Align with upstream libseccomp.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxccontainer: cleanup attach functions

Specifically, refloat function arguments and remove useless comments.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

attach: do not reload container

Let lxc_attach() reuse the already initialized container.

Closes https://github.com/lxc/lxd/issues/5755.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

network: Fixes bug that stopped down hook from running for phys netdevs

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

network: move phys netdevs back to monitor's net ns rather than pid 1's

Updates lxc_restore_phys_nics_to_netns() to move phys netdevs back to the monitor's network namespace rather than the previously hardcoded PID 1 net ns.

This is to fix instances where LXC is started inside a net ns different from PID 1 and physical devices are moved back to a different net ns when the container is shutdown than the net ns than where the container was started from.
Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

configure: handle checks when cross-compiling

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Use %m instead of strerror() when available

Suppressed error prone semicolon in SYSTRACE() macro.
Signed-off-by: Rachid Koucha <rachid.koucha@gmail.com>

Use %m under HAVE_M_FORMAT instead of strerror()
Signed-off-by: Rachid Koucha <rachid.koucha@gmail.com>

initutils: Fix memleak on realloc failure

Fix returning -1 in functions with return type bool

Config: check for %m availability

GLIBC supports %m to avoid calling strerror(). Using it saves some code space.
==> This check will define HAVE_M_FORMAT to be use wherever possible (e.g. log.h)
Signed-off-by: Rachid Koucha <rachid.koucha@gmail.com>

Signed-off-by: Rikard Falkeborn <rikard.falkeborn@gmail.com>

Returning -1 in a function with return type bool is the same as
returning true. Change to return false to indicate error properly.

Detected with cppcheck.
Signed-off-by: Rikard Falkeborn <rikard.falkeborn@gmail.com>

Returning -1 in a function with return type bool is the same as
returning true. Change to return false to indicate error properly.

Detected with cppcheck.
Signed-off-by: Rikard Falkeborn <rikard.falkeborn@gmail.com>

Since _exit() will terminate, the return statement is dead code. Also,
returning -1 from a function with bool as return type is confusing.

Detected with cppcheck.
Signed-off-by: Rikard Falkeborn <rikard.falkeborn@gmail.com>

criu: Use -v4 instead of -vvvvvv

CRIU has only 4 levels of verbosity (errors, warnings, info, debug).
Thus, using `-v4` is more appropriate.

https://criu.org/LoggingSigned-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>

New --bbpath option and unecessary --rootfs checks

As suggested during the review.
Signed-off-by: Rachid Koucha <rachid.koucha@gmail.com>

lxccontainer: do not display if missing privileges

lxc-ls without root privileges on privileged containers should not display
information. In lxc_container_new(), ongoing_create()'s result is not checked
for all possible returned values. Hence, an unprivileged user can send command
messages to the container's monitor. For example:

$ lxc-ls -P /.../tests -f
NAME     STATE AUTOSTART GROUPS IPV4 IPV6 UNPRIVILEGED
ctr -     0         -      -    -    false
$ sudo lxc-ls -P /.../tests -f
NAME     STATE   AUTOSTART GROUPS IPV4      IPV6 UNPRIVILEGED
ctr RUNNING 0         -      10.0.3.51 -    false

After this change:

$ lxc-ls -P /.../tests -f      <-------- No more display without root privileges
$ sudo lxc-ls -P /.../tests -f
NAME     STATE   AUTOSTART GROUPS IPV4      IPV6 UNPRIVILEGED
ctr RUNNING 0         -      10.0.3.37 -    false
$
Signed-off-by: Rachid Koucha <rachid.koucha@gmail.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

. Add the "--bbpath" option to pass an alternate busybox pathname instead of the one found from ${PATH}.
. Take this opportunity to add some formatting in the usage display
. As a try is done to pick rootfs from the config file and set it to ${path}/rootfs, it is unnecessary to make it mandatory
Signed-off-by: Rachid Koucha <rachid.koucha@gmail.com>

coding style: update

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

network: Adds mtu support for phys and macvlan types

Redirect error messages to stderr

Some error messages were not redirected to stderr.
Moreover, do "exit 0" instead of "exit 1" when "help" option is passed.
Signed-off-by: Rachid Koucha <rachid.koucha@gmail.com>

start: use CLONE_PIDFD

Use CLONE_PIDFD when possible.

Note the clone() syscall ignores unknown flags which is usually a design
mistake. However, for us this bug is a feature since we can just pass the flag
along and see whether the kernel has given us a pidfd.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

This will allow LXD to check for custom MTU support for phys and macvlan devices.
Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

The phys devices will now have their original MTUs recorded at start and restored at shutdown.

This is to protect the original phys device from having any container level MTU customisation being applied to the device once it is restored to the host.
Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>