path: root/src/nspawn
Commit message | Author | Age | Files | Lines
* nspawn: fix HAVE_SELINUX ifdef | Tom Gundersen | 2014-02-06 | 1 | -2/+2

* nspawn: add --quiet switch for turning off any output noise | Lennart Poettering | 2014-02-06 | 1 | -7/+21

* nspawn: always use default bus | Lennart Poettering | 2014-02-05 | 1 | -1/+1

* nspawn: various fixes in selinux hookup | Lennart Poettering | 2014-02-04 | 1 | -23/+23

    - As suggested, prefix argument variables with "arg_" how we do this usually.
    - As suggested, don't involve memory allocations when storing command line arguments.
    - Break --help text at 80 chars
    - man: explain that this is about SELinux
    - don't do unnecessary memory allocations when putting together mount option string

* Add SELinux support to systemd-nspawn | Dan Walsh | 2014-02-04 | 1 | -21/+61

    This patch adds two new options:

    -Z PROCESS_LABEL
        This specifies the process label to run on processes run within the container.

    -L FILE_LABEL
        The file label to assign to memory file systems created within the container.

    For example, if you wanted to wrap a container with SELinux sandbox labels, you could execute a command line like the following:

        chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container
        systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -Z system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh

* bus: update kdbus.h (ABI break) | Kay Sievers | 2014-02-01 | 1 | -6/+6

* nspawn: fix reboot event fd reuse | Lennart Poettering | 2014-01-29 | 1 | -6/+6

* exec: introduce PrivateDevices= switch to provide services with a private /dev | Lennart Poettering | 2014-01-20 | 1 | -23/+11

    Similar to PrivateNetwork=, PrivateTmp= introduce PrivateDevices= that sets up a private /dev with only the API pseudo-devices like /dev/null, /dev/zero, /dev/random, but not any physical devices in them.

* nspawn: do not invoke RegisterMachine on machined from inside the new PID namespace | Lennart Poettering | 2014-01-09 | 1 | -8/+24

    On kdbus user credentials are not translated across PID namespaces, but simply invalidated if sender and receiver namespaces don't match. This makes it impossible to properly authenticate requests from different PID namespaces (which is probably a good thing). Hence, register the machine in the parent and not the client and properly synchronize this.

* DEFAULT_PATH_SPLIT_USR macro | Shawn Landden | 2013-12-20 | 1 | -1/+1

* nspawn: add new --setenv= switch to set an environment variable for the container to spawn | Lennart Poettering | 2013-12-13 | 1 | -7/+44

* nspawn: complain and continue if machine has same id | Zbigniew Jędrzejewski-Szmek | 2013-12-11 | 1 | -4/+19

    If --link-journal=host or --link-journal=guest is used, this totally cannot work and we exit with an error. If however --link-journal=auto or --link-journal=no is used, just display a warning.

    Having the same machine id can happen if booting from the same filesystem as the host. Since other things mostly function correctly, let's allow that.

    https://bugs.freedesktop.org/show_bug.cgi?id=68369

* bus: connect directly via kdbus in sd_bus_open_system_container() | Lennart Poettering | 2013-12-12 | 1 | -1/+3

    kdbus fortunately exposes the container's busses in the host fs, hence we can access it directly instead of doing the namespacing dance.

* Get rid of our reimplementation of basename | Zbigniew Jędrzejewski-Szmek | 2013-12-06 | 1 | -1/+1

    The only problem is that libgen.h #defines basename to point to its own broken implementation instead of the GNU one. This can be fixed by #undefining basename.

* nspawn: fix buggy mount_binds, now works for bind-mounted files | Shawn Landden | 2013-12-06 | 1 | -20/+27

* nspawn: set up a kdbus namespace when starting a container | Lennart Poettering | 2013-11-30 | 1 | -1/+32

* nspawn: improve error message when we cannot resolve the root directory argument | Lennart Poettering | 2013-11-26 | 1 | -1/+1

* nspawn: add new --drop-capability= switch | Lennart Poettering | 2013-11-20 | 1 | -2/+10

* bus: introduce concept of a default bus for each thread and make use of it everywhere | Lennart Poettering | 2013-11-12 | 1 | -1/+1

    We want to emphasize bus connections as per-thread communication primitives, hence introduce a concept of a per-thread default bus, and make use of it everywhere.

* bus: log message parsing errors everywhere with a generalized bus_log_parse_error() | Lennart Poettering | 2013-11-07 | 1 | -4/+2

* clients: unify how we invoke getopt_long() | Lennart Poettering | 2013-11-06 | 1 | -5/+3

    Among other things this makes sure we always expose a --version command and show it in the help texts.

* nspawn: explicitly terminate machines when we exit nspawn | Lennart Poettering | 2013-11-06 | 1 | -7/+62

    https://bugs.freedesktop.org/show_bug.cgi?id=68370
    https://bugzilla.redhat.com/show_bug.cgi?id=988883

* nspawn: log out of memory errors | Djalal Harouni | 2013-11-05 | 1 | -2/+5

* machinectl: add new command to spawn a getty inside a container | Lennart Poettering | 2013-10-31 | 1 | -66/+19

* nspawn: split out pty forwarding logic into ptyfwd.c | Lennart Poettering | 2013-10-31 | 1 | -243/+2

* nspawn: only pass in slice setting if it is set | Lennart Poettering | 2013-10-30 | 1 | -1/+1

* timedated: use libsystemd-bus instead of libdbus for bus communication | Lennart Poettering | 2013-10-16 | 1 | -3/+2

    Among other things this also adds a few things necessary for the change:

    - Considerably more powerful error returning APIs in libsystemd-bus
    - Adapter for connecting an sd_bus to an sd_event
    - As I reworked the PolicyKit logic to the new library I also made it asynchronous, so that PolicyKit requests of one user cannot block out another user anymore.
    - We always use the macro names for common bus error. That way it is harder to mistype them since the compiler will notice

* Introduce _cleanup_fdset_free_ | Zbigniew Jędrzejewski-Szmek | 2013-10-13 | 1 | -3/+1

* nspawn: always copy /etc/resolv.conf rather than bind mount | Lennart Poettering | 2013-10-02 | 1 | -11/+1

    We were already creating the file if it was missing, and this way containers can reconfigure the file without running into problems. This also makes resolv.conf handling more alike to handling of /etc/localtime, which is also not a bind mount.

* fix grammatical error | Dave Reisner | 2013-09-19 | 1 | -1/+1

* nspawn: be less liberal about creating bind mount destinations | Dave Reisner | 2013-09-19 | 1 | -1/+28

    Previously, if a file's bind mount destination didn't exist, nspawn would blindly create a directory, and the subsequent bind mount would fail. Examine the filetype of the source and ensure that, if the destination does not exist, it is created appropriately. Also go one step further and ensure that the filetypes of the source and destination match.

* nspawn: trivial simplification | Zbigniew Jędrzejewski-Szmek | 2013-08-23 | 1 | -1/+1

* nspawn: Reorder includes to fix compilation | Jesper Larsen | 2013-07-19 | 1 | -1/+1

    Commit 2e996f4d4b642c5682c608c9692ad2ffae398ab2 added an include of linux/netlink.h. This kernel header is not self contained in the linux 2.6 kernel, which breaks compilation with an unknown type sa_family_t. A workaround is to include linux/netlink.h after sys/socket.h.

* nspawn: use the correct method signature for CreateMachine() | Lennart Poettering | 2013-07-02 | 1 | -4/+4

* machined: split out machine registration stuff from logind | Lennart Poettering | 2013-07-02 | 1 | -3/+3

    Embedded folks don't need the machine registration stuff, hence it's nice to make this optional. Also, I'd expect that machinectl will grow additional commands quickly, for example to join existing containers and suchlike, hence it's better keeping that separate from loginctl.

* nspawn: '-C' option has been removed | Zbigniew Jędrzejewski-Szmek | 2013-06-20 | 1 | -1/+1

    Fixup for 9444b1f "logind: add infrastructure to keep track of machines, and move to slices."

* logind: add infrastructure to keep track of machines, and move to slices | Lennart Poettering | 2013-06-20 | 1 | -113/+58

    - This changes all logind cgroup objects to use slice objects rather than fixed cgroup locations.
    - logind can now collect minimal information about running VMs/containers. As fixed cgroup locations can no longer be used we need an entity that keeps track of machine cgroups in whatever slice they might be located. Since logind already keeps track of users, sessions and seats this is a trivial addition.
    - nspawn will now register with logind and pass various bits of metadata along. A new option "--slice=" has been added to place the container in a specific slice.
    - loginctl gained commands to list, introspect and terminate machines.
    - user.slice and machine.slice will now be pulled in by logind.service, since only logind.service requires this slice.

* nspawn: only warn about audit when booting the container | Dave Reisner | 2013-05-10 | 1 | -1/+1

    The audit subsystem isn't relevant when nspawn is only being used as a chroot.

* nspawn: Include netlink headers rather than using #ifdef | Colin Walters | 2013-05-09 | 1 | -2/+1

    This is a better fix than e13e1fad8b231e187bd5de3ce668411bdcd3ac1a for failing to compile without audit that 77b6e19458f37cfde127ec6aa9494c0ac45ad890 introduced.

* Fix previous commit for !HAVE_AUDIT | Colin Walters | 2013-05-09 | 1 | -1/+2

* audit: since audit is apparently never going to be fixed for containers tell the user what's going on | Lennart Poettering | 2013-05-10 | 1 | -0/+19

    Let's try to be helpful to the user and give him a hint what he can do to make nspawn work with normal OS containers.

    https://bugzilla.redhat.com/show_bug.cgi?id=893751

* hostname: only suppress setting of pretty hostname if it is non-equal to the static hostname and if the static hostname is set, too | Lennart Poettering | 2013-05-07 | 1 | -1/+1

    https://bugzilla.redhat.com/show_bug.cgi?id=957814

* build-sys: support builds without EAs again | Lennart Poettering | 2013-05-07 | 1 | -3/+8

* nspawn: explain that we look for /etc/os-release in the container directory | Lennart Poettering | 2013-05-06 | 1 | -1/+1

    https://bugs.freedesktop.org/show_bug.cgi?id=64014

* nspawn: inherit the exit status of container | Dave Reisner | 2013-05-02 | 1 | -1/+1

    If we get as far as successfully starting the container, nspawn should inherit the exit status of the child container process as its own.

* cgls: add --machine/-M | Zbigniew Jędrzejewski-Szmek | 2013-05-01 | 1 | -20/+2

    cg_get_machine_path is modified to include the escaped machine name + ".nspawn" if the machine argument is nonnull.

* units: add an easy-to-use unit template file systemd-nspawn@.service for running containers as system services | Lennart Poettering | 2013-04-30 | 1 | -6/+12

* id128: when taking user input for a 128bit ID, validate syntax | Lennart Poettering | 2013-04-30 | 1 | -0/+5

    Also, always accept both our simple hexdump syntax and UUID syntax.

* nspawn: add -M option to optstring | Evangelos Foutras | 2013-04-29 | 1 | -1/+1

    This was missed in commit 7027ff61a34a12487712b382a061c654acc3a679 and means that the --machine option would work but not its shorthand, -M.

* cgroup: make sure all our cgroup objects have a suffix and are properly escaped | Lennart Poettering | 2013-04-22 | 1 | -3/+15

    Session objects will now get the .session suffix, user objects the .user suffix, nspawn containers the .nspawn suffix.

    This also changes the user cgroups to be named after the numeric UID rather than the username, since this allows us to parse these paths standalone without requiring access to the cgroup file system.

    This also changes the mapping of instanced units to cgroups. Instead of mapping foo@bar.service to the cgroup path /user/foo@.service/bar we will now map it to /user/foo@.service/foo@bar.service, in order to ensure that all our objects are properly suffixed in the tree.