[lxc-devel] [PATCH] lxc-busybox: Remove warning for dynamically linked Busybox
The warning has been present since commit 32b37181ea (with no purpose stated). Support for dynamically linked Busybox has been added since commit bf6cc73696. Haven't encountered any issues with dynamically linked Busybox in my last 2 years' testing. Signed-off-by: Bogdan Purcareata <bogdan.purcare...@nxp.com> --- templates/lxc-busybox.in | 7 --- 1 file changed, 7 deletions(-) diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in index f547f9e..336fa12 100644 --- a/templates/lxc-busybox.in +++ b/templates/lxc-busybox.in @@ -304,13 +304,6 @@ configure_busybox() return 1 fi -file -L $(which busybox) | grep -q "statically linked" -if [ $? -ne 0 ]; then -echo "warning : busybox is not statically linked." -echo "warning : The template script may not correctly" -echo "warning : setup the container environment." -fi - # copy busybox in the rootfs cp $(which busybox) $rootfs/bin if [ $? -ne 0 ]; then -- 1.9.1 ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
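Review bot: the removed block was the only place the template told the user that the `cp $(which busybox) $rootfs/bin` which follows it copies a dynamically linked binary without its shared libraries; if the library handling the commit message attributes to bf6cc73696 lives elsewhere in the template, add a one-line comment above that cp pointing at it, so the next reader does not re-add the warning or wonder why the copy is considered sufficient.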
[lxc-devel] [PATCH v2] open_without_symlink: Don't SYSERROR on something else than ELOOP
The open_without_symlink routine has been specifically created to prevent mounts with symlinks as source or destination. Keep SYSERROR'ing in that particular scenario, but leave error handling to calling functions for the other ones - e.g. optional bind mount when the source dir doesn't exist throws a nasty error. Changes since v1: - maintain errno in safe_mount when opening the mount destination fails Signed-off-by: Bogdan Purcareata <bogdan.purcare...@nxp.com> --- src/lxc/utils.c | 7 --- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/lxc/utils.c b/src/lxc/utils.c index 6bee698..8e7ebbc 100644 --- a/src/lxc/utils.c +++ b/src/lxc/utils.c @@ -1621,8 +1621,6 @@ static int open_without_symlink(const char *target, const char *prefix_skip) errno = saved_errno; if (errno == ELOOP) SYSERROR("%s in %s was a symbolic link!", nextpath, target); - else - SYSERROR("Error examining %s in %s", nextpath, target); goto out; } } @@ -1667,8 +1665,11 @@ int safe_mount(const char *src, const char *dest, const char *fstype, destfd = open_without_symlink(dest, rootfs); if (destfd < 0) { - if (srcfd != -1) + if (srcfd != -1) { + saved_errno = errno; close(srcfd); + errno = saved_errno; + } return destfd; } -- 1.9.1 ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
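Review bot: in the open_without_symlink hunk, dropping the `else SYSERROR(...)` branch removes all logging for non-ELOOP failures (EACCES, ENOENT on a mandatory mount, and so on), not only for the optional-bind-mount case the commit message names; keep a lower-severity line such as `INFO("Error examining %s in %s", nextpath, target);` before the `goto out;` so failures that callers do treat as fatal still leave a trace, while errno stays intact for the caller.

Review bot: the safe_mount hunk depends on a `saved_errno` variable whose declaration is outside the shown context; it exists in the current function (the declaration `int srcfd = -1, destfd, ret, saved_errno;` is visible in the refactor patch further down this page), but that refactor removes it, so whichever of the two patches lands second needs to re-check this hunk still compiles. The same save-around-close treatment would also apply to the `ret > 50` snprintf path a few lines above, where `close(srcfd)` runs before the return, though that path returns a fixed -EINVAL rather than relying on errno.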
[lxc-devel] [PATCH] lxc-busybox: Touch /etc/fstab in the container rootfs
Signed-off-by: Bogdan Purcareata <bogdan.purcare...@nxp.com> --- templates/lxc-busybox.in | 3 +++ 1 file changed, 3 insertions(+) diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in index c020e66..f547f9e 100644 --- a/templates/lxc-busybox.in +++ b/templates/lxc-busybox.in @@ -330,6 +330,9 @@ configure_busybox() # relink /sbin/init ln $rootfs/bin/busybox $rootfs/sbin/init +# /etc/fstab must exist for "mount -a" +touch $rootfs/etc/fstab + # passwd exec must be setuid chmod +s $rootfs/bin/passwd touch $rootfs/etc/shadow -- 1.9.1 ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
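Review bot: `touch $rootfs/etc/fstab` ignores its exit status, unlike the `cp` calls in this function that test `$?`; if `$rootfs/etc` is missing the container is still reported as built and the failure only surfaces later as a confusing `mount -a` error. Suggest `touch $rootfs/etc/fstab || return 1`, or at minimum an echo on failure, so this step reports the way the copy steps do.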
[lxc-devel] [PATCH] open_without_symlink: Don't SYSERROR on something else than ELOOP
The open_without_symlink routine has been specifically created to prevent mounts with symlinks as source or destination. Keep SYSERROR'ing in that particular scenario, but leave error handling to calling functions for the other ones - e.g. optional bind mount when the source dir doesn't exist throws a nasty error. Signed-off-by: Bogdan Purcareata <bogdan.purcare...@nxp.com> --- src/lxc/utils.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/lxc/utils.c b/src/lxc/utils.c index 6bee698..2046704 100644 --- a/src/lxc/utils.c +++ b/src/lxc/utils.c @@ -1621,8 +1621,6 @@ static int open_without_symlink(const char *target, const char *prefix_skip) errno = saved_errno; if (errno == ELOOP) SYSERROR("%s in %s was a symbolic link!", nextpath, target); - else - SYSERROR("Error examining %s in %s", nextpath, target); goto out; } } -- 1.9.1 ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
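Review bot: after this hunk the caller's only information about a non-ELOOP failure is errno, so every path between the `goto out;` and the caller must leave it untouched; in safe_mount a `close(srcfd)` runs between the failed `open_without_symlink(dest, rootfs)` and `return destfd` (the v2 of this patch on this page adds the save/restore around that close, which this v1 lacks). The removed message should also be downgraded to an INFO-level line rather than vanish, so mandatory mounts that fail for reasons other than a symlink still show up in the log.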
[lxc-devel] [PATCH] mount_proc_if_needed: only safe mount when rootfs is defined
The safe_mount function was introduced in order to address CVE-2015-1335, one of the vulnerabilities being a mount with a symlink for the destination path. In scenarios such as lxc-execute with no rootfs, the destination path is the host /proc, which is previously mounted by the host, and is unmounted and mounted again in a new set of namespaces, therefore eliminating the need to check for it being a symlink. Mount the rootfs normally if the rootfs is NULL, keep the safe mount only for scenarios where a different rootfs is defined. Signed-off-by: Bogdan Purcareata <bogdan.purcare...@nxp.com> --- src/lxc/conf.c | 1 + src/lxc/utils.c | 10 +- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/src/lxc/conf.c b/src/lxc/conf.c index 632dde3..1e30c0c 100644 --- a/src/lxc/conf.c +++ b/src/lxc/conf.c @@ -3509,6 +3509,7 @@ int ttys_shift_ids(struct lxc_conf *c) return 0; } +/* NOTE: not to be called from inside the container namespace! */ int tmp_proc_mount(struct lxc_conf *lxc_conf) { int mounted; diff --git a/src/lxc/utils.c b/src/lxc/utils.c index ed8c4c4..e31228d 100644 --- a/src/lxc/utils.c +++ b/src/lxc/utils.c @@ -1704,6 +1704,8 @@ int safe_mount(const char *src, const char *dest, const char *fstype, * * Returns < 0 on failure, 0 if the correct proc was already mounted * and 1 if a new proc was mounted. + * + * NOTE: not to be called from inside the container namespace! */ int mount_proc_if_needed(const char *rootfs) { @@ -1737,8 +1739,14 @@ int mount_proc_if_needed(const char *rootfs) return 0; domount: - if (safe_mount("proc", path, "proc", 0, NULL, rootfs) < 0) + if (!strcmp(rootfs,"")) /* rootfs is NULL */ + ret = mount("proc", path, "proc", 0, NULL); + else + ret = safe_mount("proc", path, "proc", 0, NULL, rootfs); + + if (ret < 0) return -1; + INFO("Mounted /proc in container for security transition"); return 1; } -- 1.9.1 ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
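Review bot: in the mount_proc_if_needed hunk, `if (!strcmp(rootfs,""))` contradicts its own comment `/* rootfs is NULL */`: a NULL rootfs would crash inside strcmp, and an empty string is presumably what the caller actually passes, so either test `!rootfs || !*rootfs` or fix the comment. `ret` is assigned but not declared in the visible context; confirm it exists in the function. Bypassing safe_mount when there is no rootfs also drops the CVE-2015-1335 symlink check for `path` on the strength of the reasoning in the commit message (host /proc already mounted by the host, then unmounted and remounted in fresh namespaces); that reasoning belongs in a code comment at `domount:` as well, since the added `NOTE: not to be called from inside the container namespace!` comments are what future callers will actually read.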
Re: [lxc-devel] [PATCH v2] safe_mount: Handle mounting proc and refactor
On 14.01.2016 01:09, Serge Hallyn wrote: > Quoting Bogdan Purcareata (bogdan.purcare...@nxp.com): >> On 11.01.2016 20:59, Serge Hallyn wrote: >>> Quoting Bogdan Purcareata (bogdan.purcare...@nxp.com): >>>> The safe_mount primitive will mount the fs in the new container >>>> environment by using file descriptors referred in /proc/self/fd. >>>> However, when the mounted filesystem is proc itself, it will have >>>> been previously unmounted, therefore resulting in an error when >>>> searching for these file descriptors. This only happens when there's >>>> no container rootfs prefix (commonly with lxc-execute). >>>> >>>> Implement the support for this use case as well, by doing the mount >>>> based on the full path. >>>> >>>> Refactor the whole function in order to remove duplicated code checks >>>> and improve readability. >>>> >>>> Changes since v1: >>>> - In order to address CVE-2015-1335, still check if the destination is >>>> not a symlink. Do the mount only if the destination file descriptor >>>> exists. >>>> >>>> Signed-off-by: Bogdan Purcareata <bogdan.purcare...@nxp.com> >>>> --- >>>>src/lxc/utils.c | 49 - >>>>1 file changed, 28 insertions(+), 21 deletions(-) >>>> >>>> diff --git a/src/lxc/utils.c b/src/lxc/utils.c >>>> index d9e769d..c53711a 100644 >>>> --- a/src/lxc/utils.c >>>> +++ b/src/lxc/utils.c >>>> @@ -1644,9 +1644,9 @@ out: >>>>int safe_mount(const char *src, const char *dest, const char *fstype, >>>>unsigned long flags, const void *data, const char >>>> *rootfs) >>>>{ >>>> - int srcfd = -1, destfd, ret, saved_errno; >>>> + int srcfd = -1, destfd = -1, ret = 0; >>>>char srcbuf[50], destbuf[50]; // only needs enough for >>>> /proc/self/fd/ >>>> - const char *mntsrc = src; >>>> + const char *mntsrc = src, *mntdest = dest; >>>> >>>>if (!rootfs) >>>>rootfs = ""; 
>>>> @@ -1655,45 +1655,52 @@ int safe_mount(const char *src, const char *dest, >>>> const char *fstype, >>>>if (flags & MS_BIND && src && src[0] != '/') { >>>>INFO("this is a relative bind mount"); >>>>srcfd = open_without_symlink(src, NULL); >>>> - if (srcfd < 0) >>>> - return srcfd; >>>> + if (srcfd < 0) { >>>> + ret = srcfd; >>>> + goto out; >>>> + } >>>>ret = snprintf(srcbuf, 50, "/proc/self/fd/%d", srcfd); >>>>if (ret < 0 || ret > 50) { >>>> - close(srcfd); >>>>ERROR("Out of memory"); >>>> - return -EINVAL; >>>> + ret = -EINVAL; >>>> + goto out_src; >>>>} >>>>mntsrc = srcbuf; >>>>} >>>> >>>>destfd = open_without_symlink(dest, rootfs); >>>>if (destfd < 0) { >>>> - if (srcfd != -1) >>>> - close(srcfd); >>>> - return destfd; >>>> + ret = destfd; >>>> + goto out_src; >>>>} >>>> >>>>ret = snprintf(destbuf, 50, "/proc/self/fd/%d", destfd); >>>>if (ret < 0 || ret > 50) { >>>> - if (srcfd != -1) >>>> - close(srcfd); >>>> - close(destfd); >>>>ERROR("Out of memory"); >>>> - return -EINVAL; >>>> + ret = -EINVAL; >>>> + goto out_dest; >>>>} >>>> >>>> - ret = mount(mntsrc, destbuf, fstype, flags, data); >>>> - saved_errno = errno; >>>> - if (srcfd != -1) >>>> - close(srcfd); >>>> - close(destfd); >>>> + /* make sure the destination descriptor exists */ >>>> + if (access(destbuf, F_OK) == 0) >>&g
Re: [lxc-devel] [PATCH v2] safe_mount: Handle mounting proc and refactor
On 11.01.2016 20:59, Serge Hallyn wrote: > Quoting Bogdan Purcareata (bogdan.purcare...@nxp.com): >> The safe_mount primitive will mount the fs in the new container >> environment by using file descriptors referred in /proc/self/fd. >> However, when the mounted filesystem is proc itself, it will have >> been previously unmounted, therefore resulting in an error when >> searching for these file descriptors. This only happens when there's >> no container rootfs prefix (commonly with lxc-execute). >> >> Implement the support for this use case as well, by doing the mount >> based on the full path. >> >> Refactor the whole function in order to remove duplicated code checks >> and improve readability. >> >> Changes since v1: >> - In order to address CVE-2015-1335, still check if the destination is >> not a symlink. Do the mount only if the destination file descriptor >> exists. >> >> Signed-off-by: Bogdan Purcareata <bogdan.purcare...@nxp.com> >> --- >> src/lxc/utils.c | 49 - >> 1 file changed, 28 insertions(+), 21 deletions(-) >> >> diff --git a/src/lxc/utils.c b/src/lxc/utils.c >> index d9e769d..c53711a 100644 >> --- a/src/lxc/utils.c >> +++ b/src/lxc/utils.c >> @@ -1644,9 +1644,9 @@ out: >> int safe_mount(const char *src, const char *dest, const char *fstype, >> unsigned long flags, const void *data, const char *rootfs) >> { >> -int srcfd = -1, destfd, ret, saved_errno; >> +int srcfd = -1, destfd = -1, ret = 0; >> char srcbuf[50], destbuf[50]; // only needs enough for >> /proc/self/fd/ >> -const char *mntsrc = src; >> +const char *mntsrc = src, *mntdest = dest; >> >> if (!rootfs) >> rootfs = ""; 
>> @@ -1655,45 +1655,52 @@ int safe_mount(const char *src, const char *dest, >> const char *fstype, >> if (flags & MS_BIND && src && src[0] != '/') { >> INFO("this is a relative bind mount"); >> srcfd = open_without_symlink(src, NULL); >> -if (srcfd < 0) >> -return srcfd; >> +if (srcfd < 0) { >> +ret = srcfd; >> +goto out; >> +} >> ret = snprintf(srcbuf, 50, "/proc/self/fd/%d", srcfd); >> if (ret < 0 || ret > 50) { >> -close(srcfd); >> ERROR("Out of memory"); >> -return -EINVAL; >> +ret = -EINVAL; >> +goto out_src; >> } >> mntsrc = srcbuf; >> } >> >> destfd = open_without_symlink(dest, rootfs); >> if (destfd < 0) { >> -if (srcfd != -1) >> -close(srcfd); >> -return destfd; >> +ret = destfd; >> +goto out_src; >> } >> >> ret = snprintf(destbuf, 50, "/proc/self/fd/%d", destfd); >> if (ret < 0 || ret > 50) { >> -if (srcfd != -1) >> -close(srcfd); >> -close(destfd); >> ERROR("Out of memory"); >> -return -EINVAL; >> +ret = -EINVAL; >> +goto out_dest; >> } >> >> -ret = mount(mntsrc, destbuf, fstype, flags, data); >> -saved_errno = errno; >> -if (srcfd != -1) >> -close(srcfd); >> -close(destfd); >> +/* make sure the destination descriptor exists */ >> +if (access(destbuf, F_OK) == 0) >> +mntdest = destbuf; > First, if we're going to shortcut I'd prefer to say "if /proc/self > does not exist then skip this check" fo rnow. > But can we think of any way to still do this check? > > What exactly are the cases? > > 1. lxc-execute, lxc-init tries to mount /proc. We should be able > to simply have lxc always mount /proc before the pivot_root, so > we can properly do this check. > > what use-cases will break if we demand /proc to exist in the > container? (We can add an option to umount /proc in lxc-init, > but the directory would have to exist) That's my use case - the failing function is tmp_proc_mount, thus happening before pivot_root, and the scenario is running an application container with lxc-execute. 
This calls mount_proc_if_needed which is bound to fail, since it will first unmount /proc (because after
[lxc-devel] [PATCH v2] safe_mount: Handle mounting proc and refactor
The safe_mount primitive will mount the fs in the new container environment by using file descriptors referred in /proc/self/fd. However, when the mounted filesystem is proc itself, it will have been previously unmounted, therefore resulting in an error when searching for these file descriptors. This only happens when there's no container rootfs prefix (commonly with lxc-execute). Implement the support for this use case as well, by doing the mount based on the full path. Refactor the whole function in order to remove duplicated code checks and improve readability. Changes since v1: - In order to address CVE-2015-1335, still check if the destination is not a symlink. Do the mount only if the destination file descriptor exists. Signed-off-by: Bogdan Purcareata <bogdan.purcare...@nxp.com> --- src/lxc/utils.c | 49 - 1 file changed, 28 insertions(+), 21 deletions(-) diff --git a/src/lxc/utils.c b/src/lxc/utils.c index d9e769d..c53711a 100644 --- a/src/lxc/utils.c +++ b/src/lxc/utils.c @@ -1644,9 +1644,9 @@ out: int safe_mount(const char *src, const char *dest, const char *fstype, unsigned long flags, const void *data, const char *rootfs) { - int srcfd = -1, destfd, ret, saved_errno; + int srcfd = -1, destfd = -1, ret = 0; char srcbuf[50], destbuf[50]; // only needs enough for /proc/self/fd/ - const char *mntsrc = src; + const char *mntsrc = src, *mntdest = dest; if (!rootfs) rootfs = ""; 
@@ -1655,45 +1655,52 @@ int safe_mount(const char *src, const char *dest, const char *fstype, if (flags & MS_BIND && src && src[0] != '/') { INFO("this is a relative bind mount"); srcfd = open_without_symlink(src, NULL); - if (srcfd < 0) - return srcfd; + if (srcfd < 0) { + ret = srcfd; + goto out; + } ret = snprintf(srcbuf, 50, "/proc/self/fd/%d", srcfd); if (ret < 0 || ret > 50) { - close(srcfd); ERROR("Out of memory"); - return -EINVAL; + ret = -EINVAL; + goto out_src; } mntsrc = srcbuf; } destfd = open_without_symlink(dest, rootfs); if (destfd < 0) { - if (srcfd != -1) - close(srcfd); - return destfd; + ret = destfd; + goto out_src; } ret = snprintf(destbuf, 50, "/proc/self/fd/%d", destfd); if (ret < 0 || ret > 50) { - if (srcfd != -1) - close(srcfd); - close(destfd); ERROR("Out of memory"); - return -EINVAL; + ret = -EINVAL; + goto out_dest; } - ret = mount(mntsrc, destbuf, fstype, flags, data); - saved_errno = errno; - if (srcfd != -1) - close(srcfd); - close(destfd); + /* make sure the destination descriptor exists */ + if (access(destbuf, F_OK) == 0) + mntdest = destbuf; + + ret = mount(mntsrc, mntdest, fstype, flags, data); if (ret < 0) { - errno = saved_errno; SYSERROR("Failed to mount %s onto %s", src, dest); - return ret; + goto out_dest; } - return 0; + ret = 0; + +out_dest: + if (destfd > 0) + close(destfd); +out_src: + if (srcfd > 0) + close(srcfd); +out: + return ret; } /* -- 1.9.1 ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
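Review bot: the new cleanup labels test `if (destfd > 0) close(destfd);` and `if (srcfd > 0) close(srcfd);`, which leaks descriptor 0: when fd 0 is closed (normal for a daemonised process) open_without_symlink can legitimately return 0 and it is never released; the original `if (srcfd != -1)` was correct, so use `>= 0`. Separately, the `access(destbuf, F_OK) == 0` fallback mounts on `mntdest = dest`, the original path, whenever /proc/self/fd is unavailable, so the object open_without_symlink checked and the object the kernel mounts on are no longer the same one; a symlink swapped in between the two calls is not caught, which is exactly the window the fd-based mount was introduced to close for CVE-2015-1335. If proc can be guaranteed mounted before this point (the suggestion made in the thread above), the fallback is unnecessary; otherwise restrict it to the proc-with-empty-rootfs case rather than to any missing /proc/self/fd.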
[lxc-devel] [PATCH] safe_mount: Handle mounting proc and refactor
The safe_mount primitive will mount the fs in the new container environment by using file descriptors referred in /proc/self/fd. However, when the mounted filesystem is proc itself, it will have been previously unmounted, therefore resulting in an error when searching for these file descriptors. This only happens when there's no container rootfs prefix (commonly with lxc-execute). Implement the support for this use case as well, by doing the mount based on the full path. Refactor the whole function in order to remove duplicated code checks and improve readability. Signed-off-by: Bogdan Purcareata <bogdan.purcare...@nxp.com> --- src/lxc/utils.c | 53 - 1 file changed, 32 insertions(+), 21 deletions(-) diff --git a/src/lxc/utils.c b/src/lxc/utils.c index 8fa7e6b..f080a18 100644 --- a/src/lxc/utils.c +++ b/src/lxc/utils.c 
@@ -1638,56 +1638,67 @@ out: int safe_mount(const char *src, const char *dest, const char *fstype, unsigned long flags, const void *data, const char *rootfs) { - int srcfd = -1, destfd, ret, saved_errno; + int srcfd = -1, destfd = -1, ret = 0; char srcbuf[50], destbuf[50]; // only needs enough for /proc/self/fd/ - const char *mntsrc = src; + const char *mntsrc = src, *mntdest = dest; if (!rootfs) rootfs = ""; + /* in case we're mounting /proc w/o a rootfs path, it has previously been +* unmounted, therefore /proc/self/fd entries no longer exist */ + if (strlen(rootfs) == 0 && !strncmp(fstype, "proc", 4)) + goto do_mount; + /* todo - allow symlinks for relative paths if 'allowsymlinks' option is passed */ if (flags & MS_BIND && src && src[0] != '/') { INFO("this is a relative bind mount"); srcfd = open_without_symlink(src, NULL); - if (srcfd < 0) - return srcfd; + if (srcfd < 0) { + ret = srcfd; + goto out; + } ret = snprintf(srcbuf, 50, "/proc/self/fd/%d", srcfd); if (ret < 0 || ret > 50) { - close(srcfd); ERROR("Out of memory"); - return -EINVAL; + ret = -EINVAL; + goto out_src; } mntsrc = srcbuf; } destfd = open_without_symlink(dest, rootfs); if (destfd < 0) { - if (srcfd != -1) - close(srcfd); - return destfd; + ret = destfd; + goto out_src; } ret = snprintf(destbuf, 50, "/proc/self/fd/%d", destfd); if (ret < 0 || ret > 50) { - if (srcfd != -1) - close(srcfd); - close(destfd); ERROR("Out of memory"); - return -EINVAL; + ret = -EINVAL; + goto out_dest; } - ret = mount(mntsrc, destbuf, fstype, flags, data); - saved_errno = errno; - if (srcfd != -1) - close(srcfd); - close(destfd); + mntdest = destbuf; + +do_mount: + ret = mount(mntsrc, mntdest, fstype, flags, data); if (ret < 0) { - errno = saved_errno; SYSERROR("Failed to mount %s onto %s", src, dest); - return ret; + goto out_dest; } - return 0; + ret = 0; + +out_dest: + if (destfd > 0) + close(destfd); +out_src: + if (srcfd > 0) + close(srcfd); +out: + return ret; } /* -- 2.1.4 ___ lxc-devel mailing list 
lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
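Review bot: `!strncmp(fstype, "proc", 4)` in the early-exit test dereferences fstype, which is NULL for the bind mounts this function also serves (the `flags & MS_BIND` path just below); guard with `fstype &&`. The `goto do_mount` also skips open_without_symlink entirely for the proc-without-rootfs case, so that mount gets no symlink check at all; the v2 on this page narrows this to a runtime fallback, which is the safer shape. And the cleanup labels use `destfd > 0` / `srcfd > 0` where `>= 0` is needed, since 0 is a valid descriptor.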
[lxc-devel] [PATCH] open_without_symlink: Account when prefix is empty string
In the current implementation, the open_without_symlink function will default to opening the root mount only if the passed rootfs prefix is null. It doesn't account for the case where this prefix is passed as an empty string. Properly handle this second case as well. Signed-off-by: Bogdan Purcareata <bogdan.purcare...@nxp.com> --- src/lxc/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/lxc/utils.c b/src/lxc/utils.c index ad9b0a2..8fa7e6b 100644 --- a/src/lxc/utils.c +++ b/src/lxc/utils.c @@ -1570,7 +1570,7 @@ static int open_without_symlink(const char *target, const char *prefix_skip) fulllen = strlen(target); /* make sure prefix-skip makes sense */ - if (prefix_skip) { + if (prefix_skip && strlen(prefix_skip) > 0) { curlen = strlen(prefix_skip); if (!is_subdir(target, prefix_skip, curlen)) { ERROR("WHOA there - target '%s' didn't start with prefix '%s'", -- 2.1.4 ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
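Review bot: `prefix_skip && strlen(prefix_skip) > 0` is correct; `prefix_skip && *prefix_skip` says the same without walking the string. More useful than the style point is a comment at the call site: safe_mount already normalises a NULL rootfs to `""` (`if (!rootfs) rootfs = "";` in the refactor patch on this page), so this hunk is what keeps that normalisation from feeding an empty prefix into is_subdir and the `WHOA there` error; say so next to the test so the two stay in step.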
[lxc-devel] [PATCH] lxc_setup_fs: Create /dev/shm folder if it doesn't exist
When running application containers with lxc-execute, /dev is populated only with device entries. Since /dev is a tmpfs mount in the container environment, the /dev/shm folder not being present is not a sufficient reason for the /dev/shm mount to fail. Create the /dev/shm directory if not present. Signed-off-by: Bogdan Purcareata <bogdan.purcare...@nxp.com> --- src/lxc/initutils.c | 4 1 file changed, 4 insertions(+) diff --git a/src/lxc/initutils.c b/src/lxc/initutils.c index 45df60f..8d9016c 100644 --- a/src/lxc/initutils.c +++ b/src/lxc/initutils.c @@ -47,6 +47,10 @@ extern void lxc_setup_fs(void) if (mount_fs("proc", "/proc", "proc")) INFO("failed to remount proc"); + /* if /dev has been populated by us, /dev/shm does not exist */ + if (access("/dev/shm", F_OK) && mkdir("/dev/shm", 0777)) + INFO("failed to create /dev/shm"); + /* if we can't mount /dev/shm, continue anyway */ if (mount_fs("shmfs", "/dev/shm", "tmpfs")) INFO("failed to mount /dev/shm"); -- 2.1.4 ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
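Review bot: `mkdir("/dev/shm", 0777)` is subject to the umask, and the resulting mode only matters in the case the next lines explicitly tolerate, `mount_fs("shmfs", "/dev/shm", "tmpfs")` failing and execution continuing; the container is then left with a non-sticky, possibly non-writable /dev/shm rather than none at all. Either create it with `mkdir("/dev/shm", 01777)` followed by an explicit chmod to undo the umask, or make the INFO message state that the directory exists only as a mount point. Also confirm initutils.c includes <sys/stat.h> for mkdir; it is not in the hunk context.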
[lxc-devel] [PATCH] seccomp: add aarch64 support
Enable aarch64 seccomp support for LXC containers running on ARM64 architectures. Tested with libseccomp 2.2.0 and the default seccomp policy example files delivered with the LXC package. Signed-off-by: Bogdan Purcareata <bogdan.purcare...@freescale.com> --- src/lxc/seccomp.c | 16 1 file changed, 16 insertions(+) diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c index 6e61766..27f0ba9 100644 --- a/src/lxc/seccomp.c +++ b/src/lxc/seccomp.c @@ -120,6 +120,7 @@ enum lxc_hostarch_t { lxc_seccomp_arch_i386, lxc_seccomp_arch_amd64, lxc_seccomp_arch_arm, + lxc_seccomp_arch_arm64, lxc_seccomp_arch_ppc64, lxc_seccomp_arch_ppc64le, lxc_seccomp_arch_ppc, @@ -139,6 +140,8 @@ int get_hostarch(void) return lxc_seccomp_arch_amd64; else if (strncmp(uts.machine, "armv7", 5) == 0) return lxc_seccomp_arch_arm; + else if (strncmp(uts.machine, "aarch64", 7) == 0) + return lxc_seccomp_arch_arm64; else if (strncmp(uts.machine, "ppc64le", 7) == 0) return lxc_seccomp_arch_ppc64le; else if (strncmp(uts.machine, "ppc64", 5) == 0) @@ -158,6 +161,9 @@ scmp_filter_ctx get_new_ctx(enum lxc_hostarch_t n_arch, uint32_t default_policy_ case lxc_seccomp_arch_i386: arch = SCMP_ARCH_X86; break; case lxc_seccomp_arch_amd64: arch = SCMP_ARCH_X86_64; break; case lxc_seccomp_arch_arm: arch = SCMP_ARCH_ARM; break; +#ifdef SCMP_ARCH_AARCH64 + case lxc_seccomp_arch_arm64: arch = SCMP_ARCH_AARCH64; break; +#endif #ifdef SCMP_ARCH_PPC64LE case lxc_seccomp_arch_ppc64le: arch = SCMP_ARCH_PPC64LE; break; #endif 
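Review bot: `lxc_seccomp_arch_arm64` is added to the enum and returned by get_hostarch unconditionally, but the matching case in get_new_ctx exists only under `#ifdef SCMP_ARCH_AARCH64`; on an aarch64 host built against a libseccomp that lacks that define, get_new_ctx falls through to `default: return NULL;` and every policy load fails. Wrap the get_hostarch branch in the same `#ifdef SCMP_ARCH_AARCH64` so the two stay consistent, since the enum value is only meaningful when libseccomp can act on it.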
@@ -348,6 +354,16 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf) cur_rule_arch = lxc_seccomp_arch_arm; } #endif +#ifdef SCMP_ARCH_AARCH64 + else if (strcmp(line, "[arm64]") == 0 || + strcmp(line, "[ARM64]") == 0) { + if (native_arch != lxc_seccomp_arch_arm64) { + cur_rule_arch = lxc_seccomp_arch_unknown; + continue; + } + cur_rule_arch = lxc_seccomp_arch_arm64; + } +#endif #ifdef SCMP_ARCH_PPC64LE else if (strcmp(line, "[ppc64le]") == 0 || strcmp(line, "[PPC64LE]") == 0) { -- 1.9.1 ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
[lxc-devel] [PATCH v2 1/2] lxc-busybox: make some OpenSSH tools optional
Currently, when installing OpenSSH in a Busybox container, the template searches for all the OpenSSH client binaries available in the Debian distro package. The included tools might differ from distro to distro, so make part of the tools optional. The mandatory tools, without which installing OpenSSH fails, are sshd for the server and ssh and scp for the client. Signed-off-by: Bogdan Purcareata bogdan.purcare...@freescale.com --- templates/lxc-busybox.in | 9 + 1 file changed, 9 insertions(+) diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in index 95961a3..17a3006 100644 --- a/templates/lxc-busybox.in +++ b/templates/lxc-busybox.in @@ -197,6 +197,8 @@ install_openssh() client_utils=\ ssh \ scp \ + +client_optional_utils=\ sftp \ ssh-add \ ssh-agent \ @@ -230,6 +232,13 @@ $rootfs/var/run/sshd \ fi done +for bin in $client_optional_utils; do +tool_path=`which $bin` +if [ $? -eq 0 ]; then +cp $tool_path $rootfs/$tool_path +fi +done + # add user and group cat EOF $rootfs/etc/passwd sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin -- 2.1.4 ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
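Review bot: in the copy-loop hunk, `cp $tool_path $rootfs/$tool_path` is unchecked, so an optional tool that is found but fails to copy (missing parent directory under $rootfs, for instance) is silently absent from the container; keep it non-fatal but report it, e.g. `cp $tool_path $rootfs/$tool_path || echo warning: could not copy $tool_path`. In the first hunk, splitting the list after `scp \` leaves a line-continuation backslash immediately before the blank line that precedes `client_optional_utils=`; check the generated script still assigns only ssh and scp to `client_utils`.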
[lxc-devel] [PATCH v2 2/2] lxc-busybox: Prevent copying binaries from /usr/local to container
On certain systems, some binaries needed by the container features (dropbear, openssh), may be placed in non-standard (aka non-distribution-managed locations), such as /usr/local/*, /opt/local/*, etc. Don't copy the respective binaries in the container and return a clear error why. The user should only use these binaries if they are installed at system-wide locations on the host, such as /{s,}bin or /usr/{s,}bin. v2: - check that binary paths adhere to /{,usr/}{,s}bin only Signed-off-by: Bogdan Purcareata bogdan.purcare...@freescale.com --- templates/lxc-busybox.in | 43 --- 1 file changed, 28 insertions(+), 15 deletions(-) diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in index 17a3006..c020e66 100644 --- a/templates/lxc-busybox.in +++ b/templates/lxc-busybox.in @@ -38,6 +38,31 @@ am_in_userns() { in_userns=0 [ $(am_in_userns) = yes ] in_userns=1 +copy_binary() +{ +binary_path=`which $1` +if [ $? -ne 0 ]; then +echo Unable to find $1 binary on the system +return 1 +fi + +dir_path=${binary_path%/*} +echo /{,usr/}{,s}bin | grep $dir_path /dev/null 21 +if [ $? -ne 0 ]; then +echo Binary $1 is located at $binary_path and will not be copied +echo ($dir_path not supported) +return 1 +fi + +cp $binary_path $rootfs/$binary_path +if [ $? -ne 0 ]; then +echo Failed to copy $binary_path to rootfs +return 1 +fi + +return 0 +} + install_busybox() { rootfs=$1 @@ -164,11 +189,7 @@ EOF install_dropbear() { # copy dropbear binary -cp $(which dropbear) $rootfs/usr/sbin -if [ $? -ne 0 ]; then -echo Failed to copy dropbear in the rootfs -return 1 -fi +copy_binary dropbear || return 1 # make symlinks to various ssh utilities utils=\ 
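Review bot: `echo /{,usr/}{,s}bin | grep $dir_path` in copy_binary relies on brace expansion, a bash feature; if the template runs under a POSIX /bin/sh the echo emits the literal string and every binary, /bin/busybox included, is rejected as not supported. An exact, portable match also removes the substring looseness of grep (a $dir_path of /usr would match /usr/bin): `case "$dir_path" in /bin|/sbin|/usr/bin|/usr/sbin) ;; *) echo Binary $1 at $binary_path not copied; return 1 ;; esac`. The check should also be documented as an allowlist in a comment above the function, since that is the policy the commit message describes.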
@@ -224,19 +245,11 @@ $rootfs/var/run/sshd \ # copy binaries for bin in $server_utils $client_utils; do -tool_path=`which $bin` -cp $tool_path $rootfs/$tool_path -if [ $? -ne 0 ]; then -echo Unable to copy $tool_path in the rootfs -return 1 -fi +copy_binary $bin || return 1 done for bin in $client_optional_utils; do -tool_path=`which $bin` -if [ $? -eq 0 ]; then -cp $tool_path $rootfs/$tool_path -fi +tool_path=`which $bin` copy_binary $bin done # add user and group -- 2.1.4 ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
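Review bot: in the optional-tools loop, `tool_path=`which $bin` copy_binary $bin` is a leftover of the replaced code: the assignment is now only a per-command environment variable that copy_binary never reads, and a tool that is simply absent still runs copy_binary, which prints the Unable to find message and returns 1 into a loop that ignores it. Reduce the line to `copy_binary $bin` (non-fatal behaviour is preserved because the return value is not checked), or keep the `which` test so genuinely absent optional tools do not produce an error-looking message.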
[lxc-devel] [PATCH 2/2] lxc-busybox: Prevent copying binaries from /usr/local to container
On some systems, some binaries needed by the container features (dropbear, openssh), may be placed in /usr/local/* directories. Since semantically they are destined for the local machine only, and it can further imply the associated libraries are also available in /usr/local/lib* directories, prevent them from being copied in the container rootfs. The user should only use these binaries if they are installed at system-wide locations on the host, such as /{s,}bin or /usr/{s,}bin. Signed-off-by: Bogdan Purcareata bogdan.purcare...@freescale.com --- templates/lxc-busybox.in | 42 +++--- 1 file changed, 27 insertions(+), 15 deletions(-) diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in index 4f27bd8..6cd570a 100644 --- a/templates/lxc-busybox.in +++ b/templates/lxc-busybox.in @@ -38,6 +38,30 @@ am_in_userns() { in_userns=0 [ $(am_in_userns) = yes ] in_userns=1 +copy_binary() +{ +binary_path=`which $1` +if [ $? -ne 0 ]; then +echo Unable to find $1 binary on the system +return 1 +fi + +echo $binary_path | grep /usr/local /dev/null 21 +if [ $? -eq 0 ]; then +echo Binary $1 is located at $binary_path and will not be copied +echo (/usr/local path not supported) +return 1 +fi + +cp $binary_path $rootfs/$binary_path +if [ $? -ne 0 ]; then +echo Failed to copy $binary_path to rootfs +return 1 +fi + +return 0 +} + install_busybox() { rootfs=$1 @@ -172,11 +196,7 @@ EOF install_dropbear() { # copy dropbear binary -cp $(which dropbear) $rootfs/usr/sbin -if [ $? -ne 0 ]; then -echo Failed to copy dropbear in the rootfs -return 1 -fi +copy_binary dropbear || return 1 # make symlinks to various ssh utilities utils=\ 
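Review bot: matching `/usr/local` with grep in copy_binary is a denylist: a binary under /opt, /usr/lib/openssh or a home directory passes and is copied to a path the container rootfs does not have. The commit message's own statement of what is acceptable (/{s,}bin and /usr/{s,}bin) is the allowlist to check against, which the v2 of this patch on this page moves toward. If the denylist stays, anchor it as `grep ^/usr/local/` so an unrelated path containing that substring is not rejected.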
@@ -232,19 +252,11 @@ $rootfs/var/run/sshd \ # copy binaries for bin in $server_utils $client_utils; do -tool_path=`which $bin` -cp $tool_path $rootfs/$tool_path -if [ $? -ne 0 ]; then -echo Unable to copy $tool_path in the rootfs -return 1 -fi +copy_binary $bin || return 1 done for bin in $client_optional_utils; do -tool_path=`which $bin` -if [ $? -eq 0 ]; then -cp $tool_path $rootfs/$tool_path -fi +tool_path=`which $bin` copy_binary $bin done # add user and group -- 2.1.4 ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
[lxc-devel] [PATCH 1/2] lxc-busybox: make some OpenSSH tools optional
Currently, when installing OpenSSH in a Busybox container, the template searches for all the OpenSSH client binaries available in the Debian distro package. The included tools might differ from distro to distro, so make part of the tools optional. The mandatory tools, without which installing OpenSSH fails, are sshd for the server and ssh and scp for the client. Signed-off-by: Bogdan Purcareata bogdan.purcare...@freescale.com --- templates/lxc-busybox.in | 9 + 1 file changed, 9 insertions(+) diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in index 37ec837..4f27bd8 100644 --- a/templates/lxc-busybox.in +++ b/templates/lxc-busybox.in @@ -205,6 +205,8 @@ install_openssh() client_utils=\ ssh \ scp \ + +client_optional_utils=\ sftp \ ssh-add \ ssh-agent \ @@ -238,6 +240,13 @@ $rootfs/var/run/sshd \ fi done +for bin in $client_optional_utils; do +tool_path=`which $bin` +if [ $? -eq 0 ]; then +cp $tool_path $rootfs/$tool_path +fi +done + # add user and group cat EOF $rootfs/etc/passwd sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin -- 2.1.4 ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
[lxc-devel] [PATCH] lxc-busybox: make some OpenSSH tools optional
Currently, when installing OpenSSH in a Busybox container, the template searches for all the OpenSSH client binaries available in the Debian distro package. The included tools might differ from distro to distro, so make part of the tools optional. The mandatory tools, without which installing OpenSSH fails, are sshd for the server and ssh and scp for the client. Signed-off-by: Bogdan Purcareata bogdan.purcare...@freescale.com --- templates/lxc-busybox.in | 9 + 1 file changed, 9 insertions(+) diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in index 95961a3..17a3006 100644 --- a/templates/lxc-busybox.in +++ b/templates/lxc-busybox.in @@ -197,6 +197,8 @@ install_openssh() client_utils=\ ssh \ scp \ + +client_optional_utils=\ sftp \ ssh-add \ ssh-agent \ @@ -230,6 +232,13 @@ $rootfs/var/run/sshd \ fi done +for bin in $client_optional_utils; do +tool_path=`which $bin` +if [ $? -eq 0 ]; then +cp $tool_path $rootfs/$tool_path +fi +done + # add user and group cat EOF $rootfs/etc/passwd sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin -- 2.1.4 ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
[lxc-devel] [PATCH v2] seccomp: add ppc support
This patch enables seccomp support for LXC containers running on PowerPC architectures. It is based on the latest PowerPC support added to libseccomp, on the working-ppc64 branch [1]. Libseccomp has been tested on ppc, ppc64 and ppc64le architectures. LXC with seccomp support has been tested on ppc and ppc64 architectures, using the default seccomp policy example files delivered with the LXC package. [1] https://github.com/seccomp/libseccomp/commits/working-ppc64 v2: - add #ifdefs in get_new_ctx to fix builds on systems not having SCMP_ARCH_PPC* defined Signed-off-by: Bogdan Purcareata bogdan.purcare...@freescale.com --- src/lxc/seccomp.c | 48 1 file changed, 48 insertions(+) diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c index 3ba6c9a..108faa0 100644 --- a/src/lxc/seccomp.c +++ b/src/lxc/seccomp.c @@ -121,6 +121,9 @@ enum lxc_hostarch_t { lxc_seccomp_arch_i386, lxc_seccomp_arch_amd64, lxc_seccomp_arch_arm, + lxc_seccomp_arch_ppc64, + lxc_seccomp_arch_ppc64le, + lxc_seccomp_arch_ppc, lxc_seccomp_arch_unknown = 999, }; @@ -137,6 +140,12 @@ int get_hostarch(void) return lxc_seccomp_arch_amd64; else if (strncmp(uts.machine, armv7, 5) == 0) return lxc_seccomp_arch_arm; + else if (strncmp(uts.machine, ppc64le, 7) == 0) + return lxc_seccomp_arch_ppc64le; + else if (strncmp(uts.machine, ppc64, 5) == 0) + return lxc_seccomp_arch_ppc64; + else if (strncmp(uts.machine, ppc, 3) == 0) + return lxc_seccomp_arch_ppc; return lxc_seccomp_arch_unknown; } 
@@ -150,6 +159,15 @@ scmp_filter_ctx get_new_ctx(enum lxc_hostarch_t n_arch, uint32_t default_policy_ case lxc_seccomp_arch_i386: arch = SCMP_ARCH_X86; break; case lxc_seccomp_arch_amd64: arch = SCMP_ARCH_X86_64; break; case lxc_seccomp_arch_arm: arch = SCMP_ARCH_ARM; break; +#ifdef SCMP_ARCH_PPC64LE + case lxc_seccomp_arch_ppc64le: arch = SCMP_ARCH_PPC64LE; break; +#endif +#ifdef SCMP_ARCH_PPC64 + case lxc_seccomp_arch_ppc64: arch = SCMP_ARCH_PPC64; break; +#endif +#ifdef SCMP_ARCH_PPC + case lxc_seccomp_arch_ppc: arch = SCMP_ARCH_PPC; break; +#endif default: return NULL; } @@ -343,6 +361,36 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf) cur_rule_arch = lxc_seccomp_arch_arm; } #endif +#ifdef SCMP_ARCH_PPC64LE + else if (strcmp(line, [ppc64le]) == 0 || + strcmp(line, [PPC64LE]) == 0) { + if (native_arch != lxc_seccomp_arch_ppc64le) { + cur_rule_arch = lxc_seccomp_arch_unknown; + continue; + } + cur_rule_arch = lxc_seccomp_arch_ppc64le; + } +#endif +#ifdef SCMP_ARCH_PPC64 + else if (strcmp(line, [ppc64]) == 0 || + strcmp(line, [PPC64]) == 0) { + if (native_arch != lxc_seccomp_arch_ppc64) { + cur_rule_arch = lxc_seccomp_arch_unknown; + continue; + } + cur_rule_arch = lxc_seccomp_arch_ppc64; + } +#endif +#ifdef SCMP_ARCH_PPC + else if (strcmp(line, [ppc]) == 0 || + strcmp(line, [PPC]) == 0) { + if (native_arch != lxc_seccomp_arch_ppc) { + cur_rule_arch = lxc_seccomp_arch_unknown; + continue; + } + cur_rule_arch = lxc_seccomp_arch_ppc; + } +#endif else goto bad_arch; -- 2.1.4 ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
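Review bot: get_hostarch in the second hunk is not guarded by #ifdef SCMP_ARCH_PPC*, whereas the new cases in get_new_ctx are. On a ppc host built against a libseccomp that lacks the PPC constants, get_hostarch returns lxc_seccomp_arch_ppc and get_new_ctx falls into `default: return NULL`, the same outcome as lxc_seccomp_arch_unknown but with nothing logged to say why seccomp setup failed. Either guard the three strncmp branches the same way or add an ERROR in the default case naming the unsupported host architecture.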
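Review bot: in the parse_config_v2 hunk a [ppc] section is discarded unless the host itself is 32-bit ppc (`if (native_arch != lxc_seccomp_arch_ppc) { cur_rule_arch = lxc_seccomp_arch_unknown; continue; }`), and likewise [ppc64le] rules on a ppc64 host. That mirrors the arm branch above it, but it means a policy cannot filter 32-bit compat syscalls on a 64-bit ppc host; if that is intended for now, a comment saying the sections are native-arch only would keep the next reader from assuming the rules are applied.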
[lxc-devel] [PATCH] seccomp: add ppc support
This patch enables seccomp support for LXC containers running on PowerPC architectures. It is based on the latest PowerPC support added to libseccomp, on the working-ppc64 branch [1]. Libseccomp has been tested on ppc, ppc64 and ppc64le architectures. LXC with seccomp support has been tested on ppc and ppc64 architectures, using the default seccomp policy example files delivered with the LXC package. [1] https://github.com/seccomp/libseccomp/commits/working-ppc64 Signed-off-by: Bogdan Purcareata bogdan.purcare...@freescale.com --- src/lxc/seccomp.c | 42 ++ 1 file changed, 42 insertions(+) diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c index 3ba6c9a..0e2310f 100644 --- a/src/lxc/seccomp.c +++ b/src/lxc/seccomp.c @@ -121,6 +121,9 @@ enum lxc_hostarch_t { lxc_seccomp_arch_i386, lxc_seccomp_arch_amd64, lxc_seccomp_arch_arm, + lxc_seccomp_arch_ppc64, + lxc_seccomp_arch_ppc64le, + lxc_seccomp_arch_ppc, lxc_seccomp_arch_unknown = 999, }; @@ -137,6 +140,12 @@ int get_hostarch(void) return lxc_seccomp_arch_amd64; else if (strncmp(uts.machine, armv7, 5) == 0) return lxc_seccomp_arch_arm; + else if (strncmp(uts.machine, ppc64le, 7) == 0) + return lxc_seccomp_arch_ppc64le; + else if (strncmp(uts.machine, ppc64, 5) == 0) + return lxc_seccomp_arch_ppc64; + else if (strncmp(uts.machine, ppc, 3) == 0) + return lxc_seccomp_arch_ppc; return lxc_seccomp_arch_unknown; } @@ -150,6 +159,9 @@ scmp_filter_ctx get_new_ctx(enum lxc_hostarch_t n_arch, uint32_t default_policy_ case lxc_seccomp_arch_i386: arch = SCMP_ARCH_X86; break; case lxc_seccomp_arch_amd64: arch = SCMP_ARCH_X86_64; break; case lxc_seccomp_arch_arm: arch = SCMP_ARCH_ARM; break; + case lxc_seccomp_arch_ppc64le: arch = SCMP_ARCH_PPC64LE; break; + case lxc_seccomp_arch_ppc64: arch = SCMP_ARCH_PPC64; break; + case lxc_seccomp_arch_ppc: arch = SCMP_ARCH_PPC; break; default: return NULL; } 
@@ -343,6 +355,36 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf) cur_rule_arch = lxc_seccomp_arch_arm; } #endif +#ifdef SCMP_ARCH_PPC64LE + else if (strcmp(line, [ppc64le]) == 0 || + strcmp(line, [PPC64LE]) == 0) { + if (native_arch != lxc_seccomp_arch_ppc64le) { + cur_rule_arch = lxc_seccomp_arch_unknown; + continue; + } + cur_rule_arch = lxc_seccomp_arch_ppc64le; + } +#endif +#ifdef SCMP_ARCH_PPC64 + else if (strcmp(line, [ppc64]) == 0 || + strcmp(line, [PPC64]) == 0) { + if (native_arch != lxc_seccomp_arch_ppc64) { + cur_rule_arch = lxc_seccomp_arch_unknown; + continue; + } + cur_rule_arch = lxc_seccomp_arch_ppc64; + } +#endif +#ifdef SCMP_ARCH_PPC + else if (strcmp(line, [ppc]) == 0 || + strcmp(line, [PPC]) == 0) { + if (native_arch != lxc_seccomp_arch_ppc) { + cur_rule_arch = lxc_seccomp_arch_unknown; + continue; + } + cur_rule_arch = lxc_seccomp_arch_ppc; + } +#endif else goto bad_arch; -- 2.1.4 ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
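Review bot: the three new `case lxc_seccomp_arch_ppc*` lines in get_new_ctx use SCMP_ARCH_PPC64LE / SCMP_ARCH_PPC64 / SCMP_ARCH_PPC unconditionally, while the parse_config_v2 hunk below wraps the same constants in #ifdef. Against a libseccomp that does not define them (the commit message says the support lives on the working-ppc64 branch, not in a release) the build fails in get_new_ctx; guard these cases the same way as the parser.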
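Review bot: the order of the strncmp tests in get_hostarch matters and should be kept as written: "ppc" is a prefix of "ppc64", which is a prefix of "ppc64le", so the longest name has to be tested first or every ppc64le host would be classified as ppc. A short comment there would stop someone from "tidying" the branches into the enum order used in the first hunk (ppc64, ppc64le, ppc).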
[lxc-devel] [PATCH 3/3] lxc-busybox: use lxc.rebootsignal = SIGTERM
Otherwise lxc-stop -r has no effect on the container. Signed-off-by: Bogdan Purcareata bogdan.purcare...@freescale.com --- templates/lxc-busybox.in | 1 + 1 file changed, 1 insertion(+) diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in index 72531d6..7e05bd6 100644 --- a/templates/lxc-busybox.in +++ b/templates/lxc-busybox.in @@ -270,6 +270,7 @@ copy_configuration() grep -q ^lxc.rootfs $path/config 2/dev/null || echo lxc.rootfs = $rootfs $path/config cat EOF $path/config lxc.haltsignal = SIGUSR1 +lxc.rebootsignal = SIGTERM lxc.utsname = $name lxc.tty = 1 lxc.pts = 1 -- 2.1.4 ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
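Review bot: `lxc.rebootsignal = SIGTERM` is written unconditionally into the heredoc, so a container created by this template needs a liblxc that knows the lxc.rebootsignal key (patch 1/3 of this series); an older liblxc rejects the config at the unknown key and the container does not start. Worth a sentence in the commit message, since the template is often installed from a different package than the library.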
[lxc-devel] [PATCH 0/3] Add lxc.rebootsignal and apply to Busybox template
Following the model of lxc.haltsignal and lxc.stopsignal, implement a lxc.rebootsignal option for a customized reboot signal. Required for Busybox containers, since Busybox init expects SIGTERM to reboot the container [1]. Sending SIGINT to a running Busybox container has no effect. Sent against upstream master. [1] http://git.busybox.net/busybox/tree/init/init.c#n807 Bogdan Purcareata (3): add lxc.rebootsignal document lxc.rebootsignal lxc-busybox: use lxc.rebootsignal = SIGTERM doc/lxc-stop.sgml.in | 4 +- doc/lxc.container.conf.sgml.in | 106 + src/lxc/conf.h | 1 + src/lxc/confile.c | 14 ++ src/lxc/lxccontainer.c | 5 +- templates/lxc-busybox.in | 1 + 6 files changed, 87 insertions(+), 44 deletions(-) -- 2.1.4 ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
[lxc-devel] [PATCH 2/3] document lxc.rebootsignal
Also fix some minor indentation mishaps since we're here. Signed-off-by: Bogdan Purcareata bogdan.purcare...@freescale.com --- doc/lxc-stop.sgml.in | 4 +- doc/lxc.container.conf.sgml.in | 106 + 2 files changed, 67 insertions(+), 43 deletions(-) diff --git a/doc/lxc-stop.sgml.in b/doc/lxc-stop.sgml.in index bc5e6a8..3c69fed 100644 --- a/doc/lxc-stop.sgml.in +++ b/doc/lxc-stop.sgml.in @@ -70,7 +70,9 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA the container's init process, waiting up to 60 seconds for the container to exit, and then returning. If the container fails to cleanly exit in 60 seconds, it will be sent the commandlxc.stopsignal/command - (defaults to SIGKILL) to force it to shut down. + (defaults to SIGKILL) to force it to shut down. A request to reboot will + send the commandlxc.rebootsignal/command (defaults to SIGINT) to the + container's init process. /para para The optional-W/optional, optional-r/optional, diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in index 50c6a2a..aceeb1e 100644 --- a/doc/lxc.container.conf.sgml.in +++ b/doc/lxc.container.conf.sgml.in 
@@ -158,46 +158,68 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA refsect2 titleHalt signal/title para -Allows one to specify signal name or number, sent by lxc-stop to the -container's init process to cleanly shutdown the container. Different -init systems could use different signals to perform clean shutdown -sequence. This option allows the signal to be specified in kill(1) -fashion, e.g. SIGPWR, SIGRTMIN+14, SIGRTMAX-10 or plain number. The -default signal is SIGPWR. +Allows one to specify signal name or number, sent by lxc-stop to the +container's init process to cleanly shutdown the container. Different +init systems could use different signals to perform clean shutdown +sequence. This option allows the signal to be specified in kill(1) +fashion, e.g. SIGPWR, SIGRTMIN+14, SIGRTMAX-10 or plain number. The +default signal is SIGPWR. /para variablelist -varlistentry - term -optionlxc.haltsignal/option - /term - listitem -para - specify the signal used to halt the container -/para - /listitem -/varlistentry +varlistentry + term +optionlxc.haltsignal/option + /term + listitem +para + specify the signal used to halt the container +/para + /listitem +/varlistentry + /variablelist +/refsect2 + +refsect2 + titleReboot signal/title + para +Allows one to specify signal name or number, sent by lxc-stop to +reboot the container. This option allows signal to be specified in +kill(1) fashion, e.g. SIGTERM, SIGRTMIN+14, SIGRTMAX-10 or plain number. +The default signal is SIGINT. + /para + variablelist +varlistentry + term +optionlxc.rebootsignal/option + /term + listitem +para + specify the signal used to reboot the container +/para + /listitem +/varlistentry /variablelist /refsect2 refsect2 titleStop signal/title para -Allows one to specify signal name or number, sent by lxc-stop to forcibly -shutdown the container. This option allows signal to be specified in -kill(1) fashion, e.g. SIGKILL, SIGRTMIN+14, SIGRTMAX-10 or plain number. 
-The default signal is SIGKILL. - /para - variablelist -varlistentry - term -optionlxc.stopsignal/option - /term - listitem -para - specify the signal used to stop the container -/para - /listitem -/varlistentry +Allows one to specify signal name or number, sent by lxc-stop to forcibly +shutdown the container. This option allows signal to be specified in +kill(1) fashion, e.g. SIGKILL, SIGRTMIN+14, SIGRTMAX-10 or plain number. +The default signal is SIGKILL. + /para + variablelist +varlistentry + term +optionlxc.stopsignal/option + /term + listitem +para + specify the signal used to stop the container +/para + /listitem +/varlistentry /variablelist /refsect2 @@ -211,16 +233,16 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA Defaults to: /sbin/init /para variablelist -varlistentry - term -optionlxc.init_cmd/option - /term - listitem -para - Absolute path from container rootfs to the binary to use
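Review bot: the sentence added to lxc-stop.sgml.in says the reboot signal goes "to the container's init process", but the new Reboot signal section in lxc.container.conf.sgml.in only says "sent by lxc-stop to reboot the container". Use the same wording in both, as the Halt signal paragraph directly above it does, so it is clear the signal is delivered to PID 1 inside the container and not to the monitor.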
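Review bot: the re-indentation of the Halt signal, Stop signal and lxc.init_cmd blocks is mixed into the same hunks as the new Reboot signal section, so most of the 106 changed lines in lxc.container.conf.sgml.in are whitespace. Please split the indentation fix into its own patch (or at least mention it in the commit message) so the content change can be reviewed with `git diff -w`.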
[lxc-devel] [PATCH 1/2] busybox template: support for unprivileged containers
Apply the changes found in templates/lxc-download to the busybox template as well. Change ownership of the config and fstab files to the unprivileged user, and the ownership of the rootfs to root in the new user namespace. Eliminate the unsupported for userns flag. Signed-off-by: Bogdan Purcareata bogdan.purcare...@freescale.com --- templates/lxc-busybox.in | 36 ++-- 1 file changed, 26 insertions(+), 10 deletions(-) diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in index 246e743..ca2dd43 100644 --- a/templates/lxc-busybox.in +++ b/templates/lxc-busybox.in @@ -20,15 +20,8 @@ # License along with this library; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA -# Detect use under userns (unsupported) -for arg in $@; do -[ $arg = -- ] break -if [ $arg = --mapped-uid -o $arg = --mapped-gid ]; then -echo This template can't be used for unprivileged containers. 12 -echo You may want to try the \download\ template instead. 12 -exit 1 -fi -done +LXC_MAPPED_UID= +LXC_MAPPED_GID= # Make sure the usual locations are in PATH export PATH=$PATH:/usr/sbin:/usr/bin:/sbin:/bin @@ -310,6 +303,21 @@ EOF echo lxc.mount.auto = proc:mixed sys $path/config } +remap_userns() +{ +path=$1 + +if [ -n $LXC_MAPPED_UID ] [ $LXC_MAPPED_UID != -1 ]; then +chown $LXC_MAPPED_UID $path/config $path/fstab /dev/null 21 +chown -R root $path/rootfs /dev/null 21 +fi + +if [ -n $LXC_MAPPED_GID ] [ $LXC_MAPPED_GID != -1 ]; then +chgrp $LXC_MAPPED_GID $path/config $path/fstab /dev/null 21 +chgrp -R root $path/rootfs /dev/null 21 +fi +} + usage() { cat EOF @@ -318,7 +326,7 @@ EOF return 0 } -options=$(getopt -o hp:n: -l help,rootfs:,path:,name: -- $@) +options=$(getopt -o hp:n: -l help,rootfs:,path:,name:,mapped-uid:,mapped-gid: -- $@) if [ $? -ne 0 ]; then usage $(basename $0) exit 1 
@@ -332,6 +340,8 @@ do -p|--path) path=$2; shift 2;; --rootfs) rootfs=$2; shift 2;; -n|--name) name=$2; shift 2;; +--mapped-uid) LXC_MAPPED_UID=$2; shift 2;; +--mapped-gid) LXC_MAPPED_GID=$2; shift 2;; --) shift 1; break ;; *) break ;; esac @@ -374,3 +384,9 @@ if [ $? -ne 0 ]; then echo failed to write configuration file exit 1 fi + +remap_userns $path +if [ $? -ne 0 ]; then +echo failed to remap files to user +exit 1 +fi -- 1.9.rc1 ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
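Review bot: in remap_userns the exit status of the UID block is lost: a shell function returns the status of the last command it ran, so if `chown $LXC_MAPPED_UID $path/config $path/fstab` fails (for example because $path/fstab does not exist on this create) but the GID block succeeds, remap_userns returns 0 and the `failed to remap files to user` check added at the bottom never fires. Append `|| return 1` to each chown/chgrp, and only pass $path/fstab when `-f` says it exists, since patch 2/2 expects that file for unprivileged creates only.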
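Review bot: the getopt hunk adds --mapped-uid and --mapped-gid, but the usage() heredoc shown just above it is not updated; list the two new options there, since the removed loop was the only place the template used to say anything about user namespaces.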
[lxc-devel] [PATCH 0/2] busybox template: enable to use with unpriv containers
Since Busybox containers are built using components on the host system, there's no real need to rely on lxc-download to initialize a specific pre-built rootfs. There is no maintained Busybox rootfs anyway, and the present template requires minor tweaks to work with user namespaces as well. Complete the previously started support for user namespaces and eliminate the initial fail if in userns check. Also add an entry in the container config to do the corresponding bind-mounts for the tty devices. Bogdan Purcareata (2): busybox template: support for unprivileged containers busybox template: mount fstab when available templates/lxc-busybox.in | 40 ++-- 1 file changed, 30 insertions(+), 10 deletions(-) -- 1.9.rc1 ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
[lxc-devel] [PATCH 2/2] busybox template: mount fstab when available
When running unprivileged, lxc-create will touch a fstab file, with bind-mounts for the ttys and other devices. Add this entry in the container config. Signed-off-by: Bogdan Purcareata bogdan.purcare...@freescale.com --- templates/lxc-busybox.in | 4 1 file changed, 4 insertions(+) diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in index ca2dd43..ee54a7a 100644 --- a/templates/lxc-busybox.in +++ b/templates/lxc-busybox.in @@ -301,6 +301,10 @@ EOF done echo lxc.mount.entry = /sys/kernel/security sys/kernel/security none ro,bind,optional 0 0 $path/config echo lxc.mount.auto = proc:mixed sys $path/config + +if [ -f $path/fstab ]; then +echo lxc.mount = $path/fstab $path/config +fi } remap_userns() -- 1.9.rc1 ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
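Review bot: the `-f $path/fstab` test in the hunk only does what the commit message describes if lxc-create touches $path/fstab before it invokes the template; if the file is created afterwards the test is false and the tty bind mounts are silently left out of the config. Please state that ordering in the commit message or in a comment above the test, so a later change to lxc-create does not break it without anyone noticing.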
[lxc-devel] [PATCH] config_network_type: set macvlan default mode to private
If a default mode is not set, the container requires an explicit mode specified in the config file, otherwise creating the container fails. Signed-off-by: Bogdan Purcareata bogdan.purcare...@freescale.com --- src/lxc/confile.c | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/lxc/confile.c b/src/lxc/confile.c index d6cf151..90fb344 100644 --- a/src/lxc/confile.c +++ b/src/lxc/confile.c @@ -303,6 +303,8 @@ out: return ret; } +static int macvlan_mode(int *valuep, const char *value); + static int config_network_type(const char *key, const char *value, struct lxc_conf *lxc_conf) { @@ -337,8 +339,10 @@ static int config_network_type(const char *key, const char *value, if (!strcmp(value, veth)) netdev-type = LXC_NET_VETH; - else if (!strcmp(value, macvlan)) + else if (!strcmp(value, macvlan)) { netdev-type = LXC_NET_MACVLAN; + macvlan_mode(netdev-priv.macvlan_attr.mode, private); + } else if (!strcmp(value, vlan)) netdev-type = LXC_NET_VLAN; else if (!strcmp(value, phys)) -- 1.9.rc1 ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
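Review bot: the return value of `macvlan_mode(netdev-priv.macvlan_attr.mode, private)` is discarded, and the forward declaration added in the first hunk exists only so the call can be made before the function is defined. Moving macvlan_mode above config_network_type (or checking the return and jumping to the existing error path) would avoid the prototype. Defaulting to private is the right choice: it is the most restrictive macvlan mode, so containers sharing a parent interface cannot reach each other through it unless the config explicitly asks for bridge or vepa.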
[lxc-devel] [PATCH] network.c: Add missing LXC_NET_NONE option + refactor
Add LXC_NET_NONE to known lxc_network_types, so parsing a config file with lxc.network.type = none does not result in failure (e.g. doc/examples/lxc-no-netns.conf). Options have also been reordered to match the enum in conf.h. Signed-off-by: Bogdan Purcareata bogdan.purcare...@freescale.com --- src/lxc/network.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/lxc/network.c b/src/lxc/network.c index 090b9bd..a9900de 100644 --- a/src/lxc/network.c +++ b/src/lxc/network.c @@ -1202,11 +1202,12 @@ int lxc_bridge_attach(const char *bridge, const char *ifname) } static const char* const lxc_network_types[LXC_NET_MAXCONFTYPE + 1] = { + [LXC_NET_EMPTY] = empty, [LXC_NET_VETH]= veth, [LXC_NET_MACVLAN] = macvlan, - [LXC_NET_VLAN]= vlan, [LXC_NET_PHYS]= phys, - [LXC_NET_EMPTY] = empty, + [LXC_NET_VLAN]= vlan, + [LXC_NET_NONE]= none, }; const char *lxc_net_type_to_str(int type) -- 1.9.rc1 ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
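Review bot: the array is sized LXC_NET_MAXCONFTYPE + 1, so the new `[LXC_NET_NONE] = none` designator is only in bounds if LXC_NET_NONE is at most LXC_NET_MAXCONFTYPE in conf.h; an out-of-range designated initializer is something compilers may only warn about. Please confirm the enum value in the commit message. The reordering itself is harmless because the initializers are designated, not positional.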
[lxc-devel] [PATCH] lxc-busybox: follow symlinks when inspecting busybox binary
Signed-off-by: Bogdan Purcareata bogdan.purcare...@freescale.com --- templates/lxc-busybox.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in index e5a512a..246e743 100644 --- a/templates/lxc-busybox.in +++ b/templates/lxc-busybox.in @@ -187,7 +187,7 @@ configure_busybox() return 1 fi -file $(which busybox) | grep -q statically linked +file -L $(which busybox) | grep -q statically linked if [ $? -ne 0 ]; then echo warning : busybox is not statically linked. echo warning : The template script may not correctly -- 1.9.rc1 ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
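Review bot: adding -L makes the check follow the symlink, but `file -L $(which busybox) | grep -q statically linked` still depends on the exact wording file(1) prints, which changes between versions and magic databases. If the warning is meant to be reliable, test for a PT_INTERP program header instead (for example `readelf -l` and grep for INTERP), which does not depend on descriptive text; otherwise keep in mind the grep can fail for reasons other than a dynamic busybox.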
[lxc-devel] [PATCH] use susv3 head arguments
Without enabling INCLUDE_SUSv2 in busybox, we need to use head's -n argument, rather than -#. Signed-off-by: Christopher Larson kerg...@gmail.com --- src/lxc/lxc-checkconfig.in | 2 +- src/tests/lxc-test-ubuntu | 2 +- templates/lxc-alpine.in| 2 +- templates/lxc-oracle.in| 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/lxc/lxc-checkconfig.in b/src/lxc/lxc-checkconfig.in index b49e76e..5e35a81 100644 --- a/src/lxc/lxc-checkconfig.in +++ b/src/lxc/lxc-checkconfig.in @@ -77,7 +77,7 @@ print_cgroups() { awk '$1 !~ /#/ $3 == mp { print $2; } ; END { exit(0); } ' mp=$1 $2 ; } -CGROUP_MNT_PATH=`print_cgroups cgroup /proc/self/mounts | head -1` +CGROUP_MNT_PATH=`print_cgroups cgroup /proc/self/mounts | head -n 1` KVER_MAJOR=$($GREP '^# Linux' $CONFIG | \ sed -r 's/.* ([0-9])\.[0-9]{1,2}\.[0-9]{1,3}.*/\1/') if [ $KVER_MAJOR = 2 ]; then diff --git a/src/tests/lxc-test-ubuntu b/src/tests/lxc-test-ubuntu index be69eec..01eb056 100755 --- a/src/tests/lxc-test-ubuntu +++ b/src/tests/lxc-test-ubuntu @@ -59,7 +59,7 @@ for template in ubuntu ubuntu-cloud; do lxc-wait -n $name -s RUNNING || FAIL waiting for $template container to run for tries in `seq 1 20`; do - lxcip=$(lxc-info -i -n $name -H | head -1) + lxcip=$(lxc-info -i -n $name -H | head -n 1) [ -z $lxcip ] || break sleep 1 done diff --git a/templates/lxc-alpine.in b/templates/lxc-alpine.in index ec6b802..70da08d 100644 --- a/templates/lxc-alpine.in +++ b/templates/lxc-alpine.in @@ -189,7 +189,7 @@ EOF if [ $nics -eq 1 ] ! grep -q ^lxc.network.hwaddr $path/config; then # see http://sourceforge.net/tracker/?func=detailaid=3411497group_id=163076atid=826303 hwaddr=fe:$(dd if=/dev/urandom bs=8 count=1 2/dev/null |od -t x8 | \ - head -1 |awk '{print $2}' | cut -c1-10 |\ + head -n 1 |awk '{print $2}' | cut -c1-10 |\ sed 's/\(..\)/\1:/g; s/.$//') echo lxc.network.hwaddr = $hwaddr $path/config fi diff --git a/templates/lxc-oracle.in b/templates/lxc-oracle.in index 80c2df2..40fe5c0 100644 
--- a/templates/lxc-oracle.in +++ b/templates/lxc-oracle.in @@ -382,7 +382,7 @@ container_config_create() # generate a hwaddr for the container with a high mac address # see http://sourceforge.net/tracker/?func=detailaid=3411497group_id=163076atid=826303 local hwaddr=fe:`dd if=/dev/urandom bs=8 count=1 2/dev/null |od -t x8 | \ - head -1 |awk '{print $2}' | cut -c1-10 |\ + head -n 1 |awk '{print $2}' | cut -c1-10 |\ sed 's/\(..\)/\1:/g; s/.$//'` cat EOF $cfg_dir/config || die unable to create $cfg_dir/config # Container configuration for Oracle Linux $container_release_major.$container_release_minor -- 1.8.5.3 ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
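Review bot: the subject says "susv3" while the message refers to INCLUDE_SUSv2; POSIX (SUSv3) specifies only `head -n`, and `-NUMBER` is the obsolete form busybox hides behind INCLUDE_SUSv2, so the message would read better as "use the POSIX -n form". Only four call sites are fixed here; a `grep -rn 'head -[0-9]'` over templates/ and src/ before merging would catch any others.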
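Review bot: the hwaddr pipeline touched in lxc-alpine.in and lxc-oracle.in (`dd if=/dev/urandom ... | od -t x8 | head -n 1 | awk '{print $2}' | cut -c1-10 | sed ...`) is duplicated verbatim in both templates; since both are being edited anyway, a shared helper would keep the two from drifting apart the next time one of them is changed.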