[lxc-devel] [lxc/lxc] 673a28: fix signal sending in lxc.init
GitHub
noreply at github.com
Fri Apr 20 09:23:56 UTC 2018
Branch: refs/heads/stable-3.0
Home: https://github.com/lxc/lxc
Commit: 673a28fa0e3e942e169fc17ea7b0b10a5137930f
https://github.com/lxc/lxc/commit/673a28fa0e3e942e169fc17ea7b0b10a5137930f
Author: Tycho Andersen <tycho at tycho.ws>
Date: 2018-04-20 (Fri, 20 Apr 2018)
Changed paths:
M src/lxc/start.c
Log Message:
-----------
fix signal sending in lxc.init
The problem here is that these two clauses were ordered backwards: we first
check if the signal came from not the init pid, and if it did, then we give
a notice and return. The comment notes that this is intended to protect
against SIGCHLD, but we don't in fact know if the signal is a SIGCHLD yet,
because that's tested in the next hunk.
The symptom is that if I e.g. send SIGTERM from the outside world to the
container init, it ignores it and gives this notice. If we re-order these
clauses, it forwards non SIGCHLD signals, and ignores SIGCHLD signals from
things that aren't the real container process.
Signed-off-by: Tycho Andersen <tycho at tycho.ws>
Commit: c46adf566d3f089ab2f2f7182317a9b90b298498
https://github.com/lxc/lxc/commit/c46adf566d3f089ab2f2f7182317a9b90b298498
Author: Guido Jäkel <g.jaekel at dnb.de>
Date: 2018-04-20 (Fri, 20 Apr 2018)
Changed paths:
M src/lxc/conf.c
Log Message:
-----------
rootfs pinning: On NFS, make file hidden but don't delete it
On NFS, avoid random names of the root pin file due to "NFS silly renaming" but use a fixed hidden name instead.
Commit: 55263432dd24ffbdfb73e087c2584aa082c92060
https://github.com/lxc/lxc/commit/55263432dd24ffbdfb73e087c2584aa082c92060
Author: Christian Brauner <christian.brauner at ubuntu.com>
Date: 2018-04-20 (Fri, 20 Apr 2018)
Changed paths:
M src/lxc/conf.c
Log Message:
-----------
conf: fix temporary file creation
lxc_make_tmpfile() uses mkstemp() internally, and thus expects the
template to contain 'XXXXXX' and be writable.
Signed-off-by: Thomas Moschny <thomas.moschny at gmx.de>
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
Commit: 022143c440395fff3467da72bc7d137c9b02f276
https://github.com/lxc/lxc/commit/022143c440395fff3467da72bc7d137c9b02f276
Author: Christian Brauner <christian.brauner at ubuntu.com>
Date: 2018-04-20 (Fri, 20 Apr 2018)
Changed paths:
M src/lxc/ringbuf.c
Log Message:
-----------
ringbuf: fix temporary file creation
lxc_make_tmpfile() uses mkstemp() internally, and thus expects the
template to contain 'XXXXXX' and be writable.
Signed-off-by: Thomas Moschny <thomas.moschny at gmx.de>
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
Commit: dd12412a53a7a3cf3b260acc4646b4a96d5374b7
https://github.com/lxc/lxc/commit/dd12412a53a7a3cf3b260acc4646b4a96d5374b7
Author: Fabrice Fontaine <fontaine.fabrice at gmail.com>
Date: 2018-04-20 (Fri, 20 Apr 2018)
Changed paths:
M configure.ac
M src/lxc/Makefile.am
Log Message:
-----------
Fix compilation with static libcap and shared gnutls
Commit c06ed219c47098f34485d408410b6ecc94a40877 has broken
compilation with a static libcap and a shared gnutls.
This results in a build failure on init_lxc_static if gnutls is
a shared library as init_lxc_static is built with -all-static option
(see src/lxc/Makefile.am) and AC_CHECK_LIB adds gnutls to LIBS.
This commit fixes the issue by removing the default behavior of AC_CHECK_LIB
and manually handling GNUTLS_LIBS and HAVE_LIBGNUTLS
Fixes:
- http://autobuild.buildroot.net/results/b655d6853c25a195df28d91512b3ffb6c654fc90
Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
Commit: d26615b68100960108ce4985ad47d8e5627239ab
https://github.com/lxc/lxc/commit/d26615b68100960108ce4985ad47d8e5627239ab
Author: Christian Brauner <christian.brauner at ubuntu.com>
Date: 2018-04-20 (Fri, 20 Apr 2018)
Changed paths:
M src/lxc/attach.c
Log Message:
-----------
attach: always drop supplementary groups
Closes #1704.
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
Commit: 4fc43a4905cccdd9d3e9e90f7e6582e29d926600
https://github.com/lxc/lxc/commit/4fc43a4905cccdd9d3e9e90f7e6582e29d926600
Author: C0deAi <benjamin.bales at assrc.us>
Date: 2018-04-20 (Fri, 20 Apr 2018)
Changed paths:
M src/lxc/cmd/lxc_init.c
Log Message:
-----------
lxc init: remove dead code
Value stored is never read.
Closes #2262.
Signed-off-by: C0deAi <techsupport at mycode.ai>
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
Commit: 21dae50a86d17f70fa7a3b3c4602c950d141b851
https://github.com/lxc/lxc/commit/21dae50a86d17f70fa7a3b3c4602c950d141b851
Author: C0deAi <benjamin.bales at assrc.us>
Date: 2018-04-20 (Fri, 20 Apr 2018)
Changed paths:
M src/lxc/storage/rsync.c
Log Message:
-----------
storage/rsync: free memory on error
Closes #2262.
Signed-off-by: C0deAi <techsupport at mycode.ai>
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
Commit: 7292d5996753261d5ebafe0a64f9ea2b8a104c41
https://github.com/lxc/lxc/commit/7292d5996753261d5ebafe0a64f9ea2b8a104c41
Author: C0deAi <benjamin.bales at assrc.us>
Date: 2018-04-20 (Fri, 20 Apr 2018)
Changed paths:
M src/lxc/tools/tool_utils.c
Log Message:
-----------
tools/utils: free memory on error
Closes #2262.
Signed-off-by: C0deAi <techsupport at mycode.ai>
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
Commit: 547199c2774537357d2ca4f4755d02bed028ca10
https://github.com/lxc/lxc/commit/547199c2774537357d2ca4f4755d02bed028ca10
Author: Christian Brauner <christian.brauner at ubuntu.com>
Date: 2018-04-20 (Fri, 20 Apr 2018)
Changed paths:
M src/lxc/cmd/lxc_init.c
Log Message:
-----------
lxc init: coding style
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
Commit: 1223bf7abd6b9d158bec1714ee01dde0a1a5d316
https://github.com/lxc/lxc/commit/1223bf7abd6b9d158bec1714ee01dde0a1a5d316
Author: Christian Brauner <christian.brauner at ubuntu.com>
Date: 2018-04-20 (Fri, 20 Apr 2018)
Changed paths:
M src/lxc/utils.h
Log Message:
-----------
utils: define __NR_setns if missing on old glibcs
Closes #2248.
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
Commit: 315350e30118619c6fea9a7152da19c5256cf2b8
https://github.com/lxc/lxc/commit/315350e30118619c6fea9a7152da19c5256cf2b8
Author: Christian Brauner <christian.brauner at ubuntu.com>
Date: 2018-04-20 (Fri, 20 Apr 2018)
Changed paths:
M src/lxc/attach.c
Log Message:
-----------
attach: try to always drop supplementary groups
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
Commit: d0e5f7fead72e11712d0acfd91b25f72d28cf0c5
https://github.com/lxc/lxc/commit/d0e5f7fead72e11712d0acfd91b25f72d28cf0c5
Author: Christian Brauner <christian.brauner at ubuntu.com>
Date: 2018-04-20 (Fri, 20 Apr 2018)
Changed paths:
M src/lxc/conf.c
Log Message:
-----------
conf: ret-try devpts mount without gid=5 on error
We should always default to mounting devpts with gid=5 but we should fall back
to mounting without gid=5. This lets us cover use-cases such as containers
started with only a single mapping e.g.:
    lxc.idmap = u 1000 1000 1
    lxc.idmap = g 1000 1000 1
Closes #2257.
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
Commit: 0705862d8f26205877ad16c795c0955b17d48e3d
https://github.com/lxc/lxc/commit/0705862d8f26205877ad16c795c0955b17d48e3d
Author: Christian Brauner <christian.brauner at ubuntu.com>
Date: 2018-04-20 (Fri, 20 Apr 2018)
Changed paths:
M src/lxc/conf.c
M src/lxc/execute.c
M src/lxc/start.h
Log Message:
-----------
execute: fix app containers without root mapping
When application containers without a mapping for container root are
started, a dummy bind-mount target for lxc-init needs to be created. This will
not always work directly under "/" when e.g. permissions are missing due to the
ownership and/or mode of "/". We can try to work around this by using the
P_tmpdir as defined in POSIX which should usually land us in /tmp where
basically everyone can create files.
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
Commit: 19e75fa049061daee147c46928e49e5669e62e03
https://github.com/lxc/lxc/commit/19e75fa049061daee147c46928e49e5669e62e03
Author: Jakub Skokan <jakub.skokan at havefun.cz>
Date: 2018-04-20 (Fri, 20 Apr 2018)
Changed paths:
M src/lxc/conf.c
Log Message:
-----------
conf: fix net type checks in run_script_argv()
Signed-off-by: Jakub Skokan <jakub.skokan at havefun.cz>
Commit: babd8f1dd2df6d894de723a2229a418a900d35eb
https://github.com/lxc/lxc/commit/babd8f1dd2df6d894de723a2229a418a900d35eb
Author: Christian Brauner <christian.brauner at ubuntu.com>
Date: 2018-04-20 (Fri, 20 Apr 2018)
Changed paths:
M src/lxc/seccomp.c
Log Message:
-----------
seccomp: handle arch inversion
This commit deals with different kernel and userspace layouts and nesting. Here
are three examples:
1. 64bit kernel and 64bit userspace running 32bit containers
2. 64bit kernel and 32bit userspace running 64bit containers
3. 64bit kernel and 64bit userspace running 32bit containers running 64bit containers
Two things to look out for:
1. The compat arch that is detected might have already been present in the main
context. So check that it actually hasn't been and only then add it.
2. The contexts don't need merging if the architectures are the same and also can't be.
With these changes I can run all crazy/weird combinations with proper seccomp
isolation.
Closes #654.
Link: https://bugs.chromium.org/p/chromium/issues/detail?id=832366
Reported-by: Chirantan Ekbote <chirantan at chromium.org>
Reported-by: Sonny Rao <sonnyrao at chromium.org>
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
Commit: afc8fc3db59aacb9f6a503064f265394500c037f
https://github.com/lxc/lxc/commit/afc8fc3db59aacb9f6a503064f265394500c037f
Author: Christian Brauner <christian.brauner at ubuntu.com>
Date: 2018-04-20 (Fri, 20 Apr 2018)
Changed paths:
M src/lxc/seccomp.c
Log Message:
-----------
seccomp: handle all errors
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
Commit: 64be1522a26ea10b7efe1b0e5e4614b5504a4a66
https://github.com/lxc/lxc/commit/64be1522a26ea10b7efe1b0e5e4614b5504a4a66
Author: Christian Brauner <christian.brauner at ubuntu.com>
Date: 2018-04-20 (Fri, 20 Apr 2018)
Changed paths:
M src/lxc/seccomp.c
Log Message:
-----------
seccomp: cleanup compat architecture handling
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
Commit: d2897a42e16df3cb2b0723f04e91e3ff2601242a
https://github.com/lxc/lxc/commit/d2897a42e16df3cb2b0723f04e91e3ff2601242a
Author: Christian Brauner <christian.brauner at ubuntu.com>
Date: 2018-04-20 (Fri, 20 Apr 2018)
Changed paths:
M src/lxc/seccomp.c
Log Message:
-----------
seccomp: improve logging
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
Commit: 4067cf38020e84bf3b5a790a86182e315c07d5f5
https://github.com/lxc/lxc/commit/4067cf38020e84bf3b5a790a86182e315c07d5f5
Author: Christian Brauner <christian.brauner at ubuntu.com>
Date: 2018-04-20 (Fri, 20 Apr 2018)
Changed paths:
M doc/lxc-execute.sgml.in
M src/lxc/tools/lxc_execute.c
Log Message:
-----------
tools: document -d/--daemonize for lxc-execute
Closes #2280.
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
Commit: 5c65ad370b1c7b2efeb1eece22c5def334980537
https://github.com/lxc/lxc/commit/5c65ad370b1c7b2efeb1eece22c5def334980537
Author: Christian Brauner <christian.brauner at ubuntu.com>
Date: 2018-04-20 (Fri, 20 Apr 2018)
Changed paths:
M src/lxc/seccomp.c
M src/tests/api_reboot.c
Log Message:
-----------
seccomp: non-functional changes
Rename "compat_ctx" to "contexts" and "compat_arch" to "architectures".
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
Commit: 603454726d251f6353d4cdf7cf48be1a0f1e0a47
https://github.com/lxc/lxc/commit/603454726d251f6353d4cdf7cf48be1a0f1e0a47
Author: Christian Brauner <christian.brauner at ubuntu.com>
Date: 2018-04-20 (Fri, 20 Apr 2018)
Changed paths:
M src/lxc/seccomp.c
Log Message:
-----------
seccomp: handle arch inversion II
LXC generates and loads the seccomp-bpf filter in the host/container which
spawn the new container. In other words, userspace N is responsible for
generating and loading the seccomp-bpf filter which restricts userspace N + 1.
Assume 64bit kernel and 32bit userspace running a 64bit container. In this case
the 32-bit x86 userspace is used to create a seccomp-bpf filter for a 64-bit
userspace. Unless one explicitly adds the 64-bit ABI to the libseccomp filter,
or adjusts the default behavior for "BAD_ARCH", *all* 64-bit x86 syscalls will
be blocked.
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
Suggested-by: Paul Moore <paul at paul-moore.com>
Commit: d0adf63a044d3490bf95e320282189d245e09c27
https://github.com/lxc/lxc/commit/d0adf63a044d3490bf95e320282189d245e09c27
Author: Felix Abecassis <fabecassis at nvidia.com>
Date: 2018-04-20 (Fri, 20 Apr 2018)
Changed paths:
M templates/lxc-oci.in
Log Message:
-----------
lxc-oci: mkdir the download directory
Signed-off-by: Felix Abecassis <fabecassis at nvidia.com>
Compare: https://github.com/lxc/lxc/compare/3a227957f3fa...d0adf63a044d