[lxc-devel] [GIT] lxc branch, master, updated. bf601689a9e0cea1ceaf17e4f7f853f5392c2827

Daniel Lezcano git at users.sourceforge.net
Fri Jan 8 13:34:28 UTC 2010


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "lxc".

The branch, master has been updated
       via  bf601689a9e0cea1ceaf17e4f7f853f5392c2827 (commit)
       via  7b379ab3a54e12c89c664acce557f759258c629a (commit)
       via  4eec6850fcc88e020c48580851a4c328a6860be1 (commit)
       via  0bb4f8cf3b3b984dc150a11cb2e4d83ba4c49970 (commit)
      from  23a92fad754b6671f11f8908c32718762d7a3fdd (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit bf601689a9e0cea1ceaf17e4f7f853f5392c2827
Author: Michael Holtz <lxc at my.fqdn.org>
Date:   Fri Jan 8 14:34:13 2010 +0100

    use pivot_root instead of chroot
    
    lxc currently does a chroot into the target rootfs. chroot is insecure and
    can easily be broken, as demonstrated here:
    
    | root at synergy:~# touch /this_is_the_realrootfs_ouch
    | # touch /container/webhost/this_is_the_container
    | # lxc-start -n webhost /bin/sh
    | # ls this*
    | this_is_the_container
    | # ./breakchroot
    | # ls this*
    | this_is_the_realrootfs_ouch
    
    code to break chroot taken from
    http://www.bpfh.net/simes/computing/chroot-break.html
    
    Now this can be fixed. As our container has its own mount namespace, we can
    easily pivot_root into the rootfs and then unmount all old mounts. The patch
    attached adds a new config keyword which contains the path to a temporary
    mount for the old rootfs (inside the container). This stops the chroot break
    method shown before.
    
    Example:
    
    | root at synergy:~# grep pivotdir /var/lib/lxc/webhost/config
    | lxc.pivotdir = /oldrootfs
    | root at synergy:~# ls -lad /container/webhost/oldrootfs
    | drwxr-xr-x 2 root root 4096 2010-01-02 03:59 /container/webhost/oldrootfs
    | root at synergy:~# lxc-start -n webhost /bin/sh
    | # mount -t proc proc /proc
    | # cat /proc/mounts
    | rootfs / rootfs rw 0 0
    | /dev/root / ext3 rw,relatime,errors=remount-ro,data=writeback 0 0
    | devpts /dev/console devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
    | proc /proc proc rw,relatime 0 0
    | # ls this*
    | this_is_the_container
    | # ./breakchroot
    | # ls this*
    | this_is_the_container
    
    Signed-off-by: Daniel Lezcano <dlezcano at fr.ibm.com>
    Signed-off-by: Michael Holtz <lxc at my.fqdn.org>
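An added example, not code from the commit or from lxc itself, of the pivot_root sequence the message describes: unshare a mount namespace, make the rootfs a mount point, pivot into it, and detach the old root at the in-container pivotdir. pivot_target_path, which joins the rootfs with the lxc.pivotdir value and rejects values that would place the old root outside the rootfs, is a hypothetical helper rather than lxc's config parser; the pivot itself needs CAP_SYS_ADMIN and is meant to be run as root against a prepared rootfs.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mount.h>
#include <sys/syscall.h>
#ifndef CLONE_NEWNS
#define CLONE_NEWNS 0x00020000   /* value from <linux/sched.h>: new mount namespace */
#endif
/* True if an absolute path contains a ".." component. */
static int has_dotdot(const char *p)
{
    for (const char *s = p; (s = strstr(s, "/..")) != NULL; s += 3)
        if (s[3] == '/' || s[3] == '\0')
            return 1;
    return 0;
}

/* Hypothetical helper: host rootfs + lxc.pivotdir (a path inside the
 * container, e.g. "/oldrootfs") -> put_old directory for pivot_root(2).
 * Relative values and ".." are rejected so put_old stays inside the rootfs. */
int pivot_target_path(const char *rootfs, const char *pivotdir,
                      char *out, size_t outlen)
{
    if (!rootfs || !pivotdir || pivotdir[0] != '/' || has_dotdot(pivotdir))
        return -1;   /* bad input */
    return snprintf(out, outlen, "%s%s", rootfs, pivotdir) >= (int)outlen ? -1 : 0;
}

/* The sequence from the commit message; needs CAP_SYS_ADMIN. 0, or -1 with errno. */
int pivot_into_rootfs(const char *rootfs, const char *pivotdir)
{
    char put_old[4096];
    if (pivot_target_path(rootfs, pivotdir, put_old, sizeof put_old) < 0)
        return -1;
    if (syscall(SYS_unshare, CLONE_NEWNS) < 0)                   /* own mount namespace */
        return -1;
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0)   /* no propagation to host */
        return -1;
    if (mount(rootfs, rootfs, NULL, MS_BIND | MS_REC, NULL) < 0) /* must be a mount point */
        return -1;
    if (syscall(SYS_pivot_root, rootfs, put_old) < 0 || chdir("/") < 0)
        return -1;
    return umount2(pivotdir, MNT_DETACH);    /* old root is now at pivotdir: drop it */
}
int main(int argc, char **argv)
{
    if (argc != 3 || pivot_into_rootfs(argv[1], argv[2]) < 0)
        return perror("usage: <rootfs> <pivotdir>; pivot_into_rootfs"), 1;
    return execl("/bin/sh", "sh", (char *)NULL), perror("execl"), 1;
}
```

Inside the resulting shell, /proc/mounts (after mounting proc) lists only the container's mounts, as in the second transcript above, because the old root was detached rather than merely hidden by chroot.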

commit 7b379ab3a54e12c89c664acce557f759258c629a
Author: Michel Normand <NORMAND at fr.ibm.com>
Date:   Fri Jan 8 14:34:13 2010 +0100

    lxc: avoid memory corruption on ppc and s390 V4
    
    conf object is on stack and is used in forked process.
    
    Signed-off-by: Michel Normand <normand at fr.ibm.com>
    Signed-off-by: Daniel Lezcano <dlezcano at fr.ibm.com>

commit 4eec6850fcc88e020c48580851a4c328a6860be1
Author: Michel Normand <normand at fr.ibm.com>
Date:   Fri Jan 8 14:34:13 2010 +0100

    lxc_cgroup_set not reporting error
    
    this is a side effect of previous patch I made
    on this same function in commit
    a6ddef6149858df87cf7ab3c21e2fd34d14cc452
    
    Signed-off-by: Michel Normand <normand at fr.ibm.com>
    Signed-off-by: Daniel Lezcano <dlezcano at fr.ibm.com>

commit 0bb4f8cf3b3b984dc150a11cb2e4d83ba4c49970
Author: Michel Normand <normand at fr.ibm.com>
Date:   Fri Jan 8 14:34:13 2010 +0100

    lxc: update man and help of lxc-create
    
    a few added lines to document the new lxc-create -t option
    
    Signed-off-by: Michel Normand <normand at fr.ibm.com>
    Signed-off-by: Daniel Lezcano <dlezcano at fr.ibm.com>

-----------------------------------------------------------------------

Summary of changes:
 doc/lxc-create.sgml.in |   15 +++
 src/lxc/cgroup.c       |    5 +-
 src/lxc/conf.c         |  226 +++++++++++++++++++++++++++++++++++++++++++-----
 src/lxc/conf.h         |    4 +-
 src/lxc/confile.c      |   18 ++++
 src/lxc/lxc-create.in  |   45 +++++++---
 src/lxc/lxc_execute.c  |   11 ++-
 src/lxc/lxc_start.c    |   11 ++-
 8 files changed, 285 insertions(+), 50 deletions(-)


hooks/post-receive
-- 
lxc