-
Include -devel suffix in version string
stgraber committedJan 5, 2018 Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
This commit was signed with a verified signature.stgraber Stéphane Graber
GPG key ID: C638974D64792D67 Learn about signing commits -
stgraber committed
Jan 5, 2018 Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
This commit was signed with a verified signature.stgraber Stéphane Graber
GPG key ID: C638974D64792D67 Learn about signing commits
-
Merge pull request #2067 from brauner/2018-01-03/allow_fully_unprivil…
hallyn committedJan 4, 2018 …eged_containers conf: write "deny" to /proc/[pid]/setgroups
This commit was created on GitHub.com and signed with a verified signature using GitHub’s key.GPG key ID: 4AEE18F83AFDEB23 Learn about signing commits -
Merge pull request #2068 from brauner/2018-01-03/cleanup_command_afte…
hallyn committedJan 4, 2018 …r_revert commands: fully revert set_running_config_item()
This commit was created on GitHub.com and signed with a verified signature using GitHub’s key.GPG key ID: 4AEE18F83AFDEB23 Learn about signing commits -
cgfsng: only establish mapping once
brauner committedJan 4, 2018 When we deleted cgroups for unprivileged containers we used to allocate a new mapping and clone a new user namespace each time we delete a cgroup. This of course meant - on a cgroup v1 system - doing this >= 10 times when all controllers were used. Let's not to do this and only allocate and establish a mapping once. Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
This commit was signed with a verified signature.brauner Christian Brauner
GPG key ID: 8EB056D53EECB12D Learn about signing commits -
brauner committed
Jan 4, 2018 Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
This commit was signed with a verified signature.brauner Christian Brauner
GPG key ID: 8EB056D53EECB12D Learn about signing commits -
brauner committed
Jan 4, 2018 Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
This commit was signed with a verified signature.brauner Christian Brauner
GPG key ID: 8EB056D53EECB12D Learn about signing commits -
conf: write "deny" to /proc/[pid]/setgroups
brauner committedJan 3, 2018 When fully unprivileged users run a container that only maps their own {g,u}id and they do not have access to setuid new{g,u}idmap binaries we will write the idmapping directly. This however requires us to write "deny" to /proc/[pid]/setgroups otherwise any write to /proc/[pid]/gid_map will be denied. On a sidenote, this patch enables fully unprivileged containers. If you now set lxc.net.[i].type = empty no privilege whatsoever is required to run a container. Enhances #2033. Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com> Cc: Felix Abecassis <fabecassis@nvidia.com> Cc: Jonathan Calmels <jcalmels@nvidia.com> Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>This commit was signed with a verified signature.brauner Christian Brauner
GPG key ID: 8EB056D53EECB12D Learn about signing commits -
Merge pull request #2069 from stgraber/master
brauner committedJan 4, 2018 gentoo: Add support for .xz tarballs
This commit was created on GitHub.com and signed with a verified signature using GitHub’s key.GPG key ID: 4AEE18F83AFDEB23 Learn about signing commits -
Merge pull request #2070 from hallyn/2018-01-03/staticlibcap
brauner committedJan 4, 2018 configure.ac: fix the check for static libcap
This commit was created on GitHub.com and signed with a verified signature using GitHub’s key.GPG key ID: 4AEE18F83AFDEB23 Learn about signing commits -
configure.ac: fix the check for static libcap
hallyn committedJan 4, 2018 The existing check doesn't work, because when you statically link a program against libc, any functions not called are not included. So cap_init() which we check for is not there in the built binary. So instead just check whether a "gcc -lcap -static" works. If libcap.a is not available it will fail, if it is it will succeed. Signed-off-by: Serge Hallyn <shallyn@cisco.com>
-
gentoo: Add support for .xz tarballs
stgraber committedJan 3, 2018 Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
This commit was signed with a verified signature.stgraber Stéphane Graber
GPG key ID: C638974D64792D67 Learn about signing commits -
commands: fully revert set_running_config_item()
brauner committedJan 3, 2018 The noop implementation is pointless. Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
This commit was signed with a verified signature.brauner Christian Brauner
GPG key ID: 8EB056D53EECB12D Learn about signing commits -
Merge pull request #2065 from brauner/2017-01-01/revert_set_running_c…
stgraber committedJan 3, 2018 …onfig_item lxccontainer: revert set_running_config_item()
This commit was created on GitHub.com and signed with a verified signature using GitHub’s key.GPG key ID: 4AEE18F83AFDEB23 Learn about signing commits -
Merge pull request #2066 from brauner/2017-01-02/support_no_root_mapp…
hallyn committedJan 3, 2018 …ings Support configurations without root mapping
This commit was created on GitHub.com and signed with a verified signature using GitHub’s key.GPG key ID: 4AEE18F83AFDEB23 Learn about signing commits
-
conf: detect if devpts can be mounted with gid=5
brauner committedJan 2, 2018 Closes #2033. Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
This commit was signed with a verified signature.brauner Christian Brauner
GPG key ID: 8EB056D53EECB12D Learn about signing commits -
brauner committed
Jan 2, 2018 If no id mapping for the container's root id is defined try to us the id mappings specified via lxc.init.{g,u}id. Closes #2033. Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>This commit was signed with a verified signature.brauner Christian Brauner
GPG key ID: 8EB056D53EECB12D Learn about signing commits -
conf{ile}: detect ns{g,u}id mapping for root
brauner committedJan 2, 2018 Closes #2033. Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
This commit was signed with a verified signature.brauner Christian Brauner
GPG key ID: 8EB056D53EECB12D Learn about signing commits -
brauner committed
Jan 2, 2018 Closes #2033. Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
This commit was signed with a verified signature.brauner Christian Brauner
GPG key ID: 8EB056D53EECB12D Learn about signing commits -
brauner committed
Jan 2, 2018 - mapped_hostid_entry() - idmap_add() Closes #2033. Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
This commit was signed with a verified signature.brauner Christian Brauner
GPG key ID: 8EB056D53EECB12D Learn about signing commits
-
lxccontainer: revert set_running_config_item()
brauner committedJan 1, 2018 - As discussed we will have a proper API extension that will allow updating various parts of a running container. The prior approach wasn't a good idea. - Revert this is not a problem since we haven't released any version with the set_running_config_item() API extension. - I'm not simply reverting so that master users can still call into new liblxc's without crashing the container. This is achieved by keeping the commands callback struct member number identical. Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
This commit was signed with a verified signature.brauner Christian Brauner
GPG key ID: 8EB056D53EECB12D Learn about signing commits
-
Merge pull request #2062 from brauner/2017-12-25/capture_output_of_sh…
hallyn committedDec 30, 2017 …ort_lived_init_process mainloop: capture output of short-lived init procs
This commit was created on GitHub.com and signed with a verified signature using GitHub’s key.GPG key ID: 4AEE18F83AFDEB23 Learn about signing commits -
mainloop: use epoll_create1(EPOLL_CLOEXEC)
brauner committedDec 26, 2017 Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
This commit was signed with a verified signature.brauner Christian Brauner
GPG key ID: 8EB056D53EECB12D Learn about signing commits -
console: do not allow non-pty devices on open()
brauner committedDec 26, 2017 We don't allow non-pty devices anyway so don't let open() create unneeded files. Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
This commit was signed with a verified signature.brauner Christian Brauner
GPG key ID: 8EB056D53EECB12D Learn about signing commits -
start: properly cleanup mainloop
brauner committedDec 26, 2017 Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
This commit was signed with a verified signature.brauner Christian Brauner
GPG key ID: 8EB056D53EECB12D Learn about signing commits -
Merge pull request #2063 from marcosps/lxcconfig_help
brauner committedDec 30, 2017 lxc_config: Add -h and --help flags handler
This commit was created on GitHub.com and signed with a verified signature using GitHub’s key.GPG key ID: 4AEE18F83AFDEB23 Learn about signing commits -
lxc_config: Add -h and --help flags handler
marcosps committedDec 30, 2017 As the other tools already handle, show usage message when -h or --help are used. Signed-off-by: Marcos Paulo de Souza <marcos.souza.org@gmail.com>
-
mainloop: capture output of short-lived init procs
brauner committedDec 25, 2017 The handler for the signal fd will detect when the init process of a container has exited and cause the mainloop to close. However, this can happen before the console handlers - or any other events for that matter - are handled. So in the case of init exiting we still need to allow for all buffered input to the console to be handled before exiting. This allows us to capture output from short-lived init processes. This is conceptually equivalent to my implementation of ExecReaderToChannel() https://github.com/lxc/lxd/blob/master/shared/util_linux.go#L527 Closes #1694. Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
This commit was signed with a verified signature.brauner Christian Brauner
GPG key ID: 8EB056D53EECB12D Learn about signing commits -
brauner committed
Dec 25, 2017 This makes it clearer why handlers return what value. Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
This commit was signed with a verified signature.brauner Christian Brauner
GPG key ID: 8EB056D53EECB12D Learn about signing commits
-
Merge pull request #2058 from brauner/2017-12-22/bugfixes
hallyn committedDec 22, 2017 start: fix death signal
This commit was created on GitHub.com and signed with a verified signature using GitHub’s key.GPG key ID: 4AEE18F83AFDEB23 Learn about signing commits -
start: handle setting death signal smarter
brauner committedDec 22, 2017 Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
This commit was signed with a verified signature.brauner Christian Brauner
GPG key ID: 8EB056D53EECB12D Learn about signing commits -
brauner committed
Dec 22, 2017 On set{g,u}id() the kernel does: /* dumpability changes */ if (!uid_eq(old->euid, new->euid) || !gid_eq(old->egid, new->egid) || !uid_eq(old->fsuid, new->fsuid) || !gid_eq(old->fsgid, new->fsgid) || !cred_cap_issubset(old, new)) { if (task->mm) set_dumpable(task->mm, suid_dumpable); task->pdeath_signal = 0; smp_wmb(); } which means we need to re-enable the deat signal after the set{g,u}id(). Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>This commit was signed with a verified signature.brauner Christian Brauner
GPG key ID: 8EB056D53EECB12D Learn about signing commits -
Merge pull request #2057 from brauner/2017-12-22/bugfixes
hallyn committedDec 22, 2017 start: simplify cgroup namespace preservation
This commit was created on GitHub.com and signed with a verified signature using GitHub’s key.GPG key ID: 4AEE18F83AFDEB23 Learn about signing commits -
start: simplify cgroup namespace preservation
brauner committedDec 22, 2017 Since we are now dumpable we can open /proc/<child-pid>/ns/cgroup so let's avoid the overhead of sending around fds. Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
This commit was signed with a verified signature.brauner Christian Brauner
GPG key ID: 8EB056D53EECB12D Learn about signing commits -
brauner committed
Dec 22, 2017 When set set{u,g}id() the kernel will make us undumpable. This is unnecessary since we can guarantee that whatever is running inside the child process at this point this is fully trusted by the parent. Making us dumpable let's users use debuggers on the child process before the exec as well and also allows us to open /proc/<child-pid> files in lieu of the child. Note, that we only need to perform the prctl(PR_SET_DUMPABLE, ...) if our effective uid on the host is not 0. If our effective uid on the host is 0 then we will keep all capabilities in the child user namespace across set{g,u}id(). Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>This commit was signed with a verified signature.brauner Christian Brauner
GPG key ID: 8EB056D53EECB12D Learn about signing commits