On Mon, Jul 22, 2013 at 02:09:19PM -0500, Serge Hallyn wrote:
> If we are euid==0 or XDG_RUNTIME_DIR is not set, then use
> /run/lock/lxc/$lxcpath/$lxcname as before. Otherwise,
> use $XDG_RUNTIME_DIR/lock/lxc/$lxcpath/$lxcname.
>
> Signed-off-by: Serge Hallyn
> Cc: Stéphane Graber
Acked-by: S
On Mon, Jul 22, 2013 at 11:59:18PM -0500, Serge Hallyn wrote:
> Signed-off-by: Serge Hallyn
Acked-by: Stéphane Graber
> ---
> src/lxc/cgroup.c | 15 +++
> 1 file changed, 11 insertions(+), 4 deletions(-)
>
> diff --git a/src/lxc/cgroup.c b/src/lxc/cgroup.c
> index c707519..a61d210
On Mon, Jul 22, 2013 at 03:23:58PM -0500, Serge Hallyn wrote:
> It uses the newuidmap and newgidmap program to start a shell in
> a mapped user namespace. While newuidmap and newgidmap are
> setuid-root, lxc-usernsexec is not.
>
> If new{ug}idmap are not available, then this program is not
> buil
On Mon, Jul 22, 2013 at 10:07:29AM -0500, Serge Hallyn wrote:
> Quoting Stéphane Graber (stgra...@ubuntu.com):
> > On Fri, Jul 19, 2013 at 02:26:47PM +, Serge Hallyn wrote:
> > > With this patchset, I am able to create and start an ubuntu-cloud
> > > container completely as an unprivileged user
On Mon, Jul 22, 2013 at 10:15:17AM -0500, Serge Hallyn wrote:
> Thanks for the review, Stéphane.
>
> So the next thing I was wanting to do (beside fixing lxc-destroy and
> having the ubuntu-cloud template properly handle cached images and
> locking in custom lxcpaths for unprivileged users) was th
On Mon, Jul 22, 2013 at 10:02:46AM -0500, Serge Hallyn wrote:
> Quoting Stéphane Graber (stgra...@ubuntu.com):
> > On Fri, Jul 19, 2013 at 02:26:50PM +, Serge Hallyn wrote:
> > > From: Serge Hallyn
> > >
> > > 1. lxcapi_create: don't try to unshare and mount for dir backed containers
> > >
>
On Mon, Jul 22, 2013 at 10:58:30AM -0500, Serge Hallyn wrote:
> Quoting Serge Hallyn (serge.hal...@ubuntu.com):
> > > May be worth having autoconf figure out the paths for those as they very
> > > well may be moved to /bin.
> >
> > Yeah, these should be done through autoconf.
> >
> > Well, or we
> The downside of this approach though is that we'd have to ban the
> lxc.network option allowing you to change the host interface name or use
> that as a suffix for lxc--.
Please don't drop this option completely. In my framework I'm using it to set
the external veth name to the name of the contai
Quoting Stéphane Graber (stgra...@ubuntu.com):
> On Mon, Jul 22, 2013 at 02:09:19PM -0500, Serge Hallyn wrote:
> > If we are euid==0 or XDG_RUNTIME_DIR is not set, then use
> > /run/lock/lxc/$lxcpath/$lxcname as before. Otherwise,
> > use $XDG_RUNTIME_DIR/lock/lxc/$lxcpath/$lxcname.
> >
> > Signe
Quoting Jäkel, Guido (g.jae...@dnb.de):
>
> > The downside of this approach though is that we'd have to ban the
> > lxc.network option allowing you to change the host interface name or use
> > that as a suffix for lxc--.
>
> Please don't drop this option completely. In my framework I'm using it to s
From: Serge Hallyn
1. lxcapi_create: don't try to unshare and mount for dir backed containers
It's unnecessary, and breaks unprivileged lxc-create (since unpriv users
cannot yet unshare(CLONE_NEWNS)).
2. api_create: chown rootfs
chown rootfs to the host uid to which container root will be mapp
From: Serge Hallyn
Changelog: (Jul 22) only do this when actually mapping ids
Signed-off-by: Serge Hallyn
---
src/lxc/cgroup.c | 11 ++-
src/lxc/conf.c | 16 ++--
src/lxc/conf.h | 6 --
src/lxc/lxc.h| 4 +++-
src/lxc/start.c | 4 ++--
5 files changed, 29 ins
From: Serge Hallyn
It needs to be done from the handler, not the container, since
the container may not have the rights.
Signed-off-by: Serge Hallyn
Changelog:
Jul 22: remove hardcoded path for /bin/chown
Jul 22: use new lxc-usernsexec
Conflicts:
src/lxc/lxccontainer.c
---
sr
From: Serge Hallyn
Signed-off-by: Serge Hallyn
---
src/lxc/conf.c | 24
src/lxc/conf.h | 1 +
src/lxc/lxc_destroy.c | 7 ---
src/lxc/lxccontainer.c | 15 ---
4 files changed, 37 insertions(+), 10 deletions(-)
diff --git a/src/lxc/conf
From: Serge Hallyn
We were trying to chown and chmod it to the same permissions as
the container's lxcpath. I think that's the wrong thing to do.
Signed-off-by: Serge Hallyn
---
src/lxc/lxclock.c | 10 --
1 file changed, 10 deletions(-)
diff --git a/src/lxc/lxclock.c b/src/lxc/lxcloc
Quoting serge.hal...@ubuntu.com (serge.hal...@ubuntu.com):
> From: Serge Hallyn
>
> Changelog: (Jul 22) only do this when actually mapping ids
Another note, as per lkml discussion, unprivileged container
creation will (at least for now) simply not create or enter
cgroups - other than an 'lxc' cg
It's not worthwhile - lxc-usernsexec will simply fail if we don't
have newuidmap. Actually putting all code using lxc-usernsexec
and newuidmap under that configurable would get ugly.
Signed-off-by: Serge Hallyn
---
configure.ac| 3 ---
src/lxc/Makefile.am | 6 --
2 files changed, 9