3c957acf86
nspawn: reset supplementary and main group id before entering nspawn
2012-11-22 00:45:22 +01:00
27407a01c6
nspawn: use automatic cleanup and provide debug info
...
The documentation for --link-journal is also reworded.
2012-10-02 14:56:26 +02:00
963ddb917d
log: fix repeated invocation of vsnprintf()/vaprintf() in log_struct()
...
https://bugs.freedesktop.org/show_bug.cgi?id=55213
2012-09-24 23:26:46 +02:00
77e63fafa5
nspawn: document why we don't check resolv.conf mount errors
2012-09-21 16:55:56 +02:00
d40361453b
nspawn: we can't overmount /etc/localtime anymore since it's usually a symlink now
...
Create the right symlink if possible for /etc/localtime
2012-09-21 16:54:54 +02:00
89154bd4ac
nspawn: fix memleak introduced with automatic cleanup
...
6b2d0e8
2012-09-16 16:33:20 +02:00
25ea79fe07
nspawn: use automatic cleanup for umask
2012-09-16 16:20:09 +02:00
ed8b7a3ee5
nspawn: _cleanup_free_ more
2012-09-16 16:20:09 +02:00
6b2d0e85dc
nspawn: use automatic cleanup
...
This one actually clears up a (totally harmless) memleak.
2012-09-16 16:20:09 +02:00
ede89845a4
nspawn: mount tmpfs on /dev/shm
...
Most things seem to function fine without /dev/shm, but it is expected
to be there (quoting linux/Documentation/filesystems/tmpfs.txt:
glibc 2.2 and above expects tmpfs to be mounted at /dev/shm for POSIX
shared memory (shm_open, shm_unlink)).
Since /tmp/ is already mounted as tmpfs, it would be enough to mkdir
/tmp/shm and chmod it. Mounting it separately has the advantage that
it can be easily remounted to change the quota.
2012-09-16 16:20:09 +02:00
d87be9b0af
nspawn: handle poweroff/reboot nicely in containers
2012-09-05 16:23:41 -07:00
3eabccc46c
nspawn: don't provide /dev/rtc0 in the container
...
Since RTCs are hardware devices and are very much shared resources we
should avoid to provide them in each container.
2012-09-05 15:27:07 -07:00
04bc4a3f47
nspawn: generate a new randomized boot ID for each container
2012-09-05 14:39:16 -07:00
9c1c7f712d
nspawn: if a file system comes pre-mounted, still do the read-only remounts
2012-09-05 14:16:41 -07:00
014a9c777b
nspawn: skip mounts if already mounted
2012-09-04 16:33:13 -07:00
e65aec12ae
nspawn: mount a clean instance of sysfs
2012-09-04 16:32:43 -07:00
4fc9982cb0
nspawn: add /dev FD symlinks in container setup
...
This creates /dev/fd, /dev/stdin, /dev/stdout, /dev/stderr, and
/dev/core as symlinks to /proc on container creation. Except for
/dev/core, these are needed for shells like bash to be fully functional.
2012-08-21 17:19:38 +02:00
1e41be2015
nspawn,namespaces: make sure we recursively bind mount things in
...
We want to make sure that everything from the host is also visible in
the sandbox.
2012-08-13 16:25:03 +02:00
b4c59701f8
nspawn: unset a few unnecessary params to mount()
2012-08-13 16:23:31 +02:00
6f67a45d8e
nspawn: inherit mounts from real root, don't propagate mounts to real root
2012-08-13 15:23:10 +02:00
0d0f0c50d3
log.h: new log_oom() -> int -ENOMEM, use it
...
also a number of minor fixups and bug fixes: spelling, oom errors
that didn't print errors, not properly forwarding error codes,
few more consistency issues, et cetera
2012-07-26 11:48:26 +02:00
669241a076
use "Out of memory." consistantly (or with "\n")
...
glibc/glib both use "out of memory" consistantly so maybe we should
consider that instead of this.
Eliminates one string out of a number of binaries. Also fixes extra newline
in udev/scsi_id
2012-07-25 11:23:57 +02:00
db7feb7e9c
nspawn: generate proper error messages in the child
2012-07-19 02:03:42 +02:00
57fb9fb56d
nspawn: introduce new --link-journal= switch to link container journals into host
2012-07-19 02:02:39 +02:00
d05c5031ad
unit: introduce %s specifier for the user shell
2012-07-16 12:34:54 +02:00
5076f0ccfd
nspawn: introduce new --capabilities= flag and make use of it in the nspawn test case
2012-06-28 14:05:16 +02:00
d2e54fae5c
mkdir: append _label to all mkdir() calls that explicitly set the selinux context
2012-05-31 12:40:20 +02:00
ec8927ca59
main: add configuration option to alter capability bounding set for PID 1
...
This also ensures that caps dropped from the bounding set are also
dropped from the inheritable set, to be extra-secure. Usually that should
change very little though as the inheritable set is empty for all our uses
anyway.
2012-05-24 04:00:56 +02:00
9eb977db5b
util: split-out path-util.[ch]
2012-05-08 02:33:10 +02:00
bc2f673ec2
nspawn: add --read-only switch
2012-04-25 15:11:20 +02:00
2547bb414c
nspawn: bind mount /etc/resolv.conf from the host by default
2012-04-25 15:08:00 +02:00
144f0fc0c8
nspawn: add --uuid= switch to allow setting the machine id for the container
2012-04-22 14:48:21 +02:00
0f0dbc46cc
nspawn: add -b switch to automatically look for an init binary
2012-04-22 14:11:32 +02:00
3a74cea5e4
nspawn: be more careful when initializing the hostname from the directory name
2012-04-22 01:01:22 +02:00
f1e5dfe2c0
nspawn: make /dev/kmsg unavailable in the container, but allow access to /proc/kmsg
2012-04-22 00:32:53 +02:00
4d46fec56d
remove MS_* which can not be combined with current kernel code
...
MS_BIND|MS_MOVE can not be combined:
do_mount()
else if (flags & MS_BIND)
do_loopback(&path, dev_name, flags & MS_REC);
[...]
else if (flags & MS_MOVE)
do_move_mount(&path, dev_name);
MS_REMOUNT|MS_UNBINDABLE can not be combined:
do_mount()
if (flags & MS_REMOUNT)
do_remount(&path, flags & ~MS_REMOUNT, mnt_flags, data_page);
[...]
else if (flags & (MS_SHARED | MS_PRIVATE | MS_SLAVE | MS_UNBINDABLE))
do_change_type(&path, flags);
2012-04-18 13:37:45 +02:00
b562f5a57d
build-sys: add stub makefiles to all subdirs to ease development with emacs
2012-04-13 21:37:59 +02:00
9537eab070
nspawn: add missing include lines
2012-04-13 21:37:59 +02:00
e58a12770c
nspawn: fake /dev/kmsg and /proc/kmsg as fifo
2012-04-13 18:52:52 +02:00
dce818b390
move all tools to subdirs
2012-04-12 17:54:42 +02:00
Lennart Poettering