Age | Commit message | Author | |
---|---|---|---|
2013-03-07 | nspawn: create a separate devpts namespace for nspawn containers | Lennart Poettering | |
2013-02-27 | nspawn: environment would be truncated with TERM unset | Zbigniew Jędrzejewski-Szmek | |
2013-02-25 | nspawn: add --bind= and --bind-ro= to bind mount host paths into the container | Lennart Poettering | |
2013-02-25 | Revert "nspawn: catch config mistake of specifying -b and args" | Michal Schmidt | |
This reverts commit cb96a2c69a312fb089fef4501650f4fc40a1420b. It is not a mistake to pass args when -b is specified. They will simply be passed on to the container's init. The manpage needs fixing, that's true. | |||
2013-02-24 | nspawn: catch config mistake of specifying -b and args | Zbigniew Jędrzejewski-Szmek | |
2013-02-14 | nspawn: fail if unable to close pipe | Zbigniew Jędrzejewski-Szmek | |
2013-02-14 | nspawn: print PID and show how to enter the namespace | Zbigniew Jędrzejewski-Szmek | |
systemd-nspawn will now print the PID of the child. An example showing how to enter the container is added to the man page. Support for nsenter without an explicit command was added in https://github.com/karelzak/util-linux/commit/5758069 (post v2.22.2). So this example requires both a new kernel and the latest util-linux. | |||
2013-02-14 | honor SELinux labels, when creating and writing config files | Harald Hoyer | |
Also split out some fileio functions to fileio.c and provide a SELinux aware pendant in fileio-label.c see https://bugzilla.redhat.com/show_bug.cgi?id=881577 | |||
2013-01-26 | nspawn: assume stdout is always writable if it does not support epoll | Michal Schmidt | |
stdout can be redirected to a regular file. Regular files don't support epoll. nspawn failed with: "Failed to register fds in epoll: Operation not permitted". If stdout does not support epoll, assume it's always writable. | |||
2013-01-18 | nspawn: add audit caps to default set to keep | Lennart Poettering | |
Due to the brokenness of much of the userspace audit code we cannot really start too many systems without the audit caps set. To make nspawn easier to use just add the audit caps by default. To boot up containers successfully the kernel's auditing needs to be turned off still (use "audit=0" on the kernel command line), but at least no manual caps have to be passed anymore. In the long run auditing will be fixed for containers and be virtualized properly at which time it should be safe to enable these caps anyway. | |||
2013-01-11 | nspawn: add --version | Zbigniew Jędrzejewski-Szmek | |
2012-12-22 | nspawn: try to orderly shutdown container when receiving SIGTERM | Lennart Poettering | |
2012-12-22 | nspawn: allow passing socket activation fds through nspawn | Lennart Poettering | |
2012-12-22 | nspawn: allow nspawn to be invoked without tty | Lennart Poettering | |
This allows invoking nspawn containers as systemd services, to create a minimal, light-weight OS container solution for servers. | |||
2012-11-22 | nspawn: reset supplementary and main group id before entering nspawn | Lennart Poettering | |
2012-10-02 | nspawn: use automatic cleanup and provide debug info | Zbigniew Jędrzejewski-Szmek | |
The documentation for --link-journal is also reworded. | |||
2012-09-24 | log: fix repeated invocation of vsnprintf()/vaprintf() in log_struct() | Lennart Poettering | |
https://bugs.freedesktop.org/show_bug.cgi?id=55213 | |||
2012-09-21 | nspawn: document why we don't check resolv.conf mount errors | Lennart Poettering | |
2012-09-21 | nspawn: we can't overmount /etc/localtime anymore since it's usually a symlink now | Lennart Poettering | |
Create the right symlink if possible for /etc/localtime | |||
2012-09-16 | nspawn: fix memleak introduced with automatic cleanup | Zbigniew Jędrzejewski-Szmek | |
6b2d0e8 introduced a memleak instead of fixing one. Fix both. | |||
2012-09-16 | nspawn: use automatic cleanup for umask | Zbigniew Jędrzejewski-Szmek | |
2012-09-16 | nspawn: _cleanup_free_ more | Zbigniew Jędrzejewski-Szmek | |
2012-09-16 | nspawn: use automatic cleanup | Zbigniew Jędrzejewski-Szmek | |
This one actually clears up a (totally harmless) memleak. | |||
2012-09-16 | nspawn: mount tmpfs on /dev/shm | Zbigniew Jędrzejewski-Szmek | |
Most things seem to function fine without /dev/shm, but it is expected to be there (quoting linux/Documentation/filesystems/tmpfs.txt: glibc 2.2 and above expects tmpfs to be mounted at /dev/shm for POSIX shared memory (shm_open, shm_unlink)). Since /tmp/ is already mounted as tmpfs, it would be enough to mkdir /tmp/shm and chmod it. Mounting it separately has the advantage that it can be easily remounted to change the quota. | |||
2012-09-05 | nspawn: handle poweroff/reboot nicely in containers | Lennart Poettering | |
2012-09-05 | nspawn: don't provide /dev/rtc0 in the container | Lennart Poettering | |
Since RTCs are hardware devices and are very much shared resources we should avoid providing them in each container. | |||
2012-09-05 | nspawn: generate a new randomized boot ID for each container | Lennart Poettering | |
2012-09-05 | nspawn: if a file system comes pre-mounted, still do the read-only remounts | Lennart Poettering | |
2012-09-04 | nspawn: skip mounts if already mounted | Lennart Poettering | |
2012-09-04 | nspawn: mount a clean instance of sysfs | Lennart Poettering | |
2012-08-21 | nspawn: add /dev FD symlinks in container setup | Dave Reisner | |
This creates /dev/fd, /dev/stdin, /dev/stdout, /dev/stderr, and /dev/core as symlinks to /proc on container creation. Except for /dev/core, these are needed for shells like bash to be fully functional. | |||
2012-08-13 | nspawn,namespaces: make sure we recursively bind mount things in | Lennart Poettering | |
We want to make sure that everything from the host is also visible in the sandbox. | |||
2012-08-13 | nspawn: unset a few unnecessary params to mount() | Lennart Poettering | |
2012-08-13 | nspawn: inherit mounts from real root, don't propagate mounts to real root | Lennart Poettering | |
2012-07-26 | log.h: new log_oom() -> int -ENOMEM, use it | Shawn Landden | |
also a number of minor fixups and bug fixes: spelling, oom errors that didn't print errors, not properly forwarding error codes, few more consistency issues, et cetera | |||
2012-07-25 | use "Out of memory." consistently (or with "\n") | Shawn Landden | |
glibc/glib both use "out of memory" consistently so maybe we should consider that instead of this. Eliminates one string out of a number of binaries. Also fixes extra newline in udev/scsi_id | |||
2012-07-19 | nspawn: generate proper error messages in the child | Lennart Poettering | |
2012-07-19 | nspawn: introduce new --link-journal= switch to link container journals into host | Lennart Poettering | |
2012-07-16 | unit: introduce %s specifier for the user shell | Lennart Poettering | |
2012-06-28 | nspawn: introduce new --capabilities= flag and make use of it in the nspawn test case | Lennart Poettering | |
2012-05-31 | mkdir: append _label to all mkdir() calls that explicitly set the selinux context | Kay Sievers | |
2012-05-24 | main: add configuration option to alter capability bounding set for PID 1 | Lennart Poettering | |
This also ensures that caps dropped from the bounding set are also dropped from the inheritable set, to be extra-secure. Usually that should change very little though as the inheritable set is empty for all our uses anyway. | |||
2012-05-08 | util: split-out path-util.[ch] | Kay Sievers | |
2012-04-25 | nspawn: add --read-only switch | Lennart Poettering | |
2012-04-25 | nspawn: bind mount /etc/resolv.conf from the host by default | Lennart Poettering | |
2012-04-22 | nspawn: add --uuid= switch to allow setting the machine id for the container | Lennart Poettering | |
2012-04-22 | nspawn: add -b switch to automatically look for an init binary | Lennart Poettering | |
2012-04-22 | nspawn: be more careful when initializing the hostname from the directory name | Lennart Poettering | |
2012-04-22 | nspawn: make /dev/kmsg unavailable in the container, but allow access to /proc/kmsg | Lennart Poettering | |
2012-04-18 | remove MS_* which can not be combined with current kernel code | Kay Sievers | |
MS_BIND\|MS_MOVE can not be combined, see do_mount(): `else if (flags & MS_BIND) do_loopback(&path, dev_name, flags & MS_REC);` [...] `else if (flags & MS_MOVE) do_move_mount(&path, dev_name);` MS_REMOUNT\|MS_UNBINDABLE can not be combined, see do_mount(): `if (flags & MS_REMOUNT) do_remount(&path, flags & ~MS_REMOUNT, mnt_flags, data_page);` [...] `else if (flags & (MS_SHARED \| MS_PRIVATE \| MS_SLAVE \| MS_UNBINDABLE)) do_change_type(&path, flags);` | |||