[lxc-devel] [GIT] lxc branch, master, updated. bf601689a9e0cea1ceaf17e4f7f853f5392c2827
Daniel Lezcano
git at users.sourceforge.net
Fri Jan 8 13:34:28 UTC 2010
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "lxc".
The branch, master has been updated
via bf601689a9e0cea1ceaf17e4f7f853f5392c2827 (commit)
via 7b379ab3a54e12c89c664acce557f759258c629a (commit)
via 4eec6850fcc88e020c48580851a4c328a6860be1 (commit)
via 0bb4f8cf3b3b984dc150a11cb2e4d83ba4c49970 (commit)
from 23a92fad754b6671f11f8908c32718762d7a3fdd (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit bf601689a9e0cea1ceaf17e4f7f853f5392c2827
Author: Michael Holtz <lxc at my.fqdn.org>
Date: Fri Jan 8 14:34:13 2010 +0100
use pivot_root instead of chroot
lxc currently does a chroot into the target rootfs. chroot is insecure and
can easily be broken, as demonstrated here:
| root at synergy:~# touch /this_is_the_realrootfs_ouch
| # touch /container/webhost/this_is_the_container
| # lxc-start -n webhost /bin/sh
| # ls this*
| this_is_the_container
| # ./breakchroot
| # ls this*
| this_is_the_realrootfs_ouch
code to break chroot taken from
http://www.bpfh.net/simes/computing/chroot-break.html
Now this can be fixed. As our container has its own mount namespace, we can
easily pivot_root into the rootfs and then unmount all old mounts. The patch
attached adds a new config keyword which contains the path to a temporary
mount for the old rootfs (inside the container). This stops the chroot break
method shown before.
Example:
| root at synergy:~# grep pivotdir /var/lib/lxc/webhost/config
| lxc.pivotdir = /oldrootfs
| root at synergy:~# ls -lad /container/webhost/oldrootfs
| drwxr-xr-x 2 root root 4096 2010-01-02 03:59 /container/webhost/oldrootfs
| root at synergy:~# lxc-start -n webhost /bin/sh
| # mount -t proc proc /proc
| # cat /proc/mounts
| rootfs / rootfs rw 0 0
| /dev/root / ext3 rw,relatime,errors=remount-ro,data=writeback 0 0
| devpts /dev/console devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
| proc /proc proc rw,relatime 0 0
| # ls this*
| this_is_the_container
| # ./breakchroot
| # ls this*
| this_is_the_container
Signed-off-by: Daniel Lezcano <dlezcano at fr.ibm.com>
Signed-off-by: Michael Holtz <lxc at my.fqdn.org>
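As an added illustration of the pivot_root sequence this commit describes (example code written for this page, not the lxc patch itself), the block below assumes a hypothetical pivot_into_rootfs() that takes the rootfs path and the lxc.pivotdir value: it builds the host-side put_old path, unshares a mount namespace, makes mounts private, bind-mounts the rootfs onto itself so it is a mount point, pivots, chdirs to the new root and lazily detaches the old root. count_mounts_under() parses /proc/mounts-style text so a caller can confirm nothing remains mounted under the pivotdir afterwards; the helper names and the sample mount lines are constructed for this example.

```c
#define _GNU_SOURCE
#include <limits.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Hypothetical helper: join the host rootfs path and the in-container
 * pivotdir (the lxc.pivotdir value) into the put_old path for pivot_root.
 * Returns 0 on success, -1 if pivotdir is not absolute, contains ".."
 * (conservative check to keep it inside the rootfs) or does not fit. */
int build_put_old(const char *rootfs, const char *pivotdir,
                  char *out, size_t outlen)
{
    if (pivotdir[0] != '/' || strstr(pivotdir, "..") != NULL)
        return -1;
    int n = snprintf(out, outlen, "%s%s", rootfs, pivotdir);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

/* Count entries of /proc/mounts-style text whose mount point (field 2)
 * is prefix itself or lies below it. After a successful pivot and
 * MNT_DETACH of the old root, this should return 0 for the pivotdir. */
int count_mounts_under(const char *mounts_text, const char *prefix)
{
    int count = 0;
    size_t plen = strlen(prefix);
    const char *line = mounts_text;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        const char *sp = memchr(line, ' ', len);
        if (sp) {
            const char *mp = sp + 1;                  /* mount point */
            size_t mplen = len - (size_t)(mp - line);
            const char *end = memchr(mp, ' ', mplen);
            if (end)
                mplen = (size_t)(end - mp);
            if (mplen >= plen && strncmp(mp, prefix, plen) == 0 &&
                (mplen == plen || mp[plen] == '/'))
                count++;
        }
        if (!eol)
            break;
        line = eol + 1;
    }
    return count;
}

/* Requires CAP_SYS_ADMIN; every step is done in a fresh mount namespace
 * so nothing leaks back to the host. Returns 0 on success, -1 on error. */
int pivot_into_rootfs(const char *rootfs, const char *pivotdir)
{
    char put_old[PATH_MAX];
    if (build_put_old(rootfs, pivotdir, put_old, sizeof put_old) < 0)
        return -1;
    if (unshare(CLONE_NEWNS) < 0)
        return -1;
    /* Stop mount events propagating to the parent namespace. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0)
        return -1;
    /* pivot_root requires new_root to be a mount point. */
    if (mount(rootfs, rootfs, NULL, MS_BIND | MS_REC, NULL) < 0)
        return -1;
    /* No glibc wrapper for pivot_root; call the syscall directly. */
    if (syscall(SYS_pivot_root, rootfs, put_old) < 0)
        return -1;
    if (chdir("/") < 0)
        return -1;
    /* Lazily detach the old root so it is no longer reachable. */
    if (umount2(pivotdir, MNT_DETACH) < 0)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s <rootfs> <pivotdir>\n", argv[0]);
        return 2;
    }
    if (pivot_into_rootfs(argv[1], argv[2]) < 0) {
        perror("pivot_into_rootfs");
        return 1;
    }
    /* Constructed sample of what /proc/mounts should look like afterwards. */
    const char *sample = "rootfs / rootfs rw 0 0\n/dev/root / ext3 rw 0 0\n";
    printf("leftover mounts under %s: %d\n", argv[2],
           count_mounts_under(sample, argv[2]));
    return 0;
}
```

The umount2() with MNT_DETACH is what removes the old root from the container's view; a practitioner checking the result can feed the real /proc/mounts contents to count_mounts_under() and treat any non-zero count as a configuration error.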
commit 7b379ab3a54e12c89c664acce557f759258c629a
Author: Michel Normand <NORMAND at fr.ibm.com>
Date: Fri Jan 8 14:34:13 2010 +0100
lxc: avoid memory corruption on ppc and s390 V4
The conf object is on the stack and is used in the forked process.
Signed-off-by: Michel Normand <normand at fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano at fr.ibm.com>
commit 4eec6850fcc88e020c48580851a4c328a6860be1
Author: Michel Normand <normand at fr.ibm.com>
Date: Fri Jan 8 14:34:13 2010 +0100
lxc_cgroup_set not reporting error
This is a side effect of a previous patch I made
on this same function in commit
a6ddef6149858df87cf7ab3c21e2fd34d14cc452
Signed-off-by: Michel Normand <normand at fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano at fr.ibm.com>
commit 0bb4f8cf3b3b984dc150a11cb2e4d83ba4c49970
Author: Michel Normand <normand at fr.ibm.com>
Date: Fri Jan 8 14:34:13 2010 +0100
lxc: update man and help of lxc-create
A few added lines to document the new lxc-create -t option.
Signed-off-by: Michel Normand <normand at fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano at fr.ibm.com>
-----------------------------------------------------------------------
Summary of changes:
doc/lxc-create.sgml.in | 15 +++
src/lxc/cgroup.c | 5 +-
src/lxc/conf.c | 226 +++++++++++++++++++++++++++++++++++++++++++-----
src/lxc/conf.h | 4 +-
src/lxc/confile.c | 18 ++++
src/lxc/lxc-create.in | 45 +++++++---
src/lxc/lxc_execute.c | 11 ++-
src/lxc/lxc_start.c | 11 ++-
8 files changed, 285 insertions(+), 50 deletions(-)
hooks/post-receive
--
lxc