[lxc-devel] [GIT] lxc branch, master, updated. ce6ce9d662b4ee8c0a10088867826a6725e06f70

Daniel Lezcano git at users.sourceforge.net
Sat Feb 25 23:49:20 UTC 2012


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "lxc".

The branch, master has been updated

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit ce6ce9d662b4ee8c0a10088867826a6725e06f70
Author: Jon Nordby <jononor at gmail.com>
Date:   Thu Feb 23 09:57:26 2012 +0100

    fix-automake-1.13
    
    ## 0001-Replace-pkglib_PROGRAMS-with-pkglibexec_PROGRAMS.patch [diff]
    From 95c566740bba899acc7792c11fcdb3f4d32dcfc9 Mon Sep 17 00:00:00 2001
    From: Jon Nordby <jononor at gmail.com>
    Date: Fri, 10 Feb 2012 11:38:35 +0100
    Subject: [PATCH] Replace pkglib_PROGRAMS with pkglibexec_PROGRAMS
    
    Without this change, autogen.sh fails with automake 1.11.3
    
    Signed-off-by: Daniel Lezcano <dlezcano at fr.ibm.com>

commit 49ee6cdcbf79d8b6fa617479ec8ab753ccca923d
Author: Christian Seiler <christian at iwakd.de>
Date:   Thu Feb 23 09:57:14 2012 +0100

    Add man page for lxc-attach
    
    Signed-off-by: Daniel Lezcano <dlezcano at fr.ibm.com>

commit cb014488ee24072579837439389552ce3d6cbb83
Author: Christian Seiler <christian at iwakd.de>
Date:   Thu Feb 23 09:57:14 2012 +0100

    lxc-attach: Drop privileges when attaching to container unless requested otherwise
    
    lxc-attach will now put the process that is attached to the container into
    the correct cgroups corresponding to the container, set the correct
    personality and drop the privileges.
    
    The information is extracted from entries in /proc of the init process of
    the container. Note that this relies on the (reasonable) assumption that the
    init process does not in fact drop additional capabilities from its bounding
    set.
    
    Additionally, 2 command line options are added to lxc-attach: One to prevent
    the capabilities from being dropped and the process from being put into the
    cgroup (-e, --elevated-privileges) and a second one to explicitly state the
    architecture which the process will see, (-a, --arch) which defaults to the
    container's current architecture.
    
    Signed-off-by: Daniel Lezcano <dlezcano at fr.ibm.com>

commit 99d509541d82f247b3225d243fff5359574817ff
Author: Christian Seiler <christian at iwakd.de>
Date:   Thu Feb 23 09:57:14 2012 +0100

    Move lxc_attach from namespace.c to attach.c and rename it to lxc_attach_to_ns
    
    Since lxc-attach helper functions now have their own source file, lxc_attach is
    moved from namespace.c to attach.c and is renamed to lxc_attach_to_ns,
    because that better reflects what the function does (attaching to a
    container can also contain the setting of the process's personality, adding
    it to the corresponding cgroups and dropping specific capabilities).
    
    Signed-off-by: Daniel Lezcano <dlezcano at fr.ibm.com>

commit e073270504f2f5c5df90bfcc4917d2d20b73d1e7
Author: Christian Seiler <christian at iwakd.de>
Date:   Thu Feb 23 09:57:14 2012 +0100

    Add attach.[ch]: Helper functions for lxc-attach
    
    The following helper functions for lxc-attach are added to a new file
    attach.c:
     - lxc_proc_get_context_info: Get cgroup memberships, personality and
       capability bounding set from /proc for a given process.
     - lxc_proc_free_context_info: Free the data structure responsible
     - lxc_attach_proc_to_cgroups: Add the process specified by the pid
       parameter to the cgroups given by the ctx parameter.
     - lxc_attach_drop_privs: Drop capabilities to the capability mask given in
       the ctx parameter.
    
    Signed-off-by: Daniel Lezcano <dlezcano at fr.ibm.com>

commit 525f00025700ae351b9c53dfb0d5f10a70d6b083
Author: Christian Seiler <christian at iwakd.de>
Date:   Thu Feb 23 09:57:14 2012 +0100

    Add lxc_config_parse_arch to parse architecture strings
    
    Add the function lxc_config_parse_arch that parses an architecture string
    (x86, i686, x86_64, amd64) and returns the corresponding personality. This
    is required for lxc-attach, which accepts architectures independently of
    lxc.arch. The parsing of lxc.arch now also uses the same function to ensure
    consistency.
    
    Signed-off-by: Daniel Lezcano <dlezcano at fr.ibm.com>

commit 28f2ae839d00373d093234ffbc9bbb4ef5f9d10e
Author: Christian Seiler <christian at iwakd.de>
Date:   Thu Feb 23 09:57:14 2012 +0100

    cgroup: Make cgroup_attach a public function
    
    lxc-attach needs to be able to attach a process to a specific cgroup, so
    cgroup_attach is renamed to lxc_cgroup_attach and is now also defined in the
    header file.
    
    Signed-off-by: Daniel Lezcano <dlezcano at fr.ibm.com>

commit 3ea24eb8e68ba18e215aec0f10d96f75b23c340b
Author: Christian Seiler <christian at iwakd.de>
Date:   Thu Feb 23 09:57:13 2012 +0100

    Enable get_cgroup_mount to search for mount points satisfying multiple subsystems at once
    
    lxc-attach functionality reads /proc/init_pid/cgroup to determine the cgroup
    of the container for a given subsystem. However, since subsystems may be
    mounted together, we want to be on the safe side and be sure that we really
    find the correct mount point, so we allow get_cgroup_mount to check for
    *all* the subsystems; the subsystem parameter may now be a comma-separated
    list.
    
    Signed-off-by: Daniel Lezcano <dlezcano at fr.ibm.com>

commit e16dad106358ae045cdcb1d86fcf3c85ca76724f
Author: Christian Seiler <christian at iwakd.de>
Date:   Thu Feb 23 09:57:13 2012 +0100

    Add missing double-include #ifndef/#define/#endif to confile.h
    
    Signed-off-by: Daniel Lezcano <dlezcano at fr.ibm.com>

commit d79579e87406e8c239014dad04c5d310e553a8dd
Author: Christian Seiler <christian at iwakd.de>
Date:   Thu Feb 23 09:57:13 2012 +0100

    Add missing 'extern' keyword to functions defined in cgroup.h
    
    Signed-off-by: Daniel Lezcano <dlezcano at fr.ibm.com>

commit d55bc1adad2f4929d26d91b295115a77ca6a0d05
Author: Christian Seiler <christian at iwakd.de>
Date:   Thu Feb 23 09:57:13 2012 +0100

    Accept numeric values for capabilities to drop
    
    lxc.cap.drop now also accepts numeric values for capabilities. This allows
    the user to specify capabilities LXC doesn't know about yet or capabilities
    that were not part of the kernel headers LXC was compiled against.
    
    Signed-off-by: Daniel Lezcano <dlezcano at fr.ibm.com>

commit 5170c716339cc57e4df2315f24abd18f7fc05d08
Author: Christian Seiler <christian at iwakd.de>
Date:   Thu Feb 23 09:57:13 2012 +0100

    Add CAP_SYSLOG and CAP_WAKE_ALARM to list of capabilities
    
    Signed-off-by: Daniel Lezcano <dlezcano at fr.ibm.com>

commit 20d816599f954e7e5864d39884cc0de56f9358fd
Author: Christian Seiler <christian at iwakd.de>
Date:   Thu Feb 23 09:57:13 2012 +0100

    Add function to determine CAP_LAST_CAP of the current kernel dynamically
    
    The function lxc_caps_last_cap() determines CAP_LAST_CAP of the current kernel
    dynamically. It first tries to read /proc/sys/kernel/cap_last_cap. If that
    fails, because the kernel does not support this interface yet, it loops
    through all capabilities and tries to determine whether the current capability
    is part of the bounding set. The first capability for which prctl() fails is
    considered to be CAP_LAST_CAP.
    
    Signed-off-by: Daniel Lezcano <dlezcano at fr.ibm.com>

commit 5781a74a8af3057ce7b561f454e2b5b0925b1f76
Author: Jian Xiao <jian at linux.vnet.ibm.com>
Date:   Thu Feb 23 09:57:13 2012 +0100

    correctly install signal handler for lxc-init
    
    This patch is to correct the manipulation of signal masks when
    installing signal handlers for lxc-init.
    
    Signed-off-by: Jian Xiao <jian at linux.vnet.ibm.com>
    Signed-off-by: Greg Kurz <gkurz at fr.ibm.com>
    Signed-off-by: Daniel Lezcano <dlezcano at fr.ibm.com>

commit 307cf2a670fc8979b84d888f2720a827bcfa5291
Author: Jian Xiao <jian at linux.vnet.ibm.com>
Date:   Thu Feb 23 09:57:13 2012 +0100

    remove redundant LXC_TTY_HANDLER
    
    All the signals (except fatal ones) are redirected to signalfd at lxc_init,
    so the LXC_TTY_HANDLERs are redundant. This patch removes them.
    
    Signed-off-by: Jian Xiao <jian at linux.vnet.ibm.com>
    Signed-off-by: Daniel Lezcano <dlezcano at fr.ibm.com>

-----------------------------------------------------------------------

Summary of changes:
 configure.ac                    |    3 +-
 doc/Makefile.am                 |    1 +
 doc/lxc-attach.sgml.in          |  189 ++++++++++++++++++++++++++
 doc/see_also.sgml.in            |    5 +
 src/lxc/Makefile.am             |    6 +-
 src/lxc/attach.c                |  280 +++++++++++++++++++++++++++++++++++++++
 src/lxc/{monitor.h => attach.h} |   33 +++--
 src/lxc/caps.c                  |   46 +++++++
 src/lxc/caps.h                  |    2 +
 src/lxc/cgroup.c                |   35 +++++-
 src/lxc/cgroup.h                |   11 +-
 src/lxc/conf.c                  |   23 +++
 src/lxc/confile.c               |   52 ++++---
 src/lxc/confile.h               |    8 +
 src/lxc/lxc_attach.c            |  117 ++++++++++++++--
 src/lxc/lxc_init.c              |   22 +++-
 src/lxc/namespace.c             |   47 -------
 src/lxc/namespace.h             |    1 -
 src/lxc/start.c                 |    9 --
 src/lxc/utils.h                 |   29 +----
 20 files changed, 770 insertions(+), 149 deletions(-)
 create mode 100644 doc/lxc-attach.sgml.in
 create mode 100644 src/lxc/attach.c
 copy src/lxc/{monitor.h => attach.h} (58%)


hooks/post-receive
-- 
lxc
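
An added example, not code from the LXC tree, of the capability handling that the lxc-attach and lxc_caps_last_cap commit messages above describe: take the bounding set of the container's init from /proc/<pid>/status, find the last capability of the running kernel, and list what has to be dropped. The function names and the sample status text are assumptions constructed for illustration.

```c
/* Added example, not LXC source; function names are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

/* Highest capability number the running kernel knows, or -1. */
static int last_cap(void)
{
    int cap = -1;
    FILE *f = fopen("/proc/sys/kernel/cap_last_cap", "r");
    int ok = f && fscanf(f, "%d", &cap) == 1;
    if (f) fclose(f);
    if (ok) return cap;
    /* Interface missing: probe until prctl() rejects the number. */
    for (cap = 0; cap < 64 && prctl(PR_CAPBSET_READ, cap, 0, 0, 0) >= 0; cap++)
        ;
    return cap - 1;
}

/* Read CapBnd from /proc/<pid>/status text; 0 on success, -1 otherwise. */
static int parse_capbnd(const char *status, unsigned long long *mask)
{
    /* Match at a line start only: the Name: field is set by the process. */
    const char *p = strstr(status, "\nCapBnd:");
    if (!p)
        return -1;
    return sscanf(p + 8, "%llx", mask) == 1 ? 0 : -1;
}

/* List capabilities 0..last that are absent from mask; returns the count. */
static int caps_to_drop(unsigned long long mask, int last, int *out)
{
    int n = 0;
    for (int cap = 0; cap <= last && cap < 64; cap++)
        if (!(mask & (1ULL << cap)))
            out[n++] = cap;
    return n;
}

int main(void)
{
    /* Constructed sample: bits 16 (CAP_SYS_MODULE), 25 (CAP_SYS_TIME) cleared. */
    unsigned long long mask;
    int drop[64];
    if (parse_capbnd("Name:\tinit\nCapBnd:\t0000000ffdfeffff\n", &mask) < 0)
        return 1;
    for (int i = 0, n = caps_to_drop(mask, last_cap(), drop); i < n; i++)
        printf("would drop capability %d\n", drop[i]);
    return 0;
}
```

On a kernel that knows more capabilities than the sample mask covers, those higher numbers also appear in the drop list, because the upper bound comes from the running kernel and not from compile-time headers.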



