad template pathname: /tmp/qwerty
lxc-create: bbc: lxccontainer.c: do_lxcapi_create: 1816 Unknown template "/tmp/qwerty"
lxc-create: bbc: tools/lxc_create.c: main: 331 Failed to create container bbc
Signed-off-by: Rachid Koucha <rachid.koucha@gmail.com>
Stéphane Graber [Mon, 28 Jan 2019 22:24:01 +0000 (17:24 -0500)]
Merge pull request #2807 from brauner/2019-01-27/mount_entries
conf: check for successful mount entry parse
Christian Brauner [Mon, 28 Jan 2019 10:54:45 +0000 (11:54 +0100)]
Merge pull request #2814 from tenforward/japanese
doc: Add lxc.seccomp.allow_nesting to Japanese lxc.container.conf(5)
KATOH Yasufumi [Mon, 28 Jan 2019 10:01:40 +0000 (19:01 +0900)]
doc: Add lxc.seccomp.allow_nesting to Japanese lxc.container.conf(5)
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Serge Hallyn [Mon, 28 Jan 2019 03:41:49 +0000 (21:41 -0600)]
Merge pull request #2813 from brauner/2019-01-27/bugfixes_2
compiler: remove deprecated and unneeded header
Christian Brauner [Sun, 27 Jan 2019 22:05:47 +0000 (23:05 +0100)]
prlimit: remove deprecated and unneeded header
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Sun, 27 Jan 2019 22:02:49 +0000 (23:02 +0100)]
compiler: remove deprecated and unneeded header
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Sun, 27 Jan 2019 13:03:40 +0000 (14:03 +0100)]
Merge pull request #2812 from Rachid-Koucha/patch-7
/etc/resolv.conf grows indefinitely
Rachid Koucha [Sun, 27 Jan 2019 12:46:48 +0000 (13:46 +0100)]
/etc/resolv.conf grows indefinitely
This file grows indefinitely : upon each DHCP lease renew,
the "nameserver ..dns..." line is added at the end of the file.
Make a "grep" in the file to make sure that the same line
does not already exist.
Signed-off-by: Rachid Koucha <rachid.koucha@gmail.com>
Christian Brauner [Sun, 27 Jan 2019 12:14:24 +0000 (13:14 +0100)]
conf: append 0 0 to nesting helpers mount entries
Otherwise musl's getmntent_r() parser will fail.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Sun, 27 Jan 2019 12:07:03 +0000 (13:07 +0100)]
Merge pull request #2811 from Rachid-Koucha/patch-6
Create /var/run
Rachid Koucha [Sun, 27 Jan 2019 11:23:58 +0000 (12:23 +0100)]
Create /var/run
Some programs like "who" need this directory
to work (this permits the of /var/run/utmp file).
Signed-off-by: Rachid Koucha <rachid.koucha@gmail.com>
Christian Brauner [Sun, 27 Jan 2019 11:11:47 +0000 (12:11 +0100)]
Merge pull request #2810 from Rachid-Koucha/patch-6
Use BUSYBOX_EXE variable in configure_busybox()
Rachid Koucha [Sun, 27 Jan 2019 10:51:57 +0000 (11:51 +0100)]
Use BUSYBOX_EXE variable in configure_busybox()
As "which busybox" is stored in BUSYBOX_EXE
global variable at startup, use it wherever it is
needed.
Signed-off-by: Rachid Koucha <rachid.koucha@gmail.com>
Christian Brauner [Sun, 27 Jan 2019 01:22:43 +0000 (02:22 +0100)]
conf: check for successful mount entry parse
Since liblxc is completely in control of the mount entry file we should
only consider a parse successful when EOF is reached.
Closes #2798.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Sun, 27 Jan 2019 09:14:26 +0000 (10:14 +0100)]
Merge pull request #2809 from Rachid-Koucha/patch-6
Installation of default.script for udhcpc
Rachid Koucha [Sun, 27 Jan 2019 02:38:36 +0000 (03:38 +0100)]
Installation of default.script for udhcpc
The busybox template installs default.script in /usr/share/udhcpc/.
But the pathname of "default.script" may vary from one busybox
build to another. As the pathname is displayed in udhcpc's help,
grab it from it.
Signed-off-by: Rachid Koucha <rachid.koucha@gmail.com>
Christian Brauner [Sun, 27 Jan 2019 00:56:23 +0000 (01:56 +0100)]
Merge pull request #2744 from adamkasztenny/patch-1
Add template-options to help output
Christian Brauner [Sun, 27 Jan 2019 00:46:25 +0000 (01:46 +0100)]
Merge pull request #2804 from Rachid-Koucha/patch-4
Avoid hardcoded string length
Rachid Koucha [Sun, 27 Jan 2019 00:07:38 +0000 (01:07 +0100)]
Avoid hardcoded string length
Use strlen() on "state" variable instead of harcoded
value 6.
Signed-off-by: Rachid Koucha <rachid.koucha@gmail.com>
Christian Brauner [Sat, 26 Jan 2019 23:43:32 +0000 (00:43 +0100)]
Merge pull request #2803 from Rachid-Koucha/patch-4
Avoid risk of "too far memory read"
Christian Brauner [Sat, 26 Jan 2019 23:26:00 +0000 (00:26 +0100)]
Merge pull request #2802 from Rachid-Koucha/patch-3
Avoid double lxc-freeze/unfreeze
Rachid Koucha [Sat, 26 Jan 2019 23:10:39 +0000 (00:10 +0100)]
Avoid risk of "too far memory read"
As we call "lxc_add_state_client(fd, handler, (lxc_state_t *)req->data)"
which supposes that the last parameter is a table of MAX_STATE
entries when calling memcpy():
memcpy(newclient->states, states, sizeof(newclient->states))
Signed-off-by: Rachid Koucha <rachid.koucha@gmail.com>
Christian Brauner [Sat, 26 Jan 2019 22:48:59 +0000 (23:48 +0100)]
Merge pull request #2801 from Rachid-Koucha/patch-2
Update freezer.c
Rachid Koucha [Sat, 26 Jan 2019 22:46:34 +0000 (23:46 +0100)]
Avoid double lxc-freeze/unfreeze
If we call lxc-freeze multiple times for an already frozen container, LXC
triggers useless freezing by writing into the "freezer.state" cgroup file.
This is the same when we call lxc-unfreeze multiple times.
Checking the current state with a LXC_CMD_GET_STATE
(calling c->state) would permit to check if the container is FROZEN
or not.
Signed-off-by: Rachid Koucha <rachid.koucha@gmail.com>
Rachid Koucha [Sat, 26 Jan 2019 22:27:07 +0000 (23:27 +0100)]
Update freezer.c
Suppressed hard coded values for state and array's maximum index.
Signed-off-by: Rachid Koucha <rachid.koucha@gmail.com>
Wolfgang Bumiller [Mon, 21 Jan 2019 14:33:05 +0000 (15:33 +0100)]
Merge pull request #2794 from brauner/2019-01-21/revert_seccomp_fuckup
Revert "seccomp: add rules for specified architecture only"
Christian Brauner [Mon, 21 Jan 2019 13:58:43 +0000 (14:58 +0100)]
Revert "seccomp: add rules for specified architecture only"
This reverts commit
f1bcfc796e0a4a04b36284f6261afff59123b1aa .
The reverted branch breaks starting all seccomp confined containers. Not
even a containers with our standard seccomp profile starts correctly.
This is strong evidence that these changes have never been tested even
with a standard workload. That is unacceptable!
We are still happy to merge that feature but going forward we want tests
that verify that standard workloads and new features work correctly.
seccomp is a crucial part of our security story and I will not let the
be compromised by missing tests!
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Mon, 21 Jan 2019 11:18:25 +0000 (13:18 +0200)]
Merge pull request #2786 from lifeng68/fix_seccomp
seccomp: add rules for specified architecture only
LiFeng [Wed, 16 Jan 2019 10:07:59 +0000 (05:07 -0500)]
seccomp: add rules for specified architecture only
If the architecture is specified in the seccomp configuration, like:
```
2
whitelist errno 1
[x86_64]
accept allow
accept4 allow
```
We shoud add rules only for amd64 instead of add rules for
x32/i386/amd64.
1. If the [arch] was not specified in seccomp config, add seccomp rules
for all all compat architectures.
2. If the [arch] specified in seccomp config irrelevant to native host
arch, the rules will be ignored.
3. If specified [all] in seccomp config, add seccomp rules for all
compat architectures.
4. If specified [arch] as same as native host arch, add seccomp rules
for the native host arch.
5. If specified [arch] was not native host arch, but compat to host
arch, add seccomp rules for the specified arch only, NOT add seccomp
rules for native arch.
Signed-off-by: LiFeng <lifeng68@huawei.com>
Christian Brauner [Fri, 18 Jan 2019 09:04:48 +0000 (11:04 +0200)]
Merge pull request #2792 from kubiko/fix-android-hooks
Fixing hooks functionality Android where 'sh' is placed under /system
Christian Brauner [Fri, 18 Jan 2019 09:04:27 +0000 (11:04 +0200)]
Merge pull request #2791 from kubiko/handle-android-loop
Handle alternative loop device location on Android
ondra [Fri, 11 Jan 2019 14:45:38 +0000 (14:45 +0000)]
Handle alternative loop device location on Android
Signed-off-by: ondra <ondrak@localhost.localdomain>
ondra [Fri, 11 Jan 2019 16:42:13 +0000 (16:42 +0000)]
Fixing hooks functionality Android where 'sh' is placed under /system/bin
Signed-off-by: ondra <ondrak@localhost.localdomain>
Christian Brauner [Thu, 17 Jan 2019 09:50:11 +0000 (11:50 +0200)]
Merge pull request #2788 from tanyifeng/fix_mem_leak
conf.c: fix memory leak and mount error
Christian Brauner [Thu, 17 Jan 2019 09:49:41 +0000 (11:49 +0200)]
Merge pull request #2789 from lifeng68/fix_memory_leak
Fix memory leak in cgroup_exit
LiFeng [Thu, 17 Jan 2019 10:48:16 +0000 (05:48 -0500)]
Fix memory leak in cgroup_exit
Add free memory pointed by struct cgroup_ops *ops
Signed-off-by: LiFeng <lifeng68@huawei.com>
t00416110 [Thu, 17 Jan 2019 09:16:22 +0000 (17:16 +0800)]
conf.c: fix memory leak and mount error
1. cleanup namespace memory
2. fix bug when ro mount not setted, mount propagation will be skipped.
Signed-off-by: t00416110 <tanyifeng1@huawei.com>
Wolfgang Bumiller [Thu, 17 Jan 2019 08:16:16 +0000 (09:16 +0100)]
Revert "conf: remove extra MS_BIND with sysfs:mixed"
This reverts commit
51a922baf724689ff3a0df938ca8975601c9c815 .
The above commit confuses the mountall unit of privileged
Ubuntu 14.04 containers at startup so that they cannot
finish booting.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Christian Brauner [Wed, 16 Jan 2019 09:12:48 +0000 (11:12 +0200)]
Merge pull request #2785 from lifeng68/fix_return
start: __lxc_start return -1 when start fails
LiFeng [Tue, 15 Jan 2019 12:25:00 +0000 (07:25 -0500)]
start: __lxc_start return -1 when start fails
Signed-off-by: LiFeng <lifeng68@huawei.com>
Wolfgang Bumiller [Fri, 11 Jan 2019 09:31:25 +0000 (10:31 +0100)]
Merge pull request #2781 from brauner/hn-veth-uid
network: prefix veth interface name with uid info
hn [Tue, 8 Jan 2019 20:23:41 +0000 (21:23 +0100)]
network: prefix veth interface name with uid info
Signed-off-by: Hajo Noerenberg <hajo-github@noerenberg.de>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Stéphane Graber [Thu, 10 Jan 2019 16:09:27 +0000 (11:09 -0500)]
Merge pull request #2780 from brauner/2019-01-10/cgroupns_skip_on_einval
start: handle missing CLONE_NEWCGROUP
Christian Brauner [Thu, 10 Jan 2019 12:35:42 +0000 (13:35 +0100)]
start: handle missing CLONE_NEWCGROUP
If cgroup namespaces are not supported we should just record it in the
log and move on.
Cc: Ondrej Kubik <ondrej.kubik@canonical.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Wolfgang Bumiller [Thu, 10 Jan 2019 12:39:23 +0000 (13:39 +0100)]
Merge pull request #2777 from brauner/2019-01-09/cgfsng_with_no_controllers
cgroups: try to handle layouts with no cgroups
Christian Brauner [Tue, 8 Jan 2019 22:56:50 +0000 (23:56 +0100)]
cgroups: try to handle layouts with no cgroups
Cc: Ondrej Kubik <ondrej.kubik@canonical.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Tue, 8 Jan 2019 17:14:20 +0000 (18:14 +0100)]
Merge pull request #2775 from kubiko/android-fix-compile
Fixing compile error when compiling for android
Ondrej Kubik [Tue, 8 Jan 2019 17:00:36 +0000 (17:00 +0000)]
Fixing compile error when compiling for android
Signed-off-by: Ondrej Kubik <ondrej.kubik@canonical.com>
Christian Brauner [Tue, 8 Jan 2019 14:57:29 +0000 (15:57 +0100)]
Merge pull request #2774 from hn/master
trivial fix: unprivileged veth devices (e.g. vethFWABHX) never contain 'Z' char
hn [Mon, 7 Jan 2019 18:42:02 +0000 (19:42 +0100)]
fix: unprivileged veth devices (e.g. vethFWABHX) never contain 'Z' character in the randomly generated device name part because for modulo one does not need to substract 1 from strlen().
Signed-off-by: Hajo Noerenberg <hajo-github@noerenberg.de>
Stéphane Graber [Mon, 7 Jan 2019 23:34:37 +0000 (00:34 +0100)]
Merge pull request #2753 from brauner/2018-12-13/remove_sigwinch_cmd
terminal: remove sigwinch command
Stéphane Graber [Mon, 7 Jan 2019 23:34:16 +0000 (00:34 +0100)]
Merge pull request #2755 from brauner/2018-12-16/rootfs_managed
storage: do not destroy pre-existing rootfs
Stéphane Graber [Mon, 7 Jan 2019 23:33:57 +0000 (00:33 +0100)]
Merge pull request #2773 from brauner/2018-01-09/fix_cgroup_deletion
cgfsng: do not free container_full_path on error
Stéphane Graber [Mon, 7 Jan 2019 23:33:47 +0000 (00:33 +0100)]
Merge pull request #2770 from brauner/2018-01-07/container_copy
lxccontainer: fix container copy
Stéphane Graber [Mon, 7 Jan 2019 23:33:04 +0000 (00:33 +0100)]
Merge pull request #2771 from brauner/2018-01-07/seccomp_nesting_support
confile: add lxc.seccomp.allow_nesting
Christian Brauner [Mon, 7 Jan 2019 15:08:26 +0000 (16:08 +0100)]
cgfsng: do not free container_full_path on error
Closes #2741.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Mon, 7 Jan 2019 14:10:52 +0000 (15:10 +0100)]
confile: add lxc.seccomp.allow_nesting
This adds the lxc.seccomp.allow_nesting api extension. If
lxc.seccomp.allow_nesting is set to 1 then seccomp profiles will be
stacked. This way nested containers can load their own seccomp policy on
top of the policy that the outer container might have applied.
Cc: Simon Fels <simon.fels@canonical.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Mon, 7 Jan 2019 12:37:06 +0000 (13:37 +0100)]
lxccontainer: fix container copy
We need to strip the prefix from the container's source path before
trying to update the file.
Closes #2380.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Sun, 6 Jan 2019 11:39:17 +0000 (12:39 +0100)]
Merge pull request #2768 from caglar10ur/revert-2763-dangling
Revert "Set c to NULL after freeing it"
S.Çağlar Onur [Sat, 5 Jan 2019 20:22:17 +0000 (12:22 -0800)]
Revert "Set c to NULL after freeing it"
Signed-off-by: S.Çağlar Onur <caglar@10ur.org>
Christian Brauner [Fri, 4 Jan 2019 11:52:38 +0000 (12:52 +0100)]
Merge pull request #2767 from Blub/2019-01-04/use-syserror-on-write-error
conf: use SYSERROR on lxc_write_to_file errors
Wolfgang Bumiller [Fri, 4 Jan 2019 11:05:49 +0000 (12:05 +0100)]
conf: use SYSERROR on lxc_write_to_file errors
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Christian Brauner [Wed, 26 Dec 2018 19:53:59 +0000 (20:53 +0100)]
Merge pull request #2763 from caglar10ur/dangling
Set c to NULL after freeing it
S.Çağlar Onur [Wed, 26 Dec 2018 19:18:31 +0000 (11:18 -0800)]
Set c to NULL after freeing it
Signed-off-by: S.Çağlar Onur <caglar@10ur.org>
Stéphane Graber [Mon, 17 Dec 2018 15:14:31 +0000 (10:14 -0500)]
Merge pull request #2757 from brauner/2018-12-17/mount_injection_file
lxccontainer: fix mount api (mount_injection_file)
Christian Brauner [Mon, 17 Dec 2018 10:45:58 +0000 (11:45 +0100)]
lxccontainer: fix mount api (mount_injection_file)
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>