[lxc-devel] [lxc/lxc] b9d369: doc: Add LXC-specific mount option in Japanese lxc...

GitHub noreply at github.com
Mon Sep 21 21:37:55 UTC 2015 

  Branch: refs/heads/stable-1.0
  Home:   https://github.com/lxc/lxc
  Commit: b9d3694d97b9be67820d329992c5e60a1924b98e
      https://github.com/lxc/lxc/commit/b9d3694d97b9be67820d329992c5e60a1924b98e
  Author: KATOH Yasufumi <karma at jazz.email.ne.jp>
  Date:   2015-09-21 (Mon, 21 Sep 2015)

  Changed paths:
    M doc/ja/lxc.container.conf.sgml.in

  Log Message:
  -----------
  doc: Add LXC-specific mount option in Japanese lxc.container.conf(5)

Add the description of optional, create=file/dir for lxc.mount.entry.
This is update for commit f5b67b3.

Signed-off-by: KATOH Yasufumi <karma at jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber at ubuntu.com>


  Commit: c8bfff0b05037741b74b39929a650687b518db25
      https://github.com/lxc/lxc/commit/c8bfff0b05037741b74b39929a650687b518db25
  Author: Serge Hallyn <serge.hallyn at ubuntu.com>
  Date:   2015-09-21 (Mon, 21 Sep 2015)

  Changed paths:
    M config/apparmor/profiles/lxc-default-with-nesting
    M config/templates/Makefile.am
    A config/templates/nesting.conf.in
    M configure.ac

  Log Message:
  -----------
  Add a nesting.conf which can be included to support nesting containers (v2)

Newer kernels have added a new restriction:  if /proc or /sys on the
host has files or non-empty directories which are over-mounted, and
there is no /proc which fully visible, then it assumes there is a
"security" reason for this.  It prevents anyone in a non-initial user
namespace from creating a new proc or sysfs mount.

To work around this, this patch adds a new 'nesting.conf' which can be
lxc.include'd from a container configuration file.  It adds a
non-overmounted mount of /proc and /sys under /dev/.lxc, so that the
kernel can see that we're not trying to *hide* things like /proc/uptime.
and /sys/devices/virtual/net.  If the host adds this to the config file
for container w1, then container w1 will support unprivileged child
containers.

The nesting.conf file also sets the apparmor profile to the with-nesting
variant, since that is required anyway.  This actually means that
supporting nesting isn't really more work than it used to be, just
different.  Instead of adding

lxc.aa_profile = lxc-container-default-with-nesting

you now just need to

lxc.include = /usr/share/lxc/config/nesting.conf

(Look, fewer characters :)

Finally, in order to maintain the current apparmor protections on
proc and sys, we make /dev/.lxc/{proc,sys} non-read/writeable.
We don't need to be able to use them, we're just showing the
kernel what's what.

Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
Acked-by: Stéphane Graber <stgraber at ubuntu.com>


  Commit: 622f4ccae68081925cbd5f73ac68bb94d2581c09
      https://github.com/lxc/lxc/commit/622f4ccae68081925cbd5f73ac68bb94d2581c09
  Author: Christian Brauner <christianvanbrauner at gmail.com>
  Date:   2015-09-21 (Mon, 21 Sep 2015)

  Changed paths:
    M src/lxc/lxc_info.c

  Log Message:
  -----------
  Fix reallocation calculation

Signed-off-by: Christian Brauner <christianvanbrauner at gmail.com>
Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>


  Commit: 8c2e77337493eaa874b9bd08f1f186e04c414ce0
      https://github.com/lxc/lxc/commit/8c2e77337493eaa874b9bd08f1f186e04c414ce0
  Author: Serge Hallyn <serge.hallyn at ubuntu.com>
  Date:   2015-09-21 (Mon, 21 Sep 2015)

  Changed paths:
    M src/lxc/bdev.c

  Log Message:
  -----------
  overlayfs_clone: rsync the mounted rootfs

Closes #655

We can't rsync the delta as unpriv user because we can't create
the chardevs representing a whiteout.  We can however rsync the
rootfs and have the kernel create the whiteouts for us.

do_rsync: pass --delete

Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
Acked-by: Stéphane Graber <stgraber at ubuntu.com>


  Commit: 75b110ea46f36838945c30c4ef5c60fe3a1a0bf2
      https://github.com/lxc/lxc/commit/75b110ea46f36838945c30c4ef5c60fe3a1a0bf2
  Author: Tycho Andersen <tycho.andersen at canonical.com>
  Date:   2015-09-21 (Mon, 21 Sep 2015)

  Changed paths:
    M src/lxc/lxc-checkconfig.in

  Log Message:
  -----------
  lxc-checkconfig: add some more config options

Here's some more config options that we do actually require to be able to
boot containers.

Signed-off-by: Tycho Andersen <tycho.andersen at canonical.com>
Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>


  Commit: f72d69f63ad4218dc486f360a50169ab309a1f72
      https://github.com/lxc/lxc/commit/f72d69f63ad4218dc486f360a50169ab309a1f72
  Author: Serge Hallyn <serge.hallyn at ubuntu.com>
  Date:   2015-09-21 (Mon, 21 Sep 2015)

  Changed paths:
    M src/lxc/utils.c

  Log Message:
  -----------
  lxc_rmdir_onedev: don't fail if path doesn't exist

We're asked to delete it, don't fail if it doesn't exist.

This stops lxc-destroy from failing when the container isn't fully
built.

Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
Acked-by: Stéphane Graber <stgraber at ubuntu.com>


  Commit: 1ae1239a0c6cd08ebbdb2c1bdd55af6288e8a46e
      https://github.com/lxc/lxc/commit/1ae1239a0c6cd08ebbdb2c1bdd55af6288e8a46e
  Author: Serge Hallyn <serge.hallyn at ubuntu.com>
  Date:   2015-09-21 (Mon, 21 Sep 2015)

  Changed paths:
    M src/lxc/bdev.c

  Log Message:
  -----------
  overlayfs_mount: create delta dir if it doesn't exist

(This *should* fix the lxc-test-snapshot testcase, but doesn't seem
to by itself.)

If it doesn't exist, we may as well start with an empty one.  This
is needed when creating an overlayfs snapshot.

Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
Acked-by: Stéphane Graber <stgraber at ubuntu.com>


  Commit: d6e179bbccc335127696e39f55a6e3bda68e652f
      https://github.com/lxc/lxc/commit/d6e179bbccc335127696e39f55a6e3bda68e652f
  Author: Serge Hallyn <serge.hallyn at ubuntu.com>
  Date:   2015-09-21 (Mon, 21 Sep 2015)

  Changed paths:
    M src/lxc/bdev.c

  Log Message:
  -----------
  ovl_rsync: make sure to umount

Otherwise the kernel will umount when it gets around to it, but
that on lxc_destroy we may race with it and fail the rmdir of
the overmounted (BUSY) rootfs.

This makes lxc-test-snapshot pass for me again.

Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
Acked-by: Stéphane Graber <stgraber at ubuntu.com>


  Commit: 0402866cb60f0f69d4018b7069396cb0b4733c3e
      https://github.com/lxc/lxc/commit/0402866cb60f0f69d4018b7069396cb0b4733c3e
  Author: Stéphane Graber <stgraber at ubuntu.com>
  Date:   2015-09-21 (Mon, 21 Sep 2015)

  Changed paths:
    M src/lxc/caps.c
    M src/lxc/caps.h
    M src/lxc/cgmanager.c
    M src/lxc/confile.c
    M src/lxc/genl.c
    M src/lxc/genl.h
    M src/lxc/list.h
    M src/lxc/lxc_attach.c
    M src/lxc/lxc_init.c
    M src/lxc/lxc_start.c
    M src/lxc/lxc_unshare.c
    M src/lxc/lxccontainer.c
    M src/lxc/lxccontainer.h
    M src/lxc/nl.c
    M src/lxc/nl.h
    M src/lxc/start.c
    M src/tests/concurrent.c
    M src/tests/reboot.c

  Log Message:
  -----------
  Fix indentation

I've noticed that a bunch of the code we've included over the past few
weeks has been using 8-spaces rather than tabs, making it all very hard
to read depending on your tabstop setting.

This commit attempts to revert all of that back to proper tabs and fix a
few more cases I've noticed here and there.

No functional changes are included in this commit.

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>


Compare: https://github.com/lxc/lxc/compare/f9419eabe41b...0402866cb60f

More information about the lxc-devel mailing list