path: root/src/nspawn
Age  Commit message  (Author)

2013-04-18  nspawn: create empty /etc/resolv.conf if necessary  (Zbigniew Jędrzejewski-Szmek)
  nspawn will overmount resolv.conf if it exists. Since e.g. default install with yum doesn't create /etc/resolv.conf, a container created with yum will not have network. This seems undesirable, and since we overmount the file anyway, let's create it too. Also, mounting a read-write /etc/resolv.conf in the container is treated as a failure, since it makes it possible to modify hosts /etc/resolv.conf from inside the container.

2013-04-18  move _cleanup_ attribute in front of the type  (Harald Hoyer)
  http://lists.freedesktop.org/archives/systemd-devel/2013-April/010510.html

2013-04-16  path-util: unify code for detecting OS trees  (Lennart Poettering)
  This also makes sure we always detect an OS tree the same way, by checking for /etc/os-release.

2013-04-16  nspawn: introduce the new /machine/ tree in the cgroup tree and move containers there  (Lennart Poettering)
  Containers will now carry a label (normally derived from the root directory name, but configurable by the user), and the container's root cgroup is /machine/<label>. This label is called "machine name", and can cover both containers and VMs (as soon as libvirt also makes use of /machine/). libsystemd-login can be used to query the machine name from a process. This patch also includes numerous clean-ups for the cgroup code.

2013-04-05  Use initialization instead of explicit zeroing  (Zbigniew Jędrzejewski-Szmek)
  Before, we would initialize many fields twice: first by filling the structure with zeros, and then a second time with the real values. We can let the compiler do the job for us, avoiding one copy. A downside of this patch is that text gets slightly bigger. This is because all zero() calls are effectively inlined:

    $ size build/.libs/systemd
       text    data     bss     dec     hex filename
    before
     897737  107300    2560 1007597   f5fed build/.libs/systemd
    after
     897873  107300    2560 1007733   f6075 build/.libs/systemd

  … actually less than 1‰. A few asserts that the parameter is not null had to be removed. I don't think this changes much, because first, it is quite unlikely for the assert to fail, and second, an immediate SEGV is almost as good as an assert.
2013-04-03  util: rename write_one_line_file() to write_string_file()  (Lennart Poettering)
  You can write much more than just one line with this call (and we frequently do), so let's correct the naming.

2013-03-31  nspawn, machine-id-setup: warn if read-only mount call fails  (Zbigniew Jędrzejewski-Szmek)
  They are not crucial, but they shouldn't fail.

2013-03-15  nspawn: don't make assumptions about the size of pid_t  (Lennart Poettering)

2013-03-07  nspawn: create a separate devpts namespace for nspawn containers  (Lennart Poettering)

2013-02-27  nspawn: environment would be truncated with TERM unset  (Zbigniew Jędrzejewski-Szmek)

2013-02-25  nspawn: add --bind= and --bind-ro= to bind mount host paths into the container  (Lennart Poettering)

2013-02-25  Revert "nspawn: catch config mistake of specifying -b and args"  (Michal Schmidt)
  This reverts commit cb96a2c69a312fb089fef4501650f4fc40a1420b. It is not a mistake to pass args when -b is specified. They will simply be passed on to the container's init. The manpage needs fixing, that's true.

2013-02-24  nspawn: catch config mistake of specifying -b and args  (Zbigniew Jędrzejewski-Szmek)

2013-02-14  nspawn: fail if unable to close pipe  (Zbigniew Jędrzejewski-Szmek)

2013-02-14  nspawn: print PID and show how to enter the namespace  (Zbigniew Jędrzejewski-Szmek)
  systemd-nspawn will now print the PID of the child. An example showing how to enter the container is added to the man page. Support for nsenter without an explicit command was added in https://github.com/karelzak/util-linux/commit/5758069 (post v2.22.2). So this example requires both a new kernel and the latest util-linux.

2013-02-14  honor SELinux labels, when creating and writing config files  (Harald Hoyer)
  Also split out some fileio functions to fileio.c and provide a SELinux aware pendant in fileio-label.c. See https://bugzilla.redhat.com/show_bug.cgi?id=881577

2013-01-26  nspawn: assume stdout is always writable if it does not support epoll  (Michal Schmidt)
  stdout can be redirected to a regular file. Regular files don't support epoll. nspawn failed with: "Failed to register fds in epoll: Operation not permitted". If stdout does not support epoll, assume it's always writable.

2013-01-18  nspawn: add audit caps to default set to keep  (Lennart Poettering)
  Due to the brokenness of much of the userspace audit code we cannot really start too many systems without the audit caps set. To make nspawn easier to use just add the audit caps by default. To boot up containers successfully the kernel's auditing needs to be turned off still (use "audit=0" on the kernel command line), but at least no manual caps have to be passed anymore. In the long run auditing will be fixed for containers and be virtualized properly, at which time it should be safe to enable these caps anyway.
2013-01-11  nspawn: add --version  (Zbigniew Jędrzejewski-Szmek)

2012-12-22  nspawn: try to orderly shutdown container when receiving SIGTERM  (Lennart Poettering)

2012-12-22  nspawn: allow passing socket activation fds through nspawn  (Lennart Poettering)

2012-12-22  nspawn: allow nspawn to be invoked without tty  (Lennart Poettering)
  This allows invoking nspawn containers as systemd services, to create a minimal, light-weight OS container solution for servers.

2012-11-22  nspawn: reset supplementary and main group id before entering nspawn  (Lennart Poettering)

2012-10-02  nspawn: use automatic cleanup and provide debug info  (Zbigniew Jędrzejewski-Szmek)
  The documentation for --link-journal is also reworded.

2012-09-24  log: fix repeated invocation of vsnprintf()/vaprintf() in log_struct()  (Lennart Poettering)
  https://bugs.freedesktop.org/show_bug.cgi?id=55213

2012-09-21  nspawn: document why we don't check resolv.conf mount errors  (Lennart Poettering)

2012-09-21  nspawn: we can't overmount /etc/localtime anymore since it's usually a symlink now  (Lennart Poettering)
  Create the right symlink if possible for /etc/localtime

2012-09-16  nspawn: fix memleak introduced with automatic cleanup  (Zbigniew Jędrzejewski-Szmek)
  6b2d0e8 introduced a memleak instead of fixing one. Fix both.

2012-09-16  nspawn: use automatic cleanup for umask  (Zbigniew Jędrzejewski-Szmek)

2012-09-16  nspawn: _cleanup_free_ more  (Zbigniew Jędrzejewski-Szmek)

2012-09-16  nspawn: use automatic cleanup  (Zbigniew Jędrzejewski-Szmek)
  This one actually clears up a (totally harmless) memleak.

2012-09-16  nspawn: mount tmpfs on /dev/shm  (Zbigniew Jędrzejewski-Szmek)
  Most things seem to function fine without /dev/shm, but it is expected to be there (quoting linux/Documentation/filesystems/tmpfs.txt: glibc 2.2 and above expects tmpfs to be mounted at /dev/shm for POSIX shared memory (shm_open, shm_unlink)). Since /tmp/ is already mounted as tmpfs, it would be enough to mkdir /tmp/shm and chmod it. Mounting it separately has the advantage that it can be easily remounted to change the quota.
2012-09-05  nspawn: handle poweroff/reboot nicely in containers  (Lennart Poettering)

2012-09-05  nspawn: don't provide /dev/rtc0 in the container  (Lennart Poettering)
  Since RTCs are hardware devices and are very much shared resources we should avoid providing them in each container.

2012-09-05  nspawn: generate a new randomized boot ID for each container  (Lennart Poettering)

2012-09-05  nspawn: if a file system comes pre-mounted, still do the read-only remounts  (Lennart Poettering)

2012-09-04  nspawn: skip mounts if already mounted  (Lennart Poettering)

2012-09-04  nspawn: mount a clean instance of sysfs  (Lennart Poettering)

2012-08-21  nspawn: add /dev FD symlinks in container setup  (Dave Reisner)
  This creates /dev/fd, /dev/stdin, /dev/stdout, /dev/stderr, and /dev/core as symlinks to /proc on container creation. Except for /dev/core, these are needed for shells like bash to be fully functional.

2012-08-13  nspawn,namespaces: make sure we recursively bind mount things in  (Lennart Poettering)
  We want to make sure that everything from the host is also visible in the sandbox.

2012-08-13  nspawn: unset a few unnecessary params to mount()  (Lennart Poettering)

2012-08-13  nspawn: inherit mounts from real root, don't propagate mounts to real root  (Lennart Poettering)

2012-07-26  log.h: new log_oom() -> int -ENOMEM, use it  (Shawn Landden)
  Also a number of minor fixups and bug fixes: spelling, oom errors that didn't print errors, not properly forwarding error codes, a few more consistency issues, et cetera.

2012-07-25  use "Out of memory." consistently (or with "\n")  (Shawn Landden)
  glibc/glib both use "out of memory" consistently, so maybe we should consider that instead of this. Eliminates one string out of a number of binaries. Also fixes extra newline in udev/scsi_id.

2012-07-19  nspawn: generate proper error messages in the child  (Lennart Poettering)

2012-07-19  nspawn: introduce new --link-journal= switch to link container journals into host  (Lennart Poettering)

2012-07-16  unit: introduce %s specifier for the user shell  (Lennart Poettering)

2012-06-28  nspawn: introduce new --capabilities= flag and make use of it in the nspawn test case  (Lennart Poettering)

2012-05-31  mkdir: append _label to all mkdir() calls that explicitly set the selinux context  (Kay Sievers)

2012-05-24  main: add configuration option to alter capability bounding set for PID 1  (Lennart Poettering)
  This also ensures that caps dropped from the bounding set are also dropped from the inheritable set, to be extra-secure. Usually that should change very little though, as the inheritable set is empty for all our uses anyway.