1. When we stop a container from the lxc_cmd stop handler, we kill its
init task, then we unfreeze the container to make sure it receives the
signal. When that unfreeze succeeds, we were immediately returning 0,
without sending a response to the invoker.
2. lxc_cmd returns the length of the field received. In the case of
an lxc_cmd_stop this is 16. But a comment claims we expect no response,
only a 0. In fact the handler does send a response, which may or may
not include an error. So don't call an error just because we got back a
response.
Serge Hallyn [Wed, 18 Mar 2015 00:02:18 +0000 (19:02 -0500)]
cgmanager: put unprivileged containers under $(curcgroup)/lxc/$(container0
Currently if we are in /user.slice/user-1000.slice/session-c2.scope,
and we start an unprivileged container t1, it will be in cgroup
3:memory:/user.slice/user-1000.slice/session-c2.scope/t1. If
we then do a 'lxc-cgroup -n t1 freezer.tasks', cgm_get will
first switch to 3:memory:/user.slice/user-1000.slice/session-c2.scope
then look up 't1's values. The reasons for this are
1. cgmanager get_value is relative to your own cgroup, so we need
to be sure to be in t1's cgroup or an ancestor
2. we don't want to be in the container's cgroup bc it might freeze us.
But in Ubuntu 15.04 it was decided that
3:memory:/user.slice/user-1000.slice/session-c2.scope/tasks should
not be writeable by the user, making this fail.
Therefore put all unprivileged cgroups under "lxc/%n". That way
the "lxc" cgroup should always be owned by the user so that he can
enter.
This patch enables seccomp support for LXC containers running on PowerPC
architectures. It is based on the latest PowerPC support added to libseccomp, on
the working-ppc64 branch [1].
Libseccomp has been tested on ppc, ppc64 and ppc64le architectures. LXC with
seccomp support has been tested on ppc and ppc64 architectures, using the
default seccomp policy example files delivered with the LXC package.
CVE-2015-1334: Don't use the container's /proc during attach
A user could otherwise over-mount /proc and prevent the apparmor profile
or selinux label from being written which combined with a modified
/bin/sh or other commonly used binary would lead to unconfined code
execution.
Reported-by: Roman Fiedler Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Stéphane Graber [Mon, 2 Feb 2015 09:21:20 +0000 (11:21 +0200)]
In lxc.mount.auto, skip on ENONENT
This resolves the case where /proc/sysrq-trigger doesn't exist by simply
ignoring any mount failure on ENOENT. With the current mount list, this
will always result in a safe environment (typically the read-only
underlay).
Closes #425
v2: Don't always show an error
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Serge Hallyn [Thu, 29 Jan 2015 16:09:45 +0000 (16:09 +0000)]
clone_paths: use 'rootfs' for destination directory
We were trying to be smart and use whatever the last part of
the container's rootfs path was. However for block devices
that doesn't make much sense. I.e. if lxc.rootfs = /dev/md-1,
chances are that /var/lib/lxc/c1/md-1 does not exist.
So always use the $lxcpath/$lxcname/rootfs, and if it does
not exist, try to create it.
With this, 'lxc-clone -s -o c1 -n c2' where c1 has an lvm backend
is fixed. See https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1414771
Serge Hallyn [Tue, 27 Jan 2015 09:29:17 +0000 (10:29 +0100)]
fix busybox unpriv
1. tty5 is not needed
2. the devices should be optional in case they didn't exist in the
host / parent-container
3. switch from 'touch $rootfs/dev/$dev' to using create=file in the
mount entry.
Patrick O'Leary [Wed, 17 Dec 2014 01:47:21 +0000 (19:47 -0600)]
replace deprecated `index` with `strchr`
The `index` libc function was removed in POSIX 2008, and `strchr` is a direct
replacement. The bionic (Android) libc has removed `index` when you are
compiling for a 64-bit architecture, such as AArch64.
Signed-off-by: Patrick O'Leary <patrick.oleary@gmail.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Michael Adam [Mon, 19 Jan 2015 21:50:58 +0000 (22:50 +0100)]
add "--mask-tmp" to lxc-fedora, plus some template script fixes]
Hi Michael,
do you have any concerns with the attached patch to
the fedora template that adds an option --mask-tmp
that prevents fedora/systemd from over-mounting
/tmp with tmpfs, which is useful in some cases?
Thanks - Michael
----- Forwarded message from Michael Adam <obnox@samba.org> -----
Date: Sat, 10 Jan 2015 13:12:06 +0100
From: Michael Adam <obnox@samba.org>
To: LXC development mailing-list <lxc-devel@lists.linuxcontainers.org>
Subject: Re: [lxc-devel] [PATCHES] add "--mask-tmp" to lxc-fedora, plus some
template script fixes
User-Agent: Mutt/1.5.23 (2014-03-12)
On 2015-01-10 at 13:08 +0100, Michael Adam wrote:
> On 2015-01-10 at 04:05 +0000, Serge Hallyn wrote:
>
> > The less controversial one is adding mask-tmp to the fedora template.
> > It looks fine to me, but that should go separately to mwarfield, our
> > fedora template maintainer :)
>
> I had notified mhw of my patches on irc, but apparently he is
> currently very busy.
>
> For a start, following is an update of the uncontroversial fix
> patches, i.e. the fix patche without the path ones, and without
> the mask-tmp patch.
And here comes the mask-tmp patch.
It needs to be applied onto the previous fix-patchset.
From 9589dca113535ed2f4faad89db2fab33bb8a9d7e Mon Sep 17 00:00:00 2001
From: Michael Adam <obnox@samba.org>
Date: Thu, 8 Jan 2015 10:25:24 +0100
Subject: [PATCH] lxc-fedora: add a new option --mask-tmp
This will configure the container to prevent the standard
behaviour of over-mounting /tmp with tmpfs, which can be
undesirable in some cases.
My personal use case is vagrant-lxc in combination with
vagrant-cachier.
Signed-off-by: Michael Adam <obnox@samba.org> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Axel Neumann [Tue, 13 Jan 2015 09:48:52 +0000 (10:48 +0100)]
Fix instantiation of multiple vlan interfaces with same id
Container fail to start with configs (as shown below) where the same
vlan id is used for several type=vlan container interfaces.
Then, during the instantiation of the vlan interfaces, an error occurs
because the lxc code tries to assign the same temporary name to both
of them before it is bound into the container.
Serge Hallyn [Fri, 9 Jan 2015 22:00:28 +0000 (22:00 +0000)]
Fix reversed args in mount call
Riya Khanna reported that with a ramfs rootfs the mount to make
/ rprivate was returning -EFAULT. NULL was being passed as the
mount target. Pass "/" instead.
Martin Pitt [Thu, 8 Jan 2015 12:09:37 +0000 (13:09 +0100)]
apparmor: Fix slave bind mounts
The permission to make a mount "slave" is spelt "make-slave", not "slave", see
https://launchpad.net/bugs/1401619. Also, we need to make all mounts slave, not
just the root dir.
Serge Hallyn [Fri, 19 Dec 2014 18:23:52 +0000 (18:23 +0000)]
Enable seccomp by default for unprivileged users.
In contrast to what the comment above the line disabling it said,
it seems to work just fine. It also is needed on current kernels
(until Eric's patch hits upstream) to prevent unprivileged containers
from hosing fuse filesystems they inherit.
Serge Hallyn [Fri, 19 Dec 2014 18:22:55 +0000 (18:22 +0000)]
seccomp: add rule to reject umount -f
If a container has a bind mount from a host nfs or fuse
filesystem, and does 'umount -f', it will disconnect the
host's filesystem. This patch adds a seccomp rule to
block umount -f from a container. It also adds that rule
to the default seccomp profile.
Shuai Zhang [Sun, 30 Nov 2014 13:03:37 +0000 (21:03 +0800)]
audit: added capacity and reserve() to nlmsg
There are now two (permitted) ways to add data to netlink message:
1. put_xxx()
2. call nlmsg_reserve() to get a pointer to newly reserved room within the
original netlink message, then write or memcpy data to that area.
Both of them guarantee adding requested length data do not overflow the
pre-allocated message buffer by checking against its cap field first.
And there may be no need to access nlmsg_len outside nl module, because both
put_xxx() and nlmsg_reserve() have alread did that for us.
KATOH Yasufumi [Wed, 5 Nov 2014 07:03:34 +0000 (16:03 +0900)]
Fix clone issues
This commit fixes two issues at the time of clone:
* unnecessary directory is created when clone between overlayfs/aufs
* clone failed when the end of rootfs path is not "/rootfs"
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
KATOH Yasufumi [Thu, 30 Oct 2014 11:31:20 +0000 (20:31 +0900)]
overlayfs: overlayfs.v22 or higher needs workdir option
This patch creates workdir as "olwork", and retry mount with workdir
option when mount is failed.
It is used to prepare files before atomically swithing with
destination, and needs to be on the same filesystem as upperdir. It's
OK for it to be empty.
Serge Hallyn [Thu, 16 Oct 2014 15:10:21 +0000 (15:10 +0000)]
overlay and aufs clone_paths: be more robust
Currently when we clone a container, bdev_copy passes NULL as dst argument
of bdev_init, then sees bdev->dest (as a result) is NULL, and sets
bdev->dest to $lxcpath/$name/rootfs. so $ops->clone_paths() can
assume that "/rootfs" is at the end of the path. The overlayfs and
aufs clonepaths do assume that and index to endofstring-6 and append
delta0. Let's be more robust by actually finding the last / in
the path.
Then, instead of always setting oldbdev->dest to $lxcpath/$name/rootfs,
set it to oldbdev->src. Else dir_clonepaths fails when mounting src
onto dest bc dest does not exist. We could also fix that by creating
bdev->dest if needed, but that addes an empty directory to the old
container.
This fixes 'lxc-clone -o x1 -n x2' if x1 has lxc.rootfs = /var/lib/lxc/x1/x
and makes the overlayfs and aufs paths less fragile should something else
change.
Cameron Norman [Mon, 1 Dec 2014 21:29:26 +0000 (13:29 -0800)]
lxc-debian: adjust init system configurations
Do as much as possible to allow containers switching from non-systemd to
systemd to work as intended (but nothing that will cause side effects).
Use update-rc.d disable instead of remove so the init scripts are not
re-enabled when the package is updated
Signed-off-by: Cameron Norman <camerontnorman@gmail.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Antonio Terceiro [Mon, 24 Nov 2014 01:51:06 +0000 (23:51 -0200)]
lxc-debian: support systemd as PID 1
Containers with systemd need a somewhat special setup, which I borrowed
and adapted from lxc-fedora. These changes are required so that Debian 8
(jessie) containers work properly, and are a no-op for previous Debian
versions.
Signed-off-by: Antonio Terceiro <terceiro@debian.org> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Gu1 [Tue, 28 Oct 2014 01:14:28 +0000 (02:14 +0100)]
lxc-debian: Fix default mirrors
Fix a typo in the lines inserted in the default sources.list.
Change the default mirror to http.debian.net which is (supposedly) more
accurate and better than cdn.debian.net for a generic configuration.
Use security.debian.org directly for the {release}/updates repository.
Abin Shahab [Wed, 12 Nov 2014 00:06:52 +0000 (00:06 +0000)]
Remounts bind mounts if read-only flag is provided
Bind mounts do not honor filesystem mount options. This change will
remount filesystems that are bind mounted if there are changes to
filesystem mount options, specifically if the mount is readonly.
Signed-off-by: Abin Shahab <ashahab@altiscale.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
projects / thirdparty / lxc.git / log
