History log of /lxc/doc/lxc.container.conf.sgml.in
Revision Date Author Comments
2e930f349d3b5250e772ce525e8183bc90e39d76 10-May-2017 Christian Brauner <christian.brauner@ubuntu.com>

doc: document console behavior Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

f9039861c022d2af781283cc8b319fa32711c4fc 03-Apr-2016 Serge Hallyn <serge.hallyn@ubuntu.com>

document lxc.rootfs.backend Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

4608594e1dce0efdf3412103d95d31763598ea0d 25-Feb-2016 Serge Hallyn <serge.hallyn@ubuntu.com>

cgfs: do not automount if cgroup namespaces are supported In that case containers will be able to mount cgroup filesystems for themselves as they do on a host. This fixes inability to start systemd based containers on cgns-enabled kernels with cgmanager not running. I've tested debian jessie, busybox, ubuntu trusty and xenial, all of which booted ok. However if there are some setups which require premounted cgroupfs (i.e. they don't mount if they detect being in a container), this may cause trouble. Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

7a126ae1f20ad6089f9c39ef3965fcfe3fa498b6 22-Feb-2016 Serge Hallyn <serge.hallyn@ubuntu.com>

lxc.container.conf / apparmor : document cgns profile Also document 'unchanged' which we had never documented before. Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

c35d29097cce58de0eb568486f8c8082a2b0d4d0 29-Jan-2016 Min Wang <mingewang@gmail.com>

increase /dev size to 500k (issue #781) Signed-off-by: Min Wang <mingewang@gmail.com>

280d23796c0a8140408b5fdfb50cf3a9926b4e26 28-Jan-2016 Christian Brauner <christianvanbrauner@gmail.com>

update overlayfs and aufs in lxc.container.conf Explain that multiple /lower layers can be used. Signed-off-by: Christian Brauner <christian.brauner@mailbox.org> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

020104c3adf8c023e5a66a42f1c182f2b8a7a133 28-Jan-2016 Marko Hauptvogel <marko.hauptvogel@googlemail.com>

Document network clear option Should be mentioned separately because it will reset a big group of options. Signed-off-by: Marko Hauptvogel <marko.hauptvogel@googlemail.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>

ff6891491475fe96a4e443f83190a247da1540c3 28-Jan-2016 Marko Hauptvogel <marko.hauptvogel@googlemail.com>

Document clear behaviour of list options

More general for all list options. Seems to currently affect:
- lxc.network (clear all NICs)
- lxc.network.* (clear current NIC)
- lxc.cap.drop
- lxc.cap.keep
- lxc.cgroup
- lxc.mount.entry
- lxc.mount.auto
- lxc.hook
- lxc.id_map
- lxc.group
- lxc.environment

Signed-off-by: Marko Hauptvogel <marko.hauptvogel@googlemail.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>

c4cafa080c8beb9a34a1fecff9331d84385f6440 08-Jan-2016 Serge Hallyn <serge.hallyn@ubuntu.com>

add LXC_CGNS_AWARE env variable for mount hooks This way the lxcfs mount hook can know whether lxc knows about cgroup namespaces. Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

0794541858448030aaf3dada5b780ce400025ac3 04-Jan-2016 KATOH Yasufumi <karma@jazz.email.ne.jp>

doc: Add LXC_SRC_NAME to lxc.container.conf(5) only add to English and Japanese docs. Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp> Acked-by: Stéphane Graber <stgraber@ubuntu.com>

7eff30fd5db84a15c0158b370d5fd850153a46cf 04-Jan-2016 Marko Hauptvogel <marko.hauptvogel@googlemail.com>

Documenting valueless lxc.cap.drop behaviour

From b24b0e16848fbb93402a08efa3950cd59272b8da Mon Sep 17 00:00:00 2001
From: Marko Hauptvogel <marko.hauptvogel@googlemail.com>
Date: Sun, 3 Jan 2016 23:07:19 +0100
Subject: [PATCH] Documenting valueless lxc.cap.drop behaviour

Undocumented behaviour since 7d0eb87.

Signed-off-by: Marko Hauptvogel <marko.hauptvogel@googlemail.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>

6039eaa23692f417457a2af3c6fc7ce01d78b5c2 03-Dec-2015 Wolfgang Bumiller <w.bumiller@proxmox.com>

doc: lxc.monitor.unshare requires CAP_SYS_ADMIN Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

a8dfe4e08da61a454afca3c94e94a88fb310ebba 03-Dec-2015 Wolfgang Bumiller <w.bumiller@proxmox.com>

Added lxc.monitor.unshare If manual mounting with elevated permissions is required this can currently only be done in pre-start hooks or before starting LXC. In both cases the mounts would appear in the host's namespace. With this flag the namespace is unshared before the startup sequence, so that mounts performed in the pre-start hook don't show up on the host. Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

c154af98c17b3584ccafb88b10c8f861eed91093 03-Dec-2015 Stéphane Graber <stgraber@ubuntu.com>

Export LXC_TARGET env variable in stop hook Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

0a2b5ab1e79912cd6afa52c829a3444da701a828 07-Oct-2015 Wolfgang Bumiller <w.bumiller@proxmox.com>

document the stop hook Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

4e6eb26bf070921897c058b121a5395e292f0726 05-Oct-2015 Christian Brauner <christianvanbrauner@gmail.com>

Add lxc.ephemeral to lxc.container.conf manpage Signed-off-by: Christian Brauner <christianvanbrauner@gmail.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

592fd47a6245508b79fe6ac819fe6d3b2c1289be 29-Sep-2015 Serge Hallyn <serge.hallyn@ubuntu.com>

CVE-2015-1335: Protect container mounts against symlinks

When a container starts up, lxc sets up the container's initial fstree by doing a bunch of mounting, guided by the container configuration file. The container config is owned by the admin or user on the host, so we do not try to guard against bad entries. However, since the mount target is in the container, it's possible that the container admin could divert the mount with symbolic links. This could bypass proper container startup (i.e. confinement of a root-owned container by the restrictive apparmor policy, by diverting the required write to /proc/self/attr/current), or bypass the (path-based) apparmor policy by diverting, say, /proc to /mnt in the container.

To prevent this,
1. do not allow mounts to paths containing symbolic links
2. do not allow bind mounts from relative paths containing symbolic links.

Details:

Define safe_mount which ensures that the container has not inserted any symbolic links into any mount targets for mounts to be done during container setup. The host's mount path may contain symbolic links. As it is under the control of the administrator, that's ok. So safe_mount begins the check for symbolic links after the rootfs->mount, by opening that directory. It opens each directory along the path using openat() relative to the parent directory using O_NOFOLLOW. When the target is reached, it mounts onto /proc/self/fd/<targetfd>.

Use safe_mount() in mount_entry(), when mounting container proc, and when needed. In particular, safe_mount() need not be used in any case where:
1. the mount is done in the container's namespace
2. the mount is for the container's rootfs
3. the mount is relative to a tmpfs or proc/sysfs which we have just safe_mount()ed ourselves

Since we were using proc/net as a temporary placeholder for /proc/sys/net during container startup, and proc/net is a symbolic link, use proc/tty instead.

Update the lxc.container.conf manpage with details about the new restrictions.

Finally, add a testcase to test some symbolic link possibilities.

Reported-by: Roman Fiedler Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>

dbca9237db78eb462efcd17776cd2e44f84b4dd2 28-Aug-2015 Patrick Toomey <ptoomey3@biasedcoin.com>

Update english docs for new lxc.init_uid and lxc.init_gid options Signed-off-by: Patrick Toomey <ptoomey3@biasedcoin.com>

f5b67b36e2a653842f4cc57220c939653c5d61d5 14-Aug-2015 Nicolas Cornu <ncornu@aldebaran.com>

Add doc for optional, create=dir and create=file in lxc.container.conf man Signed-off-by: Nicolas Cornu <ncornu@aldebaran.com>

c15ea60706591a97d5c66137b74587549ef4d7e3 25-May-2015 Eric Leblond <eric@regit.org>

doc: add 'macvlan' 'passthru' mode This patch also rewords the macvlan section which was hard to read. Signed-off-by: Eric Leblond <eric@regit.org>

37cf711b2887dbce0921eb653b8bc7cb27a02fee 14-May-2015 Sungbae Yoo <sungbae.yoo@samsung.com>

config : add lxc.hook.destroy option Signed-off-by: Sungbae Yoo <sungbae.yoo@samsung.com>

936762f3fb6cf10e0756719f03aebe052d5c31a8 18-Feb-2015 Bogdan Purcareata <bogdan.purcareata@freescale.com>

document lxc.rebootsignal Also fix some minor indentation mishaps since we're here. Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

f24a52d5f588ff4e4575046903fb9498c376d833 29-Jan-2015 Stéphane Graber <stgraber@ubuntu.com>

Use consistent /proc, /sys and /sys/fs/cgroup (v2)

- Implements mixed mode for /sys where it's mounted read-only but with /sys/devices/virtual/net/ writable.
- Sets lxc.mount.auto to "cgroup:mixed proc:mixed sys:mixed" for all templates.
- Drop any template-specific mount for /proc, /sys or /sys/fs/cgroup.
- Get rid of the fstab file by default, using lxc.mount.entry instead.
- Set sys:mixed as the default for "sys".

sys:mixed is slightly more permissive than sys:ro so this shouldn't be a problem. The read-only bind mount of /sys on top of itself is there so that mountall and other init systems don't attempt to remount /sys read-write.

v2 changes:
- Fix the mount list, don't specify a source for the remount.
- Update the documentation.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

/lxc/config/templates/archlinux.common.conf.in /lxc/config/templates/centos.common.conf.in /lxc/config/templates/common.conf.in /lxc/config/templates/debian.common.conf.in /lxc/config/templates/gentoo.common.conf.in /lxc/config/templates/gentoo.moresecure.conf.in /lxc/config/templates/openwrt.common.conf.in /lxc/config/templates/oracle.common.conf.in /lxc/config/templates/plamo.common.conf.in /lxc/config/templates/ubuntu.common.conf.in lxc.container.conf.sgml.in /lxc/src/lxc/conf.c /lxc/src/lxc/conf.h /lxc/src/lxc/confile.c /lxc/templates/lxc-alpine.in /lxc/templates/lxc-altlinux.in /lxc/templates/lxc-busybox.in /lxc/templates/lxc-cirros.in /lxc/templates/lxc-debian.in /lxc/templates/lxc-openmandriva.in /lxc/templates/lxc-opensuse.in /lxc/templates/lxc-plamo.in /lxc/templates/lxc-sshd.in /lxc/templates/lxc-ubuntu-cloud.in /lxc/templates/lxc-ubuntu.in
d89de2399ce0e6c213a742c246574f2ca0afad0d 21-Jan-2015 Stéphane Graber <stgraber@ubuntu.com>

Set kmsg to 0 by default It's now been proven over and over again that the symlink from /dev/kmsg to /dev/console is harmful for everything but upstart systems. As Ubuntu is now switching over to systemd too, let's switch the default. Upstart users wishing to see boot messages can always set lxc.kmsg = 1 manually in their config (so long as they don't expect to then dist-upgrade the container to systemd successfully). Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

124fa0a869c4cf5b4dc3ea2281446df32f0a7980 21-Jan-2015 Stéphane Graber <stgraber@ubuntu.com>

Turn autodev on by default Now that autodev works fine with unprivileged containers and shouldn't come with any side effect, let's turn it on by default. Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

38005c5436d8a929141b7e8c0314dc5fd1c403f1 15-Jan-2015 Michael Adam <obnox@samba.org>

doc: clarify the description of the veth network type in the manpage. Signed-off-by: Michael Adam <obnox@samba.org> Acked-by: Stéphane Graber <stgraber@ubuntu.com>

67c660d0aaff5f2854a55da936fe6cd82510494f 01-Dec-2014 Stéphane Graber <stgraber@ubuntu.com>

Define a new lxc.init_cmd config option Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Dwight Engen <dwight.engen@oracle.com>

c464fd7e01ea5687dc3872d557213881cae9715e 01-Dec-2014 Stéphane Graber <stgraber@ubuntu.com>

tabs/spaces consistency Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

93c709b23108300d780011a41069ae4239ad1096 22-Sep-2014 Serge Hallyn <serge.hallyn@ubuntu.com>

document the new lxc.aa_allow_incomplete flag Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>

2d489f9e87fa0cccd8a1762680a43eeff2fe1b6e 22-Sep-2014 Serge Hallyn <serge.hallyn@ubuntu.com>

pivot_root: switch to a new mechanism (v2) This idea came from Andy Lutomirski. Instead of using a temporary directory for the pivot_root put-old, use "." both for new-root and old-root. Then fchdir into the old root temporarily in order to unmount the old-root, and finally chdir back into our '/'. Drop lxc.pivotdir from the lxc.container.conf manpage. Warn when we see a lxc.pivotdir entry (but keep it in the lxc.conf for now). Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>

96f15ca18cd18d451e5d67adfc11ef5a130ab35c 07-Aug-2014 Serge Hallyn <serge.hallyn@ubuntu.com>

add lxc.console.logpath v2: add get_config_item clear_config_item is not supported, as it isn't for lxc.console, bc you can do 'lxc.console.logfile =' to clear it. Likewise save_config is not needed because the config is now just written through the unexpanded char*. Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>

719fae07bf641ad6ed80b12c52f60b68d734f611 31-Jul-2014 Dwight Engen <dwight.engen@oracle.com>

provide an example SELinux policy for older releases The virtd_lxc_t type provided by the default RHEL/CentOS/Oracle 6.5 policy is an unconfined_domain(), so it doesn't really enforce anything. This change will provide a link in the documentation to an example policy that does confine containers. On more recent distributions with new enough policy, it is recommended not to use this sample policy, but to use the types already available on the system from /etc/selinux/targeted/contexts/lxc_contexts, ie: process = "system_u:system_r:svirt_lxc_net_t:s0" file = "system_u:object_r:svirt_sandbox_file_t:s0" Signed-off-by: Dwight Engen <dwight.engen@oracle.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

7c6617262d4cd1f8f2c1721aca980ecd71117bd5 31-Jul-2014 Matt Palmer <mpalmer@hezmatt.org>

Support providing env vars to container init

It's quite useful to be able to configure containers by specifying environment variables, which init (or initscripts) can use to adjust the container's operation. This patch adds one new configuration parameter, `lxc.environment`, which can be specified zero or more times to define env vars to set in the container, like this:

lxc.environment = APP_ENV=production
lxc.environment = SYSLOG_SERVER=192.0.2.42
lxc.environment = SOMETHING_FUNNY=platypus

Default operation is unchanged; if the user doesn't specify any lxc.environment parameters, the container environment will be what it is today ('container=lxc').

Signed-off-by: Matt Palmer <mpalmer@hezmatt.org> Acked-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

8982c0fd5e1db818803e8c9cdee588a8a13d8fd2 16-Jul-2014 Stéphane Graber <stgraber@ubuntu.com>

doc: Mention that veth.pair is ignored for unpriv veth.pair is ignored for unprivileged containers as allowing an unprivileged user to set a specific device name would allow them to trigger actions in tools like NetworkManager or other uevent based handlers that may react based on specific names or prefixes being used. Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

7035407c96efd21ba5dfc8ba6617f7631292d78a 20-Jun-2014 Dwight Engen <dwight.engen@oracle.com>

allow lxc.cap.keep = none

Commit 1fb86a7c introduced a way to drop capabilities without having to specify them all explicitly. Unfortunately, there is no way to drop them all, as just specifying an empty keep list, ie:

lxc.cap.keep =

clears the keep list, causing no capabilities to be dropped. This change allows a special value "none" to be given, which will clear all keep capabilities parsed up to this point. If the last parsed value is none, all capabilities will be dropped.

Signed-off-by: Dwight Engen <dwight.engen@oracle.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
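
The clearing rules from this commit, from the entry on valueless lxc.cap.drop (7eff30fd) and from the entry on clearing list options (ff689149), modelled as an added C example that is not LXC's confile.c parser and not part of this log: a value-less key empties the list parsed so far, "none" in lxc.cap.keep empties it as well, and a keep list whose last value is "none" means every capability is dropped, so "sys_admin none" and "none sys_admin" have opposite effects. The function and type names are my own, and it is an assumption of the example (stated in the code) that a non-empty keep list, when present, governs rather than the drop list.

```c
#include <stdio.h>
#include <string.h>

#define MAX_CAPS 64
#define CAP_NAME_LEN 32

/*
 * State accumulated from lxc.cap.keep / lxc.cap.drop lines. Values append;
 * an empty value clears the list parsed so far; in lxc.cap.keep the word
 * "none" also clears it and is remembered, so a keep list whose last value
 * is "none" means "drop everything". Illustrative model of the documented
 * behaviour, not LXC's parser.
 */
struct cap_config {
    char keep[MAX_CAPS][CAP_NAME_LEN];
    int nkeep;
    int keep_none;          /* last lxc.cap.keep value parsed was "none" */
    char drop[MAX_CAPS][CAP_NAME_LEN];
    int ndrop;
};

enum cap_policy {
    CAP_POLICY_DROP_LISTED, /* no keep list: drop only what lxc.cap.drop names */
    CAP_POLICY_KEEP_LISTED, /* keep list present: drop everything not listed */
    CAP_POLICY_DROP_ALL     /* keep list ended in "none" */
};

static void trim(char *s)
{
    size_t len = strlen(s), start = 0;
    while (len > 0 && strchr(" \t\r\n", s[len - 1]))
        s[--len] = '\0';
    while (s[start] == ' ' || s[start] == '\t')
        start++;
    memmove(s, s + start, len - start + 1);
}

static int add_cap(char list[][CAP_NAME_LEN], int *n, const char *name)
{
    if (*n >= MAX_CAPS || strlen(name) >= CAP_NAME_LEN)
        return -1;
    strcpy(list[(*n)++], name);
    return 0;
}

/* Apply one "key = value" line (whitespace-separated capability names).
 * Returns 0, or -1 for a malformed line or a key this model does not handle. */
int apply_cap_line(struct cap_config *c, const char *line)
{
    char key[64], value[256];
    const char *eq = strchr(line, '=');
    if (!eq || (size_t)(eq - line) >= sizeof key || strlen(eq + 1) >= sizeof value)
        return -1;
    memcpy(key, line, (size_t)(eq - line));
    key[eq - line] = '\0';
    strcpy(value, eq + 1);
    trim(key);
    trim(value);

    int is_keep;
    if (strcmp(key, "lxc.cap.keep") == 0)
        is_keep = 1;
    else if (strcmp(key, "lxc.cap.drop") == 0)
        is_keep = 0;
    else
        return -1;

    if (value[0] == '\0') {             /* valueless key: clear that list */
        if (is_keep)
            c->nkeep = c->keep_none = 0;
        else
            c->ndrop = 0;
        return 0;
    }
    for (char *tok = strtok(value, " \t"); tok; tok = strtok(NULL, " \t")) {
        if (!is_keep) {
            if (add_cap(c->drop, &c->ndrop, tok))
                return -1;
        } else if (strcmp(tok, "none") == 0) {
            c->nkeep = 0;               /* discard keeps parsed so far */
            c->keep_none = 1;
        } else {
            c->keep_none = 0;
            if (add_cap(c->keep, &c->nkeep, tok))
                return -1;
        }
    }
    return 0;
}

/* Assumed precedence: a keep list, when present, governs over the drop list. */
enum cap_policy effective_policy(const struct cap_config *c)
{
    if (c->keep_none)
        return CAP_POLICY_DROP_ALL;
    return c->nkeep > 0 ? CAP_POLICY_KEEP_LISTED : CAP_POLICY_DROP_LISTED;
}

/* Would the container's init still hold `cap` under the current policy? */
int cap_is_retained(const struct cap_config *c, const char *cap)
{
    enum cap_policy pol = effective_policy(c);
    if (pol == CAP_POLICY_DROP_ALL)
        return 0;
    int keep = (pol == CAP_POLICY_KEEP_LISTED);
    const char (*list)[CAP_NAME_LEN] = keep ? c->keep : c->drop;
    int n = keep ? c->nkeep : c->ndrop;
    for (int i = 0; i < n; i++)
        if (strcmp(list[i], cap) == 0)
            return keep;                /* listed: kept under keep, dropped under drop */
    return !keep;                       /* unlisted: the opposite */
}

int main(void)
{
    struct cap_config c = {0};
    const char *lines[] = { "lxc.cap.drop = sys_module mac_admin", "lxc.cap.drop =",
                            "lxc.cap.keep = sys_admin none", "lxc.cap.keep = none sys_admin" };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        apply_cap_line(&c, lines[i]);
        printf("%-36s -> sys_admin %s\n", lines[i],
               cap_is_retained(&c, "sys_admin") ? "kept" : "dropped");
    }
    return 0;
}
```

The practical check this encodes: after reading a config, look at the last lxc.cap.keep value, not just the set of names, since the position of "none" decides between "drop everything" and "keep exactly these".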

015f0dd7924d27aeb2f16bb0c4d243f3fd93e94b 03-Jun-2014 Michael H. Warfield <mhw@WittsEnd.com>

lxc-autostart: rework boot and group handling

This adds new functionality to lxc-autostart.
*) The -g / --groups option is multiple cumulative entry. This may be mixed freely with the previous comma separated group list convention. Groups are processed in the order they first appear in the aggregated group list.
*) The NULL group may be specified in the group list using either a leading comma, a trailing comma, or an embedded comma.
*) Booting proceeds in order of the groups specified on the command line then ordered by lxc.start.order and name collating sequence.
*) Default host bootup is now specified as "-g onboot," meaning that first the "onboot" group is booted and then any remaining enabled containers in the NULL group are booted.
*) Adds documentation to lxc-autostart for -g processing order and combinations.
*) Parameterizes bootgroups, options, and shutdown delay in init scripts and services.
*) Update the various init scripts to use lxc-autostart in a similar way.

Reported-by: CDR <venefax@gmail.com> Signed-off-by: Dwight Engen <dwight.engen@oracle.com> Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>

6191f4f421b19010cfdf2606183f830c435f22cb 16-May-2014 Serge Hallyn <serge.hallyn@ubuntu.com>

lxc.container.conf(5): update guidance for lxc.mount.entry mount target For years it has been best practice to use a relative path as the mount target. But the manpage hasn't reflected that. Fix it. Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Acked-by: Dwight Engen <dwight.engen@oracle.com>

f1c26f2cbdb25da7292ea83446b2ca482973ecb5 16-May-2014 Serge Hallyn <serge.hallyn@ubuntu.com>

lxc.container.conf: document the type: lxc.rootfs conventions Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Acked-by: Dwight Engen <dwight.engen@oracle.com>

0769b82a42ccdb8daa378b493be8ea092a283b24 06-May-2014 Christian Seiler <christian@iwakd.de>

lxc.mount.auto: improve defaults for cgroup and cgroup-full If the user specifies cgroup or cgroup-full without a specifier (:ro, :rw or :mixed), this changes the behavior. Previously, these were simple aliases for the :mixed variants; now they depend on whether the container also has CAP_SYS_ADMIN; if it does they resolve to the :rw variants, if it doesn't to the :mixed variants (as before). If a container has CAP_SYS_ADMIN privileges, any filesystem can be remounted read-write from within, so initially mounting the cgroup filesystems partially read-only as a default creates a false sense of security. It is better to default to full read-write mounts to show the administrator what keeping CAP_SYS_ADMIN entails. If an administrator really wants both CAP_SYS_ADMIN and the :mixed variant of cgroup or cgroup-full automatic mounts, they can still specify that explicitly; this commit just changes the default without specifier. Signed-off-by: Christian Seiler <christian@iwakd.de> Cc: Serge Hallyn <serge.hallyn@ubuntu.com> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

b46f05535872669de42b61ff6233a0517cc7584d 06-May-2014 Christian Seiler <christian@iwakd.de>

cgfs: don't mount /sys/fs/cgroup readonly Ubuntu containers have had trouble with automatic cgroup mounting that was not read-write (i.e. lxc.mount.auto = cgroup{,-full}:{ro,mixed}) in containers without CAP_SYS_ADMIN. Ubuntu's mountall program reads /lib/init/fstab, which contains an entry for /sys/fs/cgroup. Since there is no ro option specified for that filesystem, mountall will try to remount it readwrite if it is already mounted. Without CAP_SYS_ADMIN, that fails and mountall will interrupt boot and wait for user input on whether to proceed anyway or to manually fix it, effectively hanging container bootup. This patch makes sure that /sys/fs/cgroup is always a readwrite tmpfs, but that the actual cgroup hierarchy paths (/sys/fs/cgroup/$subsystem) are readonly if :ro or :mixed is used. This still has the desired effect within the container (no cgroup escalation possible and programs get errors if they try to do so anyway), while keeping Ubuntu containers happy. Signed-off-by: Christian Seiler <christian@iwakd.de> Cc: Serge Hallyn <serge.hallyn@ubuntu.com> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

3a5ec236b75773991873cd4d3d7a3dcb8499eec6 18-Feb-2014 Dwight Engen <dwight.engen@oracle.com>

doc: update for commit 69aa6655 Signed-off-by: Dwight Engen <dwight.engen@oracle.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>

4473e38b99cd0b3f20839c2bf02058a987319f1d 13-Feb-2014 KATOH Yasufumi <karma@jazz.email.ne.jp>

doc: Update lxc.container.conf(5)
- Update Japanese man for commit a7c27357b33d726a326a11e1e72f68e1546b994a, seccomp v2
- Fix typo in English man
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp> Acked-by: Stéphane Graber <stgraber@ubuntu.com>

a7c27357b33d726a326a11e1e72f68e1546b994a 13-Feb-2014 Serge Hallyn <serge.hallyn@ubuntu.com>

seccomp: extend manpage, and add examples Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>

a17b1e65faaffe34c83860e599be21ad8e59b338 31-Jan-2014 Stéphane Graber <stgraber@ubuntu.com>

Implement lxc.rootfs.options This introduces a new lxc.rootfs.options which lets you pass new mountflags/mountdata when mounting the root filesystem. Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

55fc19a1042bca36ae431cb4a51c2abc0ca4d801 23-Jan-2014 Stéphane Graber <stgraber@ubuntu.com>

doc: Try to clear some confusion about lxc.conf Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>