[lxc-devel] [lxc/lxc] cd4c25: lxc-opensuse: default release changed to 13.1, as ...

GitHub noreply at github.com
Fri Dec 19 18:51:35 UTC 2014


  Branch: refs/heads/stable-1.0
  Home:   https://github.com/lxc/lxc
  Commit: cd4c250df41822c25b22303dea84ccd3c81a589b
      https://github.com/lxc/lxc/commit/cd4c250df41822c25b22303dea84ccd3c81a589b
  Author: Johannes Kastl <mail at ojkastl.de>
  Date:   2014-12-19 (Fri, 19 Dec 2014)

  Changed paths:
    M templates/lxc-opensuse.in

  Log Message:
  -----------
  lxc-opensuse: default release changed to 13.1, as 12.3 reaches end-of-life soon

Signed-off-by: Johannes Kastl <git at ojkastl.de>
Acked-by: Stéphane Graber <stgraber at ubuntu.com>


  Commit: 96c3d526640d1e1f15052d0c87796ba604d58b50
      https://github.com/lxc/lxc/commit/96c3d526640d1e1f15052d0c87796ba604d58b50
  Author: Johannes Kastl <git at ojkastl.de>
  Date:   2014-12-19 (Fri, 19 Dec 2014)

  Changed paths:
    M templates/lxc-opensuse.in

  Log Message:
  -----------
  lxc-opensuse: Disable building openSUSE containers on 13.2/Tumbleweed only if wrong version of build package is installed

Signed-off-by: Johannes Kastl <git at ojkastl.de>
Acked-by: Stéphane Graber <stgraber at ubuntu.com>


  Commit: 18d8dd1e72354a806452df0779f132c2c069d94b
      https://github.com/lxc/lxc/commit/18d8dd1e72354a806452df0779f132c2c069d94b
  Author: Serge Hallyn <serge.hallyn at ubuntu.com>
  Date:   2014-12-19 (Fri, 19 Dec 2014)

  Changed paths:
    M config/templates/common.seccomp
    M src/lxc/seccomp.c

  Log Message:
  -----------
  seccomp: add rule to reject umount -f

If a container has a bind mount from a host nfs or fuse
filesystem, and does 'umount -f', it will disconnect the
host's filesystem.  This patch adds a seccomp rule to
block umount -f from a container.  It also adds that rule
to the default seccomp profile.

Thanks stgraber for the idea :)

Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
Acked-by: Stéphane Graber <stgraber at ubuntu.com>


  Commit: 5cb9ed613b2b3d8f3d0f1c0c4e41a74bb98fa5b1
      https://github.com/lxc/lxc/commit/5cb9ed613b2b3d8f3d0f1c0c4e41a74bb98fa5b1
  Author: Serge Hallyn <serge.hallyn at ubuntu.com>
  Date:   2014-12-19 (Fri, 19 Dec 2014)

  Changed paths:
    M config/templates/centos.userns.conf.in
    M config/templates/debian.userns.conf.in
    M config/templates/fedora.userns.conf.in
    M config/templates/gentoo.userns.conf.in
    M config/templates/oracle.userns.conf.in
    M config/templates/plamo.userns.conf.in
    M config/templates/ubuntu.userns.conf.in

  Log Message:
  -----------
  Enable seccomp by default for unprivileged users.

In contrast to what the comment above the line disabling it said,
it seems to work just fine.  It also is needed on current kernels
(until Eric's patch hits upstream) to prevent unprivileged containers
from hosing fuse filesystems they inherit.

Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
Acked-by: Stéphane Graber <stgraber at ubuntu.com>


Compare: https://github.com/lxc/lxc/compare/1c5ccb98a75b...5cb9ed613b2b
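
An added illustration, not LXC's code and not part of the commits above, of the kind of rule the seccomp commit message describes: a raw seccomp-BPF deny-list filter that fails umount2() whenever MNT_FORCE is set. The EACCES return value, the function names and the test path are assumptions made for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <unistd.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#if defined(__x86_64__)
#define ARCH_NATIVE AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NATIVE AUDIT_ARCH_AARCH64
#else
#error "define ARCH_NATIVE for this architecture"
#endif
/* Deny-list filter: umount2() with MNT_FORCE set in its flags (arg 1, low 32
 * bits, little-endian layout) fails with EACCES, an errno assumed for this
 * example; every other call is allowed. Foreign-ABI calls are killed. */
static int install_filter(void) {
    struct sock_filter f[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NATIVE, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_umount2, 0, 3),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[1])),
        BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, MNT_FORCE, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EACCES),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof(f) / sizeof(f[0]), .filter = f };
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Calls umount2() on a constructed, nonexistent path in a filtered child.
 * Returns the errno the child saw, 0 on success, -1 if setup failed. */
int umount_errno_under_filter(int flags) {
    int st;
    pid_t pid = fork();
    if (pid == 0) {
        if (install_filter() != 0) _exit(255);
        _exit(umount2("/constructed-nonexistent-mountpoint", flags) == 0 ? 0 : errno);
    }
    if (pid < 0 || waitpid(pid, &st, 0) < 0 || !WIFEXITED(st)) return -1;
    return WEXITSTATUS(st) == 255 ? -1 : WEXITSTATUS(st);
}

int main(void) { return umount_errno_under_filter(MNT_FORCE) == EACCES ? 0 : 1; }
```

The JSET test matches any flag word that contains MNT_FORCE, so combinations such as MNT_FORCE | MNT_DETACH are rejected as well, while an ordinary unmount still reaches the kernel's own permission and path checks.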

