Age | Commit message | Author |
|
containers on a 64bit host
|
|
It should match on the driver of the parent device.
|
|
And make use of it where appropriate for executing services and for
nspawn.
|
|
Also enforce that we don't allow setting the Broadcast for IPv6 addresses.
|
|
Either it is shared across threads, or it is per-thread: decide.
Reading the source code, I see a thread_local identifier, so that's
that. But that does not yet preclude that a program may pass around
the pointer returned from the function among its own threads.
Do a best effort at saying so.
|
|
Shift the asterisks in the documentation's prototypes such that they
are consistent among each other. Use the right side to match source code.
|
|
I suggest the following changes to improve the way the text reads
("flows").
|
|
Issues fixed:
* missing words required by grammar
* duplicated or extraneous words
* inappropriate forms (e.g. singular/plural), and declinations
* orthographic misspellings
|
|
Resolve spotted issues related to missing or extraneous commas, dashes.
|
|
AS_HELP_STRING has been observed to expand such that the surround
function complains; play it safe and consistently quote the example
code throughout.
|
|
This reverts commit 29e254f7f093c07a1ec7e845e60203357f585235.
Conflicts:
man/systemd.service.xml
|
|
This adds the host side of the veth link to the given bridge.
Also refactor the creation of the veth interfaces a bit to set it up
from the host rather than the container. This simplifies the addition
to the bridge, but otherwise the behavior is unchanged.
|
|
Several sections of the man pages included intermixed tabs and spaces;
this commit replaces all tabs with spaces.
|
|
Actually 'STDOUT' is something that doesn't appear anywhere: in the
stdlib we have 'stdin', and there's only the constant STDOUT_FILENO,
so there's no reason to use capitals. When referring to code,
STDOUT/STDOUT/STDERR are replaced with stdin/stdout/stderr, and in
other places they are replaced with normal phrases like standard
output, etc.
|
|
* standardize capitalization of STDIN, STDOUT, and STDERR
* reword some sentences for clarity
* reflow some very long lines to be shorter than ~80 characters
* add some missing <literal>, <constant>, <varname>, <option>, and <filename> tags
|
|
actual sources, so that we don't get spurious newlines in the man page output
|
|
The behavior of this is a little cryptic in that $MAINPID must exit as
a direct result of receiving a signal in order for a listed signal to
be considered a success condition.
|
|
into the container
|
|
This is useful to prohibit execution of non-native processes on systems,
for example 32bit binaries on 64bit systems, thus lowering the attack
surface on incorrect syscall and ioctl 32→64bit mappings.
|
|
architecture support for system calls
Also, turn system call filter bus properties into complex types instead
of concatenated strings.
|
|
- Allow configuration of an errno error to return from blacklisted
syscalls, instead of immediately terminating a process.
- Fix parsing logic when libseccomp support is turned off
- Only keep the actual syscall set in the ExecContext, and generate the
string version only on demand.
|
|
I only tested with python-lxml. I'm not sure if xml.etree should be
deprecated.
|
|
This allows customization of the arguments used by less. The main
motivation is that some folks might not like having --no-init on every
invocation of less.
|
|
of this
|
|
or services) as machine with machined
|
|
the container with machined
|
|
Also limit the range of vlan ids. Other implementations and
documentation use the ranges {0,1}-{4094,4095}, but we use
the one accepted by the kernel: 0-4094.
Reported-by: Oleksii Shevchuk <alxchk@gmail.com>
|
|
namespacing
|
|
Let's always call the security labels the same way:
SMACK: "Smack Label"
SELINUX: "SELinux Security Context"
And the low-level encapsulation is called "seclabel". Now let's hope we
stick to this vocabulary in future, too, and don't mix "label"s and
"security contexts" and so on wildly.
|
|
-, like for other settings.
Also remove call to security_check_context, as this doesn't serve anything, since
setexeccon will fail anyway.
|
|
This permits system administrators to decide the domain of a service.
This can be used with templated units to have each service in a different
domain (for example, a per customer database, using MLS or anything),
or can be used to force a non selinux enabled system (jvm, erlang, etc)
to start in a different domain for each service.
|
|
http://bugs.debian.org/738316
|
|
http://bugs.debian.org/738316
|
|
the API file systems, nothing else
|
|
Both in the configuration file format and everywhere else in the code.
|
|