summaryrefslogtreecommitdiff
path: root/src/nspawn
AgeCommit message (Collapse)Author
2013-03-07nspawn: create a separate devpts namespace for nspawn containersLennart Poettering
2013-02-27nspawn: environment would be truncated with TERM unsetZbigniew Jędrzejewski-Szmek
2013-02-25nspawn: add --bind= and --bind-ro= to bind mount host paths into the containerLennart Poettering
2013-02-25Revert "nspawn: catch config mistake of specifying -b and args"Michal Schmidt
This reverts commit cb96a2c69a312fb089fef4501650f4fc40a1420b. It is not a mistake to pass args when -b is specified. They will simply be passed on to the container's init. The manpage needs fixing, that's true.
2013-02-24nspawn: catch config mistake of specifying -b and argsZbigniew Jędrzejewski-Szmek
2013-02-14nspawn: fail if unable to close pipeZbigniew Jędrzejewski-Szmek
2013-02-14nspawn: print PID and show how to enter the namespaceZbigniew Jędrzejewski-Szmek
systemd-nspawn will now print the PID of the child. An example showing how to enter the container is added to the man page. Support for nsenter without an explicit command was added in https://github.com/karelzak/util-linux/commit/5758069 (post v2.22.2). So this example requires both a new kernel and the latest util-linux.
2013-02-14honor SELinux labels, when creating and writing config filesHarald Hoyer
Also split out some fileio functions to fileio.c and provide a SELinux aware pendant in fileio-label.c see https://bugzilla.redhat.com/show_bug.cgi?id=881577
2013-01-26nspawn: assume stdout is always writable if it does not support epollMichal Schmidt
stdout can be redirected to a regular file. Regular files don't support epoll. nspawn failed with: "Failed to register fds in epoll: Operation not permitted". If stdout does not support epoll, assume it's always writable.
2013-01-18nspawn: add audit caps to default set to keepLennart Poettering
Due to the brokeness of much of the userspace audit code we cannot really start too many systems without the audit caps set. To make nspawn easier to use just add the audit caps by default. To boot up containers successfully the kernel's auditing needs to be turned off still (use "audit=0" on the kernel command line), but at least no manual caps have to be passed anymore. In the long run auditing will be fixed for containers and ve virtualized properly at which time it should be safe to enable these caps anyway.
2013-01-11nspawn: add --versionZbigniew Jędrzejewski-Szmek
2012-12-22nspawn: try to orderly shutdown container when receiving SIGTERMLennart Poettering
2012-12-22nspawn: allow passing socket activation fds through nspawnLennart Poettering
2012-12-22nspawn: allow nspawn to be invoked without ttyLennart Poettering
This allows invoking nspawn containers as systemd services, to create a minimal, light-weight OS container solution for servers.
2012-11-22nspawn: reset supplementary and main group id before entering nspawnLennart Poettering
2012-10-02nspawn: use automatic cleanup and provide debug infoZbigniew Jędrzejewski-Szmek
The documentation for --link-journal is also reworded.
2012-09-24log: fix repeated invocation of vsnprintf()/vaprintf() in log_struct()Lennart Poettering
https://bugs.freedesktop.org/show_bug.cgi?id=55213
2012-09-21nspawn: document why we don't check resolv.conf mount errorsLennart Poettering
2012-09-21nspawn: we can't overmount /etc/localtime anymore since it's usually a ↵Lennart Poettering
symlink now Create the right symlink if possible for /etc/localtime
2012-09-16nspawn: fix memleak introduced with automatic cleanupZbigniew Jędrzejewski-Szmek
6b2d0e8 introduced a memleak instead of fixing one. Fix both.
2012-09-16nspawn: use automatic cleanup for umaskZbigniew Jędrzejewski-Szmek
2012-09-16nspawn: _cleanup_free_ moreZbigniew Jędrzejewski-Szmek
2012-09-16nspawn: use automatic cleanupZbigniew Jędrzejewski-Szmek
This one actually clears up a (totally harmless) memleak.
2012-09-16nspawn: mount tmpfs on /dev/shmZbigniew Jędrzejewski-Szmek
Most things seem to function fine without /dev/shm, but it is expected to be there (quoting linux/Documentation/filesystems/tmpfs.txt: glibc 2.2 and above expects tmpfs to be mounted at /dev/shm for POSIX shared memory (shm_open, shm_unlink)). Since /tmp/ is already mounted as tmpfs, it would be enough to mkdir /tmp/shm and chmod it. Mounting it separately has the advantage that it can be easily remounted to change the quota.
2012-09-05nspawn: handle poweroff/reboot nicely in containersLennart Poettering
2012-09-05nspawn: don't provide /dev/rtc0 in the containerLennart Poettering
Since RTCs are hardware devices and are very much shared resources we should avoid to provide them in each container.
2012-09-05nspawn: generate a new randomized boot ID for each containerLennart Poettering
2012-09-05nspawn: if a file system comes pre-mounted, still do the read-only remountsLennart Poettering
2012-09-04nspawn: skip mounts if already mountedLennart Poettering
2012-09-04nspawn: mount a clean instance of sysfsLennart Poettering
2012-08-21nspawn: add /dev FD symlinks in container setupDave Reisner
This creates /dev/fd, /dev/stdin, /dev/stdout, /dev/stderr, and /dev/core as symlinks to /proc on container creation. Except for /dev/core, these are needed for shells like bash to be fully functional.
2012-08-13nspawn,namespaces: make sure we recursively bind mount things inLennart Poettering
We want to make sure that everything from the host is also visible in the sandbox.
2012-08-13nspawn: unset a few unnecessary params to mount()Lennart Poettering
2012-08-13nspawn: inherit mounts from real root, don't propagate mounts to real rootLennart Poettering
2012-07-26log.h: new log_oom() -> int -ENOMEM, use itShawn Landden
also a number of minor fixups and bug fixes: spelling, oom errors that didn't print errors, not properly forwarding error codes, few more consistency issues, et cetera
2012-07-25use "Out of memory." consistantly (or with "\n")Shawn Landden
glibc/glib both use "out of memory" consistantly so maybe we should consider that instead of this. Eliminates one string out of a number of binaries. Also fixes extra newline in udev/scsi_id
2012-07-19nspawn: generate proper error messages in the childLennart Poettering
2012-07-19nspawn: introduce new --link-journal= switch to link container journals into ↵Lennart Poettering
host
2012-07-16unit: introduce %s specifier for the user shellLennart Poettering
2012-06-28nspawn: introduce new --capabilities= flag and make use of it in the nspawn ↵Lennart Poettering
test case
2012-05-31mkdir: append _label to all mkdir() calls that explicitly set the selinux ↵Kay Sievers
context
2012-05-24main: add configuration option to alter capability bounding set for PID 1Lennart Poettering
This also ensures that caps dropped from the bounding set are also dropped from the inheritable set, to be extra-secure. Usually that should change very little though as the inheritable set is empty for all our uses anyway.
2012-05-08util: split-out path-util.[ch]Kay Sievers
2012-04-25nspawn: add --read-only switchLennart Poettering
2012-04-25nspawn: bind mount /etc/resolv.conf from the host by defaultLennart Poettering
2012-04-22nspawn: add --uuid= switch to allow setting the machine id for the containerLennart Poettering
2012-04-22nspawn: add -b switch to automatically look for an init binaryLennart Poettering
2012-04-22nspawn: be more careful when initializing the hostname from the directory nameLennart Poettering
2012-04-22nspawn: make /dev/kmsg unavailable in the container, but allow access to ↵Lennart Poettering
/proc/kmsg
2012-04-18remove MS_* which can not be combined with current kernel codeKay Sievers
MS_BIND|MS_MOVE can not be combined: do_mount() else if (flags & MS_BIND) do_loopback(&path, dev_name, flags & MS_REC); [...] else if (flags & MS_MOVE) do_move_mount(&path, dev_name); MS_REMOUNT|MS_UNBINDABLE can not be combined: do_mount() if (flags & MS_REMOUNT) do_remount(&path, flags & ~MS_REMOUNT, mnt_flags, data_page); [...] else if (flags & (MS_SHARED | MS_PRIVATE | MS_SLAVE | MS_UNBINDABLE)) do_change_type(&path, flags);