path: root/src/nspawn

Age         Commit message  [Author]
2014-02-24  nspawn: make use of the devices cgroup controller by default  [Lennart Poettering]

2014-02-21  nspawn: when adding a veth interface to a bridge, use the "vb-" rather than "ve-" interface name prefix  [Lennart Poettering]
    This way we can recognize the interfaces later on to apply different host-side configuration to them.

2014-02-20  api: in constructor function calls, always put the returned object pointer first (or second)  [Lennart Poettering]
    Previously the returned object of constructor functions was sometimes returned as last, sometimes as first and sometimes as second parameter. Let's clean this up a bit. Here are the new rules:
    1. The object the new object is derived from is put first, if there is any
    2. The object we are creating will be returned in the next arguments
    3. This is followed by any additional arguments
    Rationale: For functions that operate on an object we always put that object first. Constructors should probably not be too different in this regard. Also, the additional parameters might want to use varargs, which suggests putting them last. Note that this new scheme only applies to constructor functions, not to all other functions. We do give a lot of freedom for those. Note that this commit only changes the order of the new functions we added; for old ones we accept the wrong order and leave it like that.

2014-02-19  make gcc shut up  [Lennart Poettering]
    If -flto is used then gcc will generate a lot more warnings than before, among them a number of use-without-initialization warnings. Most of them are false positives, but let's make them go away, because it doesn't really matter.

2014-02-19  core: add Personality= option for units to set the personality for spawned processes  [Lennart Poettering]

2014-02-18  nspawn: add new --personality= switch to make it easier to run 32bit containers on a 64bit host  [Lennart Poettering]

2014-02-18  nspawn: x86 is special with its socketcall() semantics, be permissive in the seccomp setup  [Lennart Poettering]

2014-02-18  seccomp: add helper call to add all secondary archs to a seccomp filter  [Lennart Poettering]
    And make use of it where appropriate for executing services and for nspawn.

2014-02-18  nspawn: allow 32-bit chroots from 64-bit hosts  [Dave Reisner]
    Arch Linux uses nspawn as a container for building packages and needs to be able to start a 32bit chroot from a 64bit host. 24fb11120756 disrupted this feature when seccomp handling was added.
2014-02-18  sd-rtnl-message: store reference to the bus in the message  [Tom Gundersen]
    This mimics the sd-bus api, as we may need it in the future.

2014-02-17  nspawn: netns_fd can be removed now  [Lennart Poettering]

2014-02-16  nspawn: typo fix in help  [Thomas Hindoe Paaboel Andersen]

2014-02-16  nspawn: add new --network-bridge= switch  [Tom Gundersen]
    This adds the host side of the veth link to the given bridge. Also refactor the creation of the veth interfaces a bit to set it up from the host rather than the container. This simplifies the addition to the bridge, but otherwise the behavior is unchanged.

2014-02-15  sd-rtnl: always include linux/rtnetlink.h  [Tom Gundersen]

2014-02-15  sd-rtnl: message_open_container - don't take a 'size' argument  [Tom Gundersen]
    We can always know the size based on the type, so let's do this inside the library.

2014-02-14  nspawn: if we don't find bash, try sh  [Lennart Poettering]

2014-02-14  nspawn: don't accept just any tree to execute  [Lennart Poettering]
    When invoked without -D in an arbitrary directory we should not try to execute anything; make some validity checks first.

2014-02-13  nspawn: make socket(AF_NETLINK, *, NETLINK_AUDIT) fail with EAFNOTSUPPORT in containers  [Lennart Poettering]
    The kernel still doesn't support audit in containers, so let's make use of seccomp and simply turn it off entirely. We can get rid of this big as soon as the kernel is fixed again.

2014-02-13  nspawn: add new --network-veth switch to add a virtual ethernet link to the host  [Lennart Poettering]

2014-02-13  nspawn: check with udev before we take possession of an interface  [Lennart Poettering]

2014-02-13  nspawn: no need to subscribe to netlink messages if we just want to execute one operation  [Lennart Poettering]

2014-02-13  nspawn: --private-network should imply CAP_NET_ADMIN  [Lennart Poettering]

2014-02-13  rtnl: rename constructors from the form sd_rtnl_xxx_yyy_new() to sd_rtnl_xxx_new_yyy()  [Lennart Poettering]
    So far we followed the rule to always indicate the "flavour" of constructors after the "_new_" or "_open_" in the function name, so let's keep things in sync here for rtnl and do the same.

2014-02-13  rtnl: drop "sd_" prefix from cleanup macros  [Lennart Poettering]
    The "sd_" prefix is supposed to be used on exported symbols only, and not in the middle of names. Let's drop it from the cleanup macros hence, to make things simpler. The bus cleanup macros don't carry the "sd_" either, so this brings the APIs a bit nearer.

2014-02-13  nspawn: add new --network-interface= switch to move an existing interface into the container  [Lennart Poettering]
2014-02-13  nspawn: introduce --capability=all for retaining all capabilities  [Lennart Poettering]

2014-02-12  nspawn: newer kernels (>= 3.14) allow resetting the audit loginuid, make use of this  [Lennart Poettering]

2014-02-11  machined: optionally, allow registration of pre-existing units (scopes or services) as machine with machined  [Lennart Poettering]

2014-02-11  nspawn: add --register=yes|no switch to optionally disable registration of the container with machined  [Lennart Poettering]

2014-02-10  nspawn: add new --share-system switch to run a container without PID/UTS/IPC namespacing  [Lennart Poettering]

2014-02-10  nspawn,man: use a common vocabulary when referring to selinux security contexts  [Lennart Poettering]
    Let's always call the security labels the same way:
    SMACK: "Smack Label"
    SELINUX: "SELinux Security Context"
    And the low-level encapsulation is called "seclabel". Now let's hope we stick to this vocabulary in future, too, and don't mix "label"s and "security contexts" and so on wildly.

2014-02-10  nspawn: require /etc/os-release only for init  [Vincent Batts]
    /etc/os-release is expected for the case of booting a full system, and need not be required for thin container execution.

2014-02-07  nspawn: rename --file-label to --apifs-label since it's really just about the API file systems, nothing else  [Lennart Poettering]

2014-02-06  nspawn: fix HAVE_SELINUX ifdef  [Tom Gundersen]

2014-02-06  nspawn: add --quiet switch for turning off any output noise  [Lennart Poettering]

2014-02-05  nspawn: always use default bus  [Lennart Poettering]

2014-02-04  nspawn: various fixes in selinux hookup  [Lennart Poettering]
    - As suggested, prefix argument variables with "arg_" as we usually do.
    - As suggested, don't involve memory allocations when storing command line arguments.
    - Break --help text at 80 chars
    - man: explain that this is about SELinux
    - don't do unnecessary memory allocations when putting together mount option string

2014-02-04  Add SELinux support to systemd-nspawn  [Dan Walsh]
    This patch adds two new options:
    -Z PROCESS_LABEL   This specifies the process label to run on processes run within the container.
    -L FILE_LABEL      The file label to assign to memory file systems created within the container.
    For example, if you wanted to wrap a container with SELinux sandbox labels, you could execute the following command lines:
    chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container
    systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -Z system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh
2014-02-01  bus: update kdbus.h (ABI break)  [Kay Sievers]

2014-01-29  nspawn: fix reboot event fd reuse  [Lennart Poettering]

2014-01-20  exec: introduce PrivateDevices= switch to provide services with a private /dev  [Lennart Poettering]
    Similar to PrivateNetwork= and PrivateTmp=, introduce PrivateDevices=, which sets up a private /dev with only the API pseudo-devices like /dev/null, /dev/zero, /dev/random, but not any physical devices in them.

2014-01-09  nspawn: do not invoke RegisterMachine on machined from inside the new PID namespace  [Lennart Poettering]
    On kdbus user credentials are not translated across PID namespaces, but simply invalidated if sender and receiver namespaces don't match. This makes it impossible to properly authenticate requests from different PID namespaces (which is probably a good thing). Hence, register the machine in the parent and not the client and properly synchronize this.

2013-12-20  DEFAULT_PATH_SPLIT_USR macro  [Shawn Landden]

2013-12-13  nspawn: add new --setenv= switch to set an environment variable for the container to spawn  [Lennart Poettering]

2013-12-11  nspawn: complain and continue if machine has same id  [Zbigniew Jędrzejewski-Szmek]
    If --link-journal=host or --link-journal=guest is used, this totally cannot work and we exit with an error. If however --link-journal=auto or --link-journal=no is used, just display a warning. Having the same machine id can happen if booting from the same filesystem as the host. Since other things mostly function correctly, let's allow that. https://bugs.freedesktop.org/show_bug.cgi?id=68369

2013-12-12  bus: connect directly via kdbus in sd_bus_open_system_container()  [Lennart Poettering]
    kdbus fortunately exposes the container's busses in the host fs, hence we can access it directly instead of doing the namespacing dance.

2013-12-06  Get rid of our reimplementation of basename  [Zbigniew Jędrzejewski-Szmek]
    The only problem is that libgen.h #defines basename to point to its own broken implementation instead of the GNU one. This can be fixed by #undefining basename.

2013-12-06  nspawn: fix buggy mount_binds, now works for bind-mounted files  [Shawn Landden]

2013-11-30  nspawn: set up a kdbus namespace when starting a container  [Lennart Poettering]

2013-11-26  nspawn: improve error message when we cannot resolve the root directory argument  [Lennart Poettering]