1. 10 12月, 2012 1 次提交
    • D
      Linux Containers are not allowed to create device nodes. · 9a543041
      Dan Walsh 提交于
      This needs to be done before the container starts. Turning
      off the mknod capability is noticed by systemd, which will
      no longer attempt to create device nodes.
      
      This eliminates SELinux AVC messages and ugly failure messages in the journal.
      (cherry picked from commit 2e03b08e)
      9a543041
  2. 18 10月, 2012 3 次提交
  3. 21 9月, 2012 3 次提交
  4. 07 9月, 2012 1 次提交
  5. 31 7月, 2012 1 次提交
    • E
      build: fix build without HAVE_CAPNG · 6f926c5e
      Eric Blake 提交于
      Otherwise, a build may fail with:
      
      lxc/lxc_conatiner.c: In function 'lxcContainerDropCapabilities':
      lxc/lxc_container.c:1662:46: error: unused parameter 'keepReboot' [-Werror=unused-parameter]
      
      * src/lxc/lxc_container.c (lxcContainerDropCapabilities): Mark
      parameter unused.
      6f926c5e
  6. 30 7月, 2012 2 次提交
  7. 23 7月, 2012 1 次提交
    • O
      Desert the FSF address in copyright · f9ce7dad
      Osier Yang 提交于
      Per the FSF address could be changed from time to time, and GNU
      recommends the following now: (http://www.gnu.org/licenses/gpl-howto.html)
      
        You should have received a copy of the GNU General Public License
        along with Foobar.  If not, see <http://www.gnu.org/licenses/>.
      
      This patch removes the explicit FSF address, and uses above instead
      (of course, with inserting 'Lesser' before 'General').
      
      Except a bunch of files for security driver, all others are changed
      automatically, the copyright for securify files are not complete,
      that's why to do it manually:
      
        src/security/security_selinux.h
        src/security/security_driver.h
        src/security/security_selinux.c
        src/security/security_apparmor.h
        src/security/security_apparmor.c
        src/security/security_driver.c
      f9ce7dad
  8. 19 7月, 2012 2 次提交
    • D
      lxcContainerMountCGroups also mounts a tmpfs that needs to be labeled. · 9f5ef4d9
      Dan Walsh 提交于
      This patch passes down the sec_mount_options to the
      lxcContainerMountCGroups function and then mounts the tmpfs with
      the correct label.
      9f5ef4d9
    • D
      Mount all tmpfs filesystems with correct SELinux label · e0018429
      Daniel J Walsh 提交于
      Basically within a Secure Linux Container (virt-sandbox) we want all content
      that the process within the container can write to be labeled the same.  We
      are labeling the physical disk correctly but when we create "RAM" based file
      systems
      libvirt is not labeling them, and they are defaulting to tmpfs_t, which will
      will not allow the processes to write.  This patch labels the RAM based file
      systems correctly.
      e0018429
  9. 06 7月, 2012 1 次提交
  10. 05 7月, 2012 1 次提交
  11. 29 6月, 2012 1 次提交
  12. 25 6月, 2012 3 次提交
    • D
      Support bind mounting host files, as well as directories in LXC · 465c055f
      Daniel J Walsh 提交于
      Currently libvirt-lxc checks to see if the destination exists and is a
      directory.  If it is not a directory then the mount fails.  Since
      libvirt-lxc can bind mount files on an inode, this patch is needed to
      allow us to bind mount files on files.  Currently we want to bind mount
      on top of /etc/machine-id, and /etc/adjtime
      
      If the destination of the mount point does not exists, it checks if the
      src is a directory and then attempts to create a directory, otherwise it
      creates an empty file for the destination.  The code will then bind mount
      over the destination.
      Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
      465c055f
    • D
      Add support for guest bind mounts with LXC · 3b1ddec1
      Daniel P. Berrange 提交于
      Currently you can configure LXC to bind a host directory to
      a guest directory, but not to bind a guest directory to a
      guest directory. While the guest container init could do
      this itself, allowing it in the libvirt XML means a stricter
      SELinux policy can be written
      3b1ddec1
    • D
      Add support for RAM filesystems for LXC · 76b644c3
      Daniel P. Berrange 提交于
      Introduce a new syntax for filesystems to allow use of a RAM
      filesystem
      
         <filesystem type='ram'>
            <source usage='10' units='MiB'/>
            <target dir='/mnt'/>
         </filesystem>
      
      The usage units default to KiB to limit consumption of host memory.
      
      * docs/formatdomain.html.in: Document new syntax
      * docs/schemas/domaincommon.rng: Add new attributes
      * src/conf/domain_conf.c: Parsing/formatting of RAM filesystems
      * src/lxc/lxc_container.c: Mounting of RAM filesystems
      Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
      76b644c3
  13. 19 6月, 2012 4 次提交
  14. 18 6月, 2012 2 次提交
  15. 15 6月, 2012 1 次提交
    • D
      Always pivot_root event if the new root source is '/' · e9d8861e
      Daniel P. Berrange 提交于
      This reverts
      
        commit c16b4c43
        Author: Daniel P. Berrange <berrange@redhat.com>
        Date:   Fri May 11 15:09:27 2012 +0100
      
          Avoid LXC pivot root in the root source is still /
      
      This commit broke setup of /dev, because the code which
      deals with setting up a private /dev and /dev/pts only
      works if you do a pivotroot.
      
      The original intent of avoiding the pivot root was to
      try and ensure the new root has a minimumal mount
      tree. The better way todo this is to just unmount the
      bits we don't want (ie old /proc & /sys subtrees.
      So apply the logic from
      
        commit c529b47a
        Author: Daniel P. Berrange <berrange@redhat.com>
        Date:   Fri May 11 11:35:28 2012 +0100
      
          Trim /proc & /sys subtrees before mounting new instances
      
      to the pivot_root codepath as well
      e9d8861e
  16. 11 6月, 2012 3 次提交
  17. 16 5月, 2012 5 次提交
  18. 01 5月, 2012 1 次提交
  19. 30 3月, 2012 1 次提交
  20. 27 3月, 2012 2 次提交
    • D
      Add support for setting init argv for LXC · c91cff25
      Daniel P. Berrange 提交于
      Pass argv to the init binary of LXC, using a new <initarg> element.
      
      * docs/formatdomain.html.in: Document <os> usage for containers
      * docs/schemas/domaincommon.rng: Add <initarg> element
      * src/conf/domain_conf.c, src/conf/domain_conf.h: parsing and
        formatting of <initarg>
      * src/lxc/lxc_container.c: Setup LXC argv
      * tests/Makefile.am, tests/lxcxml2xmldata/lxc-systemd.xml,
        tests/lxcxml2xmltest.c, tests/testutilslxc.c,
        tests/testutilslxc.h: Test parsing/formatting of LXC related
        XML parts
      c91cff25
    • D
      Detect location fo selinux mount point · eb8f31c1
      Daniel P. Berrange 提交于
      The SELinux mount point moved from /selinux to /sys/fs/selinux
      when systemd came along.
      
      * configure.ac: Probe for SELinux mount point
      * src/lxc/lxc_container.c: Use SELinux mount point determined
        by configure.ac
      eb8f31c1
  21. 16 3月, 2012 1 次提交
    • D
      Add support for forcing a private network namespace for LXC guests · 10a8b1f9
      Daniel P. Berrange 提交于
      If no <interface> elements are included in an LXC guest XML
      description, then the LXC guest will just see the host's
      network interfaces. It is desirable to be able to hide the
      host interfaces, without having to define any guest interfaces.
      
      This patch introduces a new feature flag <privnet/> to allow
      forcing of a private network namespace for LXC. In the future
      I also anticipate that we will add <privuser/> to force a
      private user ID namespace.
      
      * src/conf/domain_conf.c, src/conf/domain_conf.h: Add support
        for <privnet/> feature. Auto-set <privnet> if any <interface>
        devices are defined
      * src/lxc/lxc_container.c: Honour request for private network
        namespace
      10a8b1f9