[lxc-devel] [PATCH 4/3] start: use lxc-user-nic if we are not root

Note this results in nics named things like 'lxcuser-0p'. We'll likely want to pass the requested name to lxc-user-nic, but let's do that in a separate patch. If we're not root, we can't create new network itnerfaces to pass into the container. Instead wait until the container is started, and

[lxc-devel] [PATCH] oracle template: restrict writeability in /proc and /sys

Note that since we don't drop CAP_SYS_ADMIN, root in the container can remount proc or sys however they want to, however this at least improves the default situation. Signed-off-by: Dwight Engen dwight.en...@oracle.com --- templates/lxc-oracle.in | 7 +-- 1 file changed, 1 insertion(+), 6

Re: [lxc-devel] [PATCH 2/3] fix chowning of tty and console uids

On Wed, Oct 23, 2013 at 01:02:58AM +, Serge Hallyn wrote: From: Serge Hallyn serge.hal...@ubuntu.com It needs to be done from the handler, not the container, since the container may not have the rights. Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com Acked-by: Stéphane Graber

Re: [lxc-devel] [PATCH 3/3] lxc-busybox: if in userns, don't try to mknod

On Wed, Oct 23, 2013 at 01:02:59AM +, Serge Hallyn wrote: From: Serge Hallyn serge.hal...@ubuntu.com Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com We really should be working on a shared set of functions all templates can source instead of re-inventing the wheel over and over again

Re: [lxc-devel] [PATCH 4/3] start: use lxc-user-nic if we are not root

On Wed, Oct 23, 2013 at 10:52:37AM -0500, Serge Hallyn wrote: Note this results in nics named things like 'lxcuser-0p'. We'll likely want to pass the requested name to lxc-user-nic, but let's do that in a separate patch. If we're not root, we can't create new network itnerfaces to pass

[lxc-devel] [lxc/lxc] 9d65a4: Fix segfault on lxc-create when no template specif...

Branch: refs/heads/master Home: https://github.com/lxc/lxc Commit: 9d65a4872917d4bed744aaddafc99046c588e7ae https://github.com/lxc/lxc/commit/9d65a4872917d4bed744aaddafc99046c588e7ae Author: KATOH Yasufumi ka...@jazz.email.ne.jp Date: 2013-10-23 (Wed, 23 Oct 2013) Changed

[lxc-devel] [lxc/lxc] a1e4c2: template: Fix the container configuration issue in...

Branch: refs/heads/master Home: https://github.com/lxc/lxc Commit: a1e4c206d5373b8ecd7906bff37f2601d65f022c https://github.com/lxc/lxc/commit/a1e4c206d5373b8ecd7906bff37f2601d65f022c Author: KATOH Yasufumi ka...@jazz.email.ne.jp Date: 2013-10-23 (Wed, 23 Oct 2013) Changed

[lxc-devel] [lxc/lxc] 09b152: doc: Update Japanese lxc-create(1) for default thi...

Branch: refs/heads/master Home: https://github.com/lxc/lxc Commit: 09b15218a42cb77adcc6033929e3188c53cdc574 https://github.com/lxc/lxc/commit/09b15218a42cb77adcc6033929e3188c53cdc574 Author: KATOH Yasufumi ka...@jazz.email.ne.jp Date: 2013-10-23 (Wed, 23 Oct 2013) Changed

[lxc-devel] [PATCH] lxc-debian: Add hwaddr handling logic

Signed-off-by: Stéphane Graber stgra...@ubuntu.com --- templates/lxc-debian.in | 7 +++ 1 file changed, 7 insertions(+) diff --git a/templates/lxc-debian.in b/templates/lxc-debian.in index 4dd4910..645fe8d 100644 --- a/templates/lxc-debian.in +++ b/templates/lxc-debian.in @@ -207,6 +207,13

Re: [lxc-devel] [PATCH] oracle template: restrict writeability in /proc and /sys

Quoting Dwight Engen (dwight.en...@oracle.com): Note that since we don't drop CAP_SYS_ADMIN, root in the container can remount proc or sys however they want to, however this at least improves the default situation. Signed-off-by: Dwight Engen dwight.en...@oracle.com Acked-by: Serge E.

[lxc-devel] [lxc/lxc] aea1cd: lxc-debian: Add hwaddr handling logic

Branch: refs/heads/master Home: https://github.com/lxc/lxc Commit: aea1cd3cb730117967c9671aa50f68d2b241c39e https://github.com/lxc/lxc/commit/aea1cd3cb730117967c9671aa50f68d2b241c39e Author: Stéphane Graber stgra...@ubuntu.com Date: 2013-10-23 (Wed, 23 Oct 2013) Changed

[lxc-devel] [lxc/lxc] 8f47bc: clang: Fix some simple issues

Branch: refs/heads/master Home: https://github.com/lxc/lxc Commit: 8f47bc3f318b84886e86fe3e71e37c9a9d3b79d8 https://github.com/lxc/lxc/commit/8f47bc3f318b84886e86fe3e71e37c9a9d3b79d8 Author: Stéphane Graber stgra...@ubuntu.com Date: 2013-10-23 (Wed, 23 Oct 2013) Changed

[lxc-devel] [PATCH] apparmor: cache the are-we-enabled decision

Since we check /sys/kernel/security/ files when deciding whether apparmor is enabled, and that might not be mounted in the container, we cannot re-make the decision at apparmor_process_label_set() time. Luckily we don't have to - just cache the decision made at lsm_apparmor_drv_init().

[lxc-devel] [PATCH] clang: Remaining changes

Those are a bit less obvious than those I pushed directly to master. All those changes were required to build LXC under clang here. With this, gcc can be replaced by clang to build LXC so long as you're not using the python3 binding (as python extensions can't be built under clang at the moment).

[lxc-devel] [lxc/lxc] 336623: oracle template: restrict writeability in /proc an...

Branch: refs/heads/master Home: https://github.com/lxc/lxc Commit: 33662399da0d6d29a2a49b36fe5394741e068ef0 https://github.com/lxc/lxc/commit/33662399da0d6d29a2a49b36fe5394741e068ef0 Author: Dwight Engen dwight.en...@oracle.com Date: 2013-10-23 (Wed, 23 Oct 2013) Changed

[lxc-devel] [lxc/lxc] 7e6966: apparmor: cache the are-we-enabled decision

Branch: refs/heads/master Home: https://github.com/lxc/lxc Commit: 7e6966e57264e993ee7856993cc5ee9ff31969a6 https://github.com/lxc/lxc/commit/7e6966e57264e993ee7856993cc5ee9ff31969a6 Author: Serge Hallyn serge.hal...@ubuntu.com Date: 2013-10-23 (Wed, 23 Oct 2013) Changed

Re: [lxc-devel] [PATCH] apparmor: cache the are-we-enabled decision

On Wed, Oct 23, 2013 at 08:54:13PM -0500, Serge Hallyn wrote: Since we check /sys/kernel/security/ files when deciding whether apparmor is enabled, and that might not be mounted in the container, we cannot re-make the decision at apparmor_process_label_set() time. Luckily we don't have to -

[lxc-devel] [lxc/lxc] 97c94a: Fix build failure on sparc

Branch: refs/heads/master Home: https://github.com/lxc/lxc Commit: 97c94afb5758366f5a49536c97e1dcd34c9760d9 https://github.com/lxc/lxc/commit/97c94afb5758366f5a49536c97e1dcd34c9760d9 Author: Stéphane Graber stgra...@ubuntu.com Date: 2013-10-23 (Wed, 23 Oct 2013) Changed

[lxc-devel] [PATCH] Use actual length of socket's name for abstract sockets (v2)

The addrlen parameter should be the actual length of socket's name for abstract sockets. Otherwise socket gets padded with NULLs. cat /proc/net/unix | grep lxc [...] : 0003 0001 03 226548

Re: [lxc-devel] [PATCH] clang: Remaining changes

Quoting Stéphane Graber (stgra...@ubuntu.com): Those are a bit less obvious than those I pushed directly to master. All those changes were required to build LXC under clang here. With this, gcc can be replaced by clang to build LXC so long as you're not using the python3 binding (as python

[lxc-devel] [PATCH] Eliminate duplicate entries from list_active_containers (v2)

list_active_containers parses /proc/net/unix which can contain multiple entries for the same container; : 0002 0001 0001 01 273672 @/var/lib/lxc/6/command : 0002 0001 0001 01 274395 @/var/lib/lxc/5/command :

Re: [lxc-devel] [PATCH] clang: Remaining changes

On Wed, Oct 23, 2013 at 11:04:58PM -0500, Serge Hallyn wrote: Quoting Stéphane Graber (stgra...@ubuntu.com): Those are a bit less obvious than those I pushed directly to master. All those changes were required to build LXC under clang here. With this, gcc can be replaced by clang to

[lxc-devel] [lxc/lxc] f371ac: clang: Remaining changes

Branch: refs/heads/master Home: https://github.com/lxc/lxc Commit: f371aca939bd8fab254de6f0a63d141f7550cf57 https://github.com/lxc/lxc/commit/f371aca939bd8fab254de6f0a63d141f7550cf57 Author: Stéphane Graber stgra...@ubuntu.com Date: 2013-10-23 (Wed, 23 Oct 2013) Changed