The warning has been present since commit 32b37181ea (with no purpose stated).
Support for dynamically linked Busybox has been added since commit bf6cc73696.
Haven't encountered any issues with dynamically linked Busybox in my last
2 years' testing.
Signed-off-by: Bogdan Purcareata
throws a nasty error.
Changes since v1:
- maintain errno in safe_mount when opening the mount destination fails
Signed-off-by: Bogdan Purcareata <bogdan.purcare...@nxp.com>
---
src/lxc/utils.c | 7 ---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/lxc/utils.c b/src/lxc/u
Signed-off-by: Bogdan Purcareata <bogdan.purcare...@nxp.com>
---
templates/lxc-busybox.in | 3 +++
1 file changed, 3 insertions(+)
diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
index c020e66..f547f9e 100644
--- a/templates/lxc-busybox.in
+++ b/templates/lxc-busy
throws a nasty error.
Signed-off-by: Bogdan Purcareata <bogdan.purcare...@nxp.com>
---
src/lxc/utils.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/src/lxc/utils.c b/src/lxc/utils.c
index 6bee698..2046704 100644
--- a/src/lxc/utils.c
+++ b/src/lxc/utils.c
@@ -1621,8 +1621,6 @@ stat
, and is unmounted and mounted again in a new set of namespaces,
therefore eliminating the need to check for it being a symlink.
Mount the rootfs normally if the rootfs is NULL, keep the safe mount
only for scenarios where a different rootfs is defined.
Signed-off-by: Bogdan Purcareata <bogdan.purc
On 14.01.2016 01:09, Serge Hallyn wrote:
> Quoting Bogdan Purcareata (bogdan.purcare...@nxp.com):
>> On 11.01.2016 20:59, Serge Hallyn wrote:
>>> Quoting Bogdan Purcareata (bogdan.purcare...@nxp.com):
>>>> The safe_mount primitive will mount the fs in the new conta
On 11.01.2016 20:59, Serge Hallyn wrote:
> Quoting Bogdan Purcareata (bogdan.purcare...@nxp.com):
>> The safe_mount primitive will mount the fs in the new container
>> environment by using file descriptors referred in /proc/self/fd.
>> However, when the mounted file
:
- In order to address CVE-2015-1335, still check if the destination is
not a symlink. Do the mount only if the destination file descriptor
exists.
Signed-off-by: Bogdan Purcareata <bogdan.purcare...@nxp.com>
---
src/lxc/utils.c | 49 -
1 file chang
. This only happens when there's
no container rootfs prefix (commonly with lxc-execute).
Implement the support for this use case as well, by doing the mount
based on the full path.
Refactor the whole function in order to remove duplicated code checks
and improve readability.
Signed-off-by: Bogdan
In the current implementation, the open_without_symlink function
will default to opening the root mount only if the passed rootfs
prefix is null. It doesn't account for the case where this prefix
is passed as an empty string.
Properly handle this second case as well.
Signed-off-by: Bogdan
.
Signed-off-by: Bogdan Purcareata <bogdan.purcare...@nxp.com>
---
src/lxc/initutils.c | 4
1 file changed, 4 insertions(+)
diff --git a/src/lxc/initutils.c b/src/lxc/initutils.c
index 45df60f..8d9016c 100644
--- a/src/lxc/initutils.c
+++ b/src/lxc/initutils.c
@@ -47,6 +47,10 @@ exter
Enable aarch64 seccomp support for LXC containers running on ARM64
architectures. Tested with libseccomp 2.2.0 and the default seccomp
policy example files delivered with the LXC package.
Signed-off-by: Bogdan Purcareata <bogdan.purcare...@freescale.com>
---
src/lxc/seccomp.
OpenSSH fails, are
sshd for the server and ssh and scp for the client.
Signed-off-by: Bogdan Purcareata bogdan.purcare...@freescale.com
---
templates/lxc-busybox.in | 9 +
1 file changed, 9 insertions(+)
diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
index 95961a3..17a3006
should only use these binaries if they are installed at system-wide
locations on the host, such as /{s,}bin or /usr/{s,}bin.
v2:
- check that binary paths adhere to /{,usr/}{,s}bin only
Signed-off-by: Bogdan Purcareata bogdan.purcare...@freescale.com
---
templates/lxc-busybox.in | 43
, prevent them from
being copied in the container rootfs.
The user should only use these binaries if they are installed at system-wide
locations on the host, such as /{s,}bin or /usr/{s,}bin.
Signed-off-by: Bogdan Purcareata bogdan.purcare...@freescale.com
---
templates/lxc-busybox.in | 42
OpenSSH fails, are
sshd for the server and ssh and scp for the client.
Signed-off-by: Bogdan Purcareata bogdan.purcare...@freescale.com
---
templates/lxc-busybox.in | 9 +
1 file changed, 9 insertions(+)
diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
index 37ec837..4f27bd8
on ppc and ppc64 architectures, using the
default seccomp policy example files delivered with the LXC package.
[1] https://github.com/seccomp/libseccomp/commits/working-ppc64
v2:
- add #ifdefs in get_new_ctx to fix builds on systems not having SCMP_ARCH_PPC*
defined
Signed-off-by: Bogdan Purcareata
on ppc and ppc64 architectures, using the
default seccomp policy example files delivered with the LXC package.
[1] https://github.com/seccomp/libseccomp/commits/working-ppc64
Signed-off-by: Bogdan Purcareata bogdan.purcare...@freescale.com
---
src/lxc/seccomp.c | 42
Otherwise lxc-stop -r has no effect on the container.
Signed-off-by: Bogdan Purcareata bogdan.purcare...@freescale.com
---
templates/lxc-busybox.in | 1 +
1 file changed, 1 insertion(+)
diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
index 72531d6..7e05bd6 100644
upstream master.
[1] http://git.busybox.net/busybox/tree/init/init.c#n807
Bogdan Purcareata (3):
add lxc.rebootsignal
document lxc.rebootsignal
lxc-busybox: use lxc.rebootsignal = SIGTERM
doc/lxc-stop.sgml.in | 4 +-
doc/lxc.container.conf.sgml.in | 106
Also fix some minor indentation mishaps since we're here.
Signed-off-by: Bogdan Purcareata bogdan.purcare...@freescale.com
---
doc/lxc-stop.sgml.in | 4 +-
doc/lxc.container.conf.sgml.in | 106 +
2 files changed, 67 insertions(+), 43 deletions
Apply the changes found in templates/lxc-download to the busybox template as
well. Change ownership of the config and fstab files to the unprivileged user,
and the ownership of the rootfs to root in the new user namespace.
Eliminate the unsupported for userns flag.
Signed-off-by: Bogdan
.
Complete the previously started support for user namespaces and eliminate the
initial fail if in userns check. Also add an entry in the container config to
do the corresponding bind-mounts for the tty devices.
Bogdan Purcareata (2):
busybox template: support for unprivileged containers
busybox
When running unprivileged, lxc-create will touch a fstab file, with bind-mounts
for the ttys and other devices. Add this entry in the container config.
Signed-off-by: Bogdan Purcareata bogdan.purcare...@freescale.com
---
templates/lxc-busybox.in | 4
1 file changed, 4 insertions(+)
diff
If a default mode is not set, the container requires an explicit
mode specified in the config file, otherwise creating the
container fails.
Signed-off-by: Bogdan Purcareata bogdan.purcare...@freescale.com
---
src/lxc/confile.c | 6 +-
1 file changed, 5 insertions(+), 1 deletion(-)
diff
Add LXC_NET_NONE to known lxc_network_types, so parsing a config
file with lxc.network.type = none does not result in failure
(e.g. doc/examples/lxc-no-netns.conf). Options have also been
reordered to match the enum in conf.h.
Signed-off-by: Bogdan Purcareata bogdan.purcare...@freescale.com
Signed-off-by: Bogdan Purcareata bogdan.purcare...@freescale.com
---
templates/lxc-busybox.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
index e5a512a..246e743 100644
--- a/templates/lxc-busybox.in
+++ b/templates/lxc
Without enabling INCLUDE_SUSv2 in busybox, we need to use head's -n argument,
rather than -#.
Signed-off-by: Christopher Larson kerg...@gmail.com
---
src/lxc/lxc-checkconfig.in | 2 +-
src/tests/lxc-test-ubuntu  | 2 +-
templates/lxc-alpine.in    | 2 +-
templates/lxc-oracle.in    | 2 +-
4