Age | Commit message (Collapse) | Author |
|
nspawn will overmount resolv.conf if it exists. Since e.g.
default install with yum doesn't create /etc/resolv.conf,
a container created with yum will not have network. This
seems undesirable, and since we overmount the file anyway,
let's create it too.
Also, mounting a read-write /etc/resolv.conf in the container
is treated as a failure, since it makes it possible to
modify hosts /etc/resolv.conf from inside the container.
|
|
http://lists.freedesktop.org/archives/systemd-devel/2013-April/010510.html
|
|
This also makes sure we always detect an OS tree the same way, by
checking for /etc/os-release.
|
|
containers there
Containers will now carry a label (normally derived from the root
directory name, but configurable by the user), and the container's root
cgroup is /machine/<label>. This label is called "machine name", and can
cover both containers and VMs (as soon as libvirt also makes use of
/machine/).
libsystemd-login can be used to query the machine name from a process.
This patch also includes numerous clean-ups for the cgroup code.
|
|
Before, we would initialize many fields twice: first
by filling the structure with zeros, and then a second
time with the real values. We can let the compiler do
the job for us, avoiding one copy.
A downside of this patch is that text gets slightly
bigger. This is because all zero() calls are effectively
inlined:
$ size build/.libs/systemd
text data bss dec hex filename
before 897737 107300 2560 1007597 f5fed build/.libs/systemd
after 897873 107300 2560 1007733 f6075 build/.libs/systemd
… actually less than 1‰.
A few asserts that the parameter is not null had to be removed. I
don't think this changes much, because first, it is quite unlikely
for the assert to fail, and second, an immediate SEGV is almost as
good as an assert.
|
|
You can write much more than just one line with this call (and we
frequently do), so let's correct the naming.
|
|
They are not crucial, but they shouldn't fail.
|
|
|
|
|
|
|
|
|
|
This reverts commit cb96a2c69a312fb089fef4501650f4fc40a1420b.
It is not a mistake to pass args when -b is specified. They will simply
be passed on to the container's init.
The manpage needs fixing, that's true.
|
|
|
|
|
|
systemd-nspawn will now print the PID of the child.
An example showing how to enter the container is added
to the man page.
Support for nsenter without an explicit command was
added in https://github.com/karelzak/util-linux/commit/5758069
(post v2.22.2). So this example requires both a new kernel
and the latest util-linux.
|
|
Also split out some fileio functions to fileio.c and provide a SELinux
aware pendant in fileio-label.c
see https://bugzilla.redhat.com/show_bug.cgi?id=881577
|
|
stdout can be redirected to a regular file. Regular files don't support epoll.
nspawn failed with: "Failed to register fds in epoll: Operation not permitted".
If stdout does not support epoll, assume it's always writable.
|
|
Due to the brokeness of much of the userspace audit code we cannot
really start too many systems without the audit caps set. To make nspawn
easier to use just add the audit caps by default.
To boot up containers successfully the kernel's auditing needs to be
turned off still (use "audit=0" on the kernel command line), but at
least no manual caps have to be passed anymore.
In the long run auditing will be fixed for containers and ve virtualized
properly at which time it should be safe to enable these caps anyway.
|
|
|
|
|
|
|
|
This allows invoking nspawn containers as systemd services, to create a
minimal, light-weight OS container solution for servers.
|
|
|
|
The documentation for --link-journal is also reworded.
|
|
https://bugs.freedesktop.org/show_bug.cgi?id=55213
|
|
|
|
symlink now
Create the right symlink if possible for /etc/localtime
|
|
6b2d0e8 introduced a memleak instead of fixing one.
Fix both.
|
|
|
|
|
|
This one actually clears up a (totally harmless) memleak.
|
|
Most things seem to function fine without /dev/shm, but it is expected
to be there (quoting linux/Documentation/filesystems/tmpfs.txt:
glibc 2.2 and above expects tmpfs to be mounted at /dev/shm for POSIX
shared memory (shm_open, shm_unlink)).
Since /tmp/ is already mounted as tmpfs, it would be enough to mkdir
/tmp/shm and chmod it. Mounting it separately has the advantage that
it can be easily remounted to change the quota.
|
|
|
|
Since RTCs are hardware devices and are very much shared resources we
should avoid to provide them in each container.
|
|
|
|
|
|
|
|
|
|
This creates /dev/fd, /dev/stdin, /dev/stdout, /dev/stderr, and
/dev/core as symlinks to /proc on container creation. Except for
/dev/core, these are needed for shells like bash to be fully functional.
|
|
We want to make sure that everything from the host is also visible in
the sandbox.
|
|
|
|
|
|
also a number of minor fixups and bug fixes: spelling, oom errors
that didn't print errors, not properly forwarding error codes,
few more consistency issues, et cetera
|
|
glibc/glib both use "out of memory" consistantly so maybe we should
consider that instead of this.
Eliminates one string out of a number of binaries. Also fixes extra newline
in udev/scsi_id
|
|
|
|
host
|
|
|
|
test case
|
|
context
|
|
This also ensures that caps dropped from the bounding set are also
dropped from the inheritable set, to be extra-secure. Usually that should
change very little though as the inheritable set is empty for all our uses
anyway.
|