- 10 12月, 2012 1 次提交
- 18 10月, 2012 3 次提交
-
-
由 Daniel P. Berrange 提交于
Continue consolidation of process functions by moving some helpers out of command.{c,h} into virprocess.{c,h} Signed-off-by: NDaniel P. Berrange <berrange@redhat.com> (cherry picked from commit 9467ab60)
-
由 Daniel P. Berrange 提交于
Change "Pid" to "Process" to align with the virProcessKill API naming prefix Signed-off-by: NDaniel P. Berrange <berrange@redhat.com> (cherry picked from commit 0fb58ef5)
-
由 Daniel P. Berrange 提交于
A prefix change to unmount the SELinux filesystem broke starting of LXC containers with a custom root filesystem (cherry picked from commit 1532bd49)
-
- 21 9月, 2012 3 次提交
-
-
由 Daniel P. Berrange 提交于
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
Some kernel versions (at least RHEL-6 2.6.32) do not let you over-mount an existing selinuxfs instance with a new one. Thus we must unmount the existing instance inside our namespace. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Eric Blake 提交于
https://www.gnu.org/licenses/gpl-howto.html recommends that the 'If not, see <url>.' phrase be a separate sentence. * tests/securityselinuxhelper.c: Remove doubled line. * tests/securityselinuxtest.c: Likewise. * globally: s/; If/. If/
-
- 07 9月, 2012 1 次提交
-
-
由 Daniel P. Berrange 提交于
The introduction of /sys/fs/cgroup came in fairly recent kernels. Prior to that time distros would pick a custom directory like /cgroup or /dev/cgroup. We need to auto-detect where this is, rather than hardcoding it Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
- 31 7月, 2012 1 次提交
-
-
由 Eric Blake 提交于
Otherwise, a build may fail with: lxc/lxc_conatiner.c: In function 'lxcContainerDropCapabilities': lxc/lxc_container.c:1662:46: error: unused parameter 'keepReboot' [-Werror=unused-parameter] * src/lxc/lxc_container.c (lxcContainerDropCapabilities): Mark parameter unused.
-
- 30 7月, 2012 2 次提交
-
-
由 Daniel P. Berrange 提交于
Check whether the reboot() system call is virtualized, and if it is, then allow the container to keep CAP_SYS_REBOOT. Based on an original patch by Serge Hallyn Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
Update all LXC code to use virReportError instead of the custom lxcError macro Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
- 23 7月, 2012 1 次提交
-
-
由 Osier Yang 提交于
Per the FSF address could be changed from time to time, and GNU recommends the following now: (http://www.gnu.org/licenses/gpl-howto.html) You should have received a copy of the GNU General Public License along with Foobar. If not, see <http://www.gnu.org/licenses/>. This patch removes the explicit FSF address, and uses above instead (of course, with inserting 'Lesser' before 'General'). Except a bunch of files for security driver, all others are changed automatically, the copyright for securify files are not complete, that's why to do it manually: src/security/security_selinux.h src/security/security_driver.h src/security/security_selinux.c src/security/security_apparmor.h src/security/security_apparmor.c src/security/security_driver.c
-
- 19 7月, 2012 2 次提交
-
-
由 Dan Walsh 提交于
This patch passes down the sec_mount_options to the lxcContainerMountCGroups function and then mounts the tmpfs with the correct label.
-
由 Daniel J Walsh 提交于
Basically within a Secure Linux Container (virt-sandbox) we want all content that the process within the container can write to be labeled the same. We are labeling the physical disk correctly but when we create "RAM" based file systems libvirt is not labeling them, and they are defaulting to tmpfs_t, which will will not allow the processes to write. This patch labels the RAM based file systems correctly.
-
- 06 7月, 2012 1 次提交
-
-
由 Daniel P. Berrange 提交于
Previous commits added code to unmount the existing /proc, /sys and /dev hierarchies on the root filesystem of the container. This should only have been done if the container's root filesystem was the same as the host's root. ie if the root source is '/'. As it is, this causes LXC containersr to fail to start if their root source is not '/' Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
- 05 7月, 2012 1 次提交
-
-
由 Daniel P. Berrange 提交于
Move the veth device name state into the virLXCControllerPtr object and stop passing it around. Also use size_t instead of unsigned int for the array length parameters. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
- 29 6月, 2012 1 次提交
-
-
由 Daniel P. Berrange 提交于
Since we are mounting a new /dev in the container, we must remove any sub-mounts like /dev/shm, /dev/mqueue, etc, otherwise they'll be recorded in /proc/mounts, but not be accessible to applications.
-
- 25 6月, 2012 3 次提交
-
-
由 Daniel J Walsh 提交于
Currently libvirt-lxc checks to see if the destination exists and is a directory. If it is not a directory then the mount fails. Since libvirt-lxc can bind mount files on an inode, this patch is needed to allow us to bind mount files on files. Currently we want to bind mount on top of /etc/machine-id, and /etc/adjtime If the destination of the mount point does not exists, it checks if the src is a directory and then attempts to create a directory, otherwise it creates an empty file for the destination. The code will then bind mount over the destination. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
Currently you can configure LXC to bind a host directory to a guest directory, but not to bind a guest directory to a guest directory. While the guest container init could do this itself, allowing it in the libvirt XML means a stricter SELinux policy can be written
-
由 Daniel P. Berrange 提交于
Introduce a new syntax for filesystems to allow use of a RAM filesystem <filesystem type='ram'> <source usage='10' units='MiB'/> <target dir='/mnt'/> </filesystem> The usage units default to KiB to limit consumption of host memory. * docs/formatdomain.html.in: Document new syntax * docs/schemas/domaincommon.rng: Add new attributes * src/conf/domain_conf.c: Parsing/formatting of RAM filesystems * src/lxc/lxc_container.c: Mounting of RAM filesystems Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
- 19 6月, 2012 4 次提交
-
-
由 Gao feng 提交于
when lxcContainerIdentifyCGroups failed, the memory it allocated has been freed, so we should not free this memory again in lxcContainerSetupPivortRoot and lxcContainerSetupExtraMounts. Signed-off-by: NGao feng <gaofeng@cn.fujitsu.com>
-
由 Gao feng 提交于
print debug info "container support is enabled" when host support the user or net namespace. Signed-off-by: NGao feng <gaofeng@cn.fujitsu.com>
-
由 Gao feng 提交于
kill the "return 0;" code, it will cause memory leak. Signed-off-by: NGao feng <gaofeng@cn.fujitsu.com>
-
由 Eric Blake 提交于
Introduced in commit 1f8c33b6. * src/lxc/lxc_container.c (lxcContainerGetSubtree): Avoid TAB.
-
- 18 6月, 2012 2 次提交
-
-
由 Gao feng 提交于
when libvirt_lxc trigger oom error in lxcContainerGetSubtree we should free the alloced memory for mounts. so when lxcContainerGetSubtree failed,we should do some memory cleanup in lxcContainerUnmountSubtree. Signed-off-by: NGao feng <gaofeng@cn.fujitsu.com>
-
由 Gao feng 提交于
we alloc the memory for format in lxcContainerMountDetectFilesystem but without free it in lxcContainerMountFSBlockHelper. this patch just call VIR_FREE to free it. Signed-off-by: NGao feng <gaofeng@cn.fujitsu.com>
-
- 15 6月, 2012 1 次提交
-
-
由 Daniel P. Berrange 提交于
This reverts commit c16b4c43 Author: Daniel P. Berrange <berrange@redhat.com> Date: Fri May 11 15:09:27 2012 +0100 Avoid LXC pivot root in the root source is still / This commit broke setup of /dev, because the code which deals with setting up a private /dev and /dev/pts only works if you do a pivotroot. The original intent of avoiding the pivot root was to try and ensure the new root has a minimumal mount tree. The better way todo this is to just unmount the bits we don't want (ie old /proc & /sys subtrees. So apply the logic from commit c529b47a Author: Daniel P. Berrange <berrange@redhat.com> Date: Fri May 11 11:35:28 2012 +0100 Trim /proc & /sys subtrees before mounting new instances to the pivot_root codepath as well
-
- 11 6月, 2012 3 次提交
-
-
由 Gao feng 提交于
we forgot to free fslist,just add VIR_FREE(fslist). Signed-off-by: NGao feng <gaofeng@cn.fujitsu.com>
-
由 Gao feng 提交于
when do remount,the source and target should be the same values specified in the initial mount() call. So change fs->dst to src. Signed-off-by: NGao feng <gaofeng@cn.fujitsu.com>
-
由 Gao feng 提交于
There is no code use the variable "src" in lxcContainerMountBasicFS. so delete it and VIR_FREE. Signed-off-by: NGao feng <gaofeng@cn.fujitsu.com>
-
- 16 5月, 2012 5 次提交
-
-
由 Daniel P. Berrange 提交于
Normal practice is for cgroups controllers to be mounted at /sys/fs/cgroup. When setting up a container, /sys is mounted with a new sysfs instance, thus we must re-mount all the cgroups controllers. The complexity is that we must mount them in the same layout as the host OS. ie if 'cpu' and 'cpuacct' were mounted at the same location in the host we must preserve this in the container. Also if any controllers are co-located we must setup symlinks from the individual controller name to the co-located mount-point Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
Both /proc and /sys may have sub-mounts in them from the host OS. We must explicitly unmount them all before mounting the new instance over that location. If we don't then /proc/mounts will show the sub-mounts as existing, even though nothing will be able to access them, due to the over-mount. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
If the LXC config has a filesystem <filesystem> <source dir='/'/> <target dir='/'/> </filesystem> then there is no need to go down the pivot root codepath. We can simply use the existing root as needed. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
Currently to make sysfs readonly, we remount the existing instance and then bind it readonly. Unfortunately this means sysfs is still showing device objects wrt the host OS namespace. We need it to reflect the container namespace, so we must mount a completely new instance of it. Do the same for selinuxfs since there is no benefit to bind mounting & this lets us simplify the code. * src/lxc/lxc_container.c: Mount fresh sysfs instance Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel Walsh 提交于
Instead of hardcoding use of SELinux contexts in the LXC driver, switch over to using the official security driver API. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
- 01 5月, 2012 1 次提交
-
-
由 Daniel P. Berrange 提交于
Once lxcContainerSetStdio is invoked, logging will not work as expected in libvirt_lxc. So make sure this is the last thing to be called, in particular after setting the security process label
-
- 30 3月, 2012 1 次提交
-
-
由 Daniel P. Berrange 提交于
The code is splattered with a mix of sizeof foo sizeof (foo) sizeof(foo) Standardize on sizeof(foo) and add a syntax check rule to enforce it Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
- 27 3月, 2012 2 次提交
-
-
由 Daniel P. Berrange 提交于
Pass argv to the init binary of LXC, using a new <initarg> element. * docs/formatdomain.html.in: Document <os> usage for containers * docs/schemas/domaincommon.rng: Add <initarg> element * src/conf/domain_conf.c, src/conf/domain_conf.h: parsing and formatting of <initarg> * src/lxc/lxc_container.c: Setup LXC argv * tests/Makefile.am, tests/lxcxml2xmldata/lxc-systemd.xml, tests/lxcxml2xmltest.c, tests/testutilslxc.c, tests/testutilslxc.h: Test parsing/formatting of LXC related XML parts
-
由 Daniel P. Berrange 提交于
The SELinux mount point moved from /selinux to /sys/fs/selinux when systemd came along. * configure.ac: Probe for SELinux mount point * src/lxc/lxc_container.c: Use SELinux mount point determined by configure.ac
-
- 16 3月, 2012 1 次提交
-
-
由 Daniel P. Berrange 提交于
If no <interface> elements are included in an LXC guest XML description, then the LXC guest will just see the host's network interfaces. It is desirable to be able to hide the host interfaces, without having to define any guest interfaces. This patch introduces a new feature flag <privnet/> to allow forcing of a private network namespace for LXC. In the future I also anticipate that we will add <privuser/> to force a private user ID namespace. * src/conf/domain_conf.c, src/conf/domain_conf.h: Add support for <privnet/> feature. Auto-set <privnet> if any <interface> devices are defined * src/lxc/lxc_container.c: Honour request for private network namespace
-