GitHub | 19 Dec 19:51 2014

[lxc/lxc] cd4c25: lxc-opensuse: default release changed to 13.1, as ...

  Branch: refs/heads/stable-1.0
  Home:   https://github.com/lxc/lxc
  Commit: cd4c250df41822c25b22303dea84ccd3c81a589b
      https://github.com/lxc/lxc/commit/cd4c250df41822c25b22303dea84ccd3c81a589b
  Author: Johannes Kastl <mail@...>
  Date:   2014-12-19 (Fri, 19 Dec 2014)

  Changed paths:
    M templates/lxc-opensuse.in

  Log Message:
  -----------
  lxc-opensuse: default release changed to 13.1, as 12.3 reaches end-of-life soon

Signed-off-by: Johannes Kastl <git@...>
Acked-by: Stéphane Graber <stgraber@...>

  Commit: 96c3d526640d1e1f15052d0c87796ba604d58b50
      https://github.com/lxc/lxc/commit/96c3d526640d1e1f15052d0c87796ba604d58b50
  Author: Johannes Kastl <git@...>
  Date:   2014-12-19 (Fri, 19 Dec 2014)

  Changed paths:
    M templates/lxc-opensuse.in

  Log Message:
  -----------
  lxc-opensuse: Disable building openSUSE containers on 13.2/Tumbleweed only if wrong version of build package is installed

GitHub | 19 Dec 19:45 2014

[lxc/lxc] 6166fa: seccomp: add rule to reject umount -f

  Branch: refs/heads/master
  Home:   https://github.com/lxc/lxc
  Commit: 6166fa6d83b23e86a24cc2ab5cfe780fccb0a709
      https://github.com/lxc/lxc/commit/6166fa6d83b23e86a24cc2ab5cfe780fccb0a709
  Author: Serge Hallyn <serge.hallyn@...>
  Date:   2014-12-19 (Fri, 19 Dec 2014)

  Changed paths:
    M config/templates/common.seccomp
    M src/lxc/seccomp.c

  Log Message:
  -----------
  seccomp: add rule to reject umount -f

If a container has a bind mount from a host nfs or fuse
filesystem, and does 'umount -f', it will disconnect the
host's filesystem.  This patch adds a seccomp rule to
block umount -f from a container.  It also adds that rule
to the default seccomp profile.

Thanks stgraber for the idea :)

Signed-off-by: Serge Hallyn <serge.hallyn@...>
Acked-by: Stéphane Graber <stgraber@...>

  Commit: 218f99322c78b7788c0eff1997f95d135741e480
      https://github.com/lxc/lxc/commit/218f99322c78b7788c0eff1997f95d135741e480
  Author: Serge Hallyn <serge.hallyn@...>
  Date:   2014-12-19 (Fri, 19 Dec 2014)

Serge Hallyn | 19 Dec 19:22 2014

[PATCH 1/2] seccomp: add rule to reject umount -f

If a container has a bind mount from a host nfs or fuse
filesystem, and does 'umount -f', it will disconnect the
host's filesystem.  This patch adds a seccomp rule to
block umount -f from a container.  It also adds that rule
to the default seccomp profile.

Thanks stgraber for the idea :)

Signed-off-by: Serge Hallyn <serge.hallyn <at> ubuntu.com>
---
 config/templates/common.seccomp |  1 +
 src/lxc/seccomp.c               | 14 ++++++++++++++
 2 files changed, 15 insertions(+)

diff --git a/config/templates/common.seccomp b/config/templates/common.seccomp
index e6650ef..6f8eeba 100644
--- a/config/templates/common.seccomp
+++ b/config/templates/common.seccomp
 <at>  <at>  -1,5 +1,6  <at>  <at> 
 2
 blacklist
+reject_force_umount  # comment this to allow umount -f;  not recommended
 [all]
 kexec_load errno 1
 open_by_handle_at errno 1
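Review bot: the new 'reject_force_umount' line in common.seccomp carries a trailing '# comment ...' on the same line as the keyword, while the surrounding context lines ('2', 'blacklist', '[all]') are bare tokens. Please confirm that the parser change in src/lxc/seccomp.c ignores everything after the keyword, and say what an lxc built without this patch does when it meets the unknown keyword in a version '2' profile. If either is in doubt, move the comment onto its own line and document the keyword with the rest of the profile format.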
diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index dfdedf2..825d8a1 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
 <at>  <at>  -28,6 +28,7  <at>  <at> 

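The flag test described in the commit message above (fail umount2() only when MNT_FORCE is set, allow every other call), written as a raw seccomp-BPF filter. This is an added example, not code from the patch or from LXC; the function name, the EACCES errno and the non-existent path are assumptions chosen for illustration, and it assumes little-endian x86_64 or aarch64 Linux.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#if defined(__x86_64__)
#define THIS_ARCH AUDIT_ARCH_X86_64   /* x32 calls would need their own rule */
#elif defined(__aarch64__)
#define THIS_ARCH AUDIT_ARCH_AARCH64
#endif

/* Forks a child, installs the filter in it, issues one umount2() with `flags`
 * and returns the errno the child saw (-1 if the filter could not be loaded). */
int umount_errno_under_filter(int flags)
{
    struct sock_filter insns[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, THIS_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),        /* foreign ABI */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_umount2, 0, 3),
        /* low 32 bits of args[1] (the flags) on a little-endian machine */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[1])),
        BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, MNT_FORCE, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EACCES),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof(insns) / sizeof(insns[0]), .filter = insns };
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
            prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
            _exit(255);
        errno = 0;  /* constructed path; only the resulting errno matters */
        syscall(__NR_umount2, "/nonexistent-example-mountpoint", flags);
        _exit(errno);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) == 255)
        return -1;
    return WEXITSTATUS(status);
}
```

With the filter loaded, any umount2() whose flags include MNT_FORCE fails with EACCES, while a plain umount2() still reaches the kernel's normal permission and path checks.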
Kunal Kushwaha | 18 Dec 18:46 2014

[LXD] Default routes changes.

Hi,

With ref to LXD issue #114 

There are two ways to implement the default roots.

1. Initialize within code.
Instead of initializing with empty Config Structure at  

remotes := map[string]RemoteConfig{
    "images": RemoteConfig{"https+registry://registry.linuxcontainers.org"},
    "local":  RemoteConfig{"unix+lxd://var/lib/lxd/socket"},
}

defaultConfig := &Config{
    TestOption:    "",
    DefaultRemote: "",
    Remotes:       remotes,
    ListenAddr:    "80",
}



2. Create a default config file.
During installation, a default config.yml can be created with default settings.

---
test-option:
default-remote:
remotes:
  images:
    addr: https+registry://registry.linuxcontainers.org
  local:
    addr: unix+lxd://var/lib/lxd/socket
listen-addr: 80


Which approach is better?


Regards,
Kunal Kushwaha


_______________________________________________
lxc-devel mailing list
lxc-devel <at> lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel
Serge Hallyn | 18 Dec 18:23 2014

[PATCH 1/1] apparmor: prevent force umount

it will cause hangup of the fuse fs on host.

Note we could limit this to fuse filesystems only, but I can't see a
good reason to allow force umount from container at all at the moment.

Signed-off-by: Serge Hallyn <serge.hallyn <at> ubuntu.com>
---
 config/apparmor/abstractions/container-base    | 3 +++
 config/apparmor/abstractions/container-base.in | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base
index 2d5fd7a..4faed77 100644
--- a/config/apparmor/abstractions/container-base
+++ b/config/apparmor/abstractions/container-base
 <at>  <at>  -3,6 +3,9  <at>  <at> 
   file,
   umount,

+  # prevent containers from causing nfs/fuse hangup on host
+  deny umount options=(force),
+
   # dbus, signal, ptrace and unix are only supported by recent apparmor
   # versions. Comment them if the apparmor parser doesn't recognize them.

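Review bot: the added comment in container-base names an nfs/fuse hangup, but 'deny umount options=(force),' directly under the blanket 'umount,' rule denies forced unmount for every filesystem type. The commit message says that breadth is intended, so the comment should say it too (for example "deny all force umount; it can hang nfs/fuse on the host"), so that the rule is not later narrowed on the assumption that only fuse matters.
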
diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
index 2065735..56f4da9 100644
--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
 <at>  <at>  -3,6 +3,9  <at>  <at> 
   file,
   umount,

+  # prevent containers from causing nfs/fuse hangup on host
+  deny umount options=(force),
+
   # dbus, signal, ptrace and unix are only supported by recent apparmor
   # versions. Comment them if the apparmor parser doesn't recognize them.

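Review bot: container-base.in receives exactly the same three lines as container-base; if container-base is generated from the .in template at build time, patching both by hand invites drift and only the template should need the change. Separately, the context lines warn that some rules need a recent apparmor parser, so it would help to state whether 'umount options=(force)' is accepted by the oldest parser the project supports, since a parse error here affects every container profile that includes this abstraction.
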
-- 
2.1.0

Till Walter | 16 Dec 10:36 2014

Valid Container Names/Identifiers

Dear LXC Developers,

the manual page of lxc-create states that "The container identifier
format is an alphanumeric string". Yet besides [A-Za-z0-9] other
characters like underscore are also fine.
I had a brief look at the source but did not find any check, e.g.,
using a regex. Is there any check at all? What are valid container
identifiers/names?
I am asking because I am using the official python bindings to write a
little utility and want to avoid container naming problems that may
arise.

Best regards,

BB

Johannes Kastl | 12 Dec 21:51 2014

[PATCH] lxc-opensuse default release changed to 13.1, as 12.3 reaches end-of-life soon


Hi everyone,

as openSUSE 12.3 reaches end-of-life soon, I added a patch that
changes the default release in the lxc-opensuse template to 13.1. This
patch is against master, I'll send a patch against stable-1.0 soon.

Here is the 'Advance discontinuation notice for openSUSE 12.3':
> http://lists.opensuse.org/opensuse-security-announce/2014-12/msg00005.html

I do not know if it's possible to have this in 1.1 but it would be
nice. As it's too late for 1.0.7 already...

I'm looking forward to any comments, hints and such.

Regards,
Johannes
-- 
Insane people throw computers out of windows, sane people...

Johannes Kastl | 8 Dec 20:51 2014

Building lxc 1.1 from spec: configure and automake


Hi everyone,

as 1.1 seems to be getting nearer, I wanted to start building packages
for openSUSE. First thing I ran into is the missing configure, so one
has to run autogen.sh first. (This is different on 1.0.x).

Unfortunately, this does not work (in my tests) with the upstream
spec, at least not out of the box. I found a hack that defines
%_configure to run autogen.sh, but then configure is not called correctly.

How could this be handled in the spec?

I also had to add automake as BuildRequires, otherwise autogen.sh does
not find aclocal...

Regards,
Johannes
-- 
I still maintain the point that designing a monolithic kernel in 1991
is a fundamental error. Be thankful you are not my student. You would
not get a high grade for such a design.
(Andrew Tanenbaum to Linus Torvalds)
Travis CI | 5 Dec 19:52 2014

Passed: lxc/lxc#782 (lxc-1.0.7 - 1c5ccb9)

lxc / lxc (lxc-1.0.7)
Build #782 passed.
6 minutes and 18 seconds
Stéphane Graber 1c5ccb9 Changeset →
  change version to 1.0.7 in configure.ac

Signed-off-by: Stéphane Graber <stgraber-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org>

GitHub | 5 Dec 19:37 2014

[lxc/lxc] 1c5ccb: change version to 1.0.7 in configure.ac

  Branch: refs/heads/stable-1.0
  Home:   https://github.com/lxc/lxc
  Commit: 1c5ccb98a75b41caa135465c5df5f4d1f7a75759
      https://github.com/lxc/lxc/commit/1c5ccb98a75b41caa135465c5df5f4d1f7a75759
  Author: Stéphane Graber <stgraber@...>
  Date:   2014-12-05 (Fri, 05 Dec 2014)

  Changed paths:
    M configure.ac

  Log Message:
  -----------
  change version to 1.0.7 in configure.ac

Signed-off-by: Stéphane Graber <stgraber@...>

GitHub | 5 Dec 19:38 2014

[lxc/lxc]

  Branch: refs/tags/lxc-1.0.7
  Home:   https://github.com/lxc/lxc