First, we're doing this so long a there is any cgroup config item -
even if no devices ones.  Then if devices is not available we fail.
This was leading to Rob E's mysterious startup failures.

Secondly, we're not even using this info.  The user was removed
awhile back.
Signed-off-by: Serge Hallyn <serge@hallyn.com>

Fix typo found by lintian

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

lxc-debian: fix regression when creating wheezy containers

The regression was introduced by commit
3c39b0b7 which makes it possible to
create working stretch containers by forcinig `init` to be in the
included package list.

However, `init` didn't exit before jessie, so now for wheezy we
explicitly include `sysvinit`; sysvinit on wheezy is essential,
so it would already be included anyway.
Signed-off-by: Antonio Terceiro <terceiro@debian.org>

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Include all lxcmntent.h function declarations on Bionic

Newer versions of Android (5.0+, aka API Level 21+) include mntent.h,
which declares setmntent and endmntent. This hits an edge
case with the preprocessor checks in lxcmntent.h because HAVE_SETMNTENT
and HAVE_ENDMNTENT are both defined (in Bionic's mntent.h), but conf.c
always includes lxcmntent.h on Bionic! As a result, we get compiler
warnings of implicit function declarations for setmntent endmntent.

This patch always includes setmntent/endmntent/hasmntopt function
declarations on Bionic, which gets rid of these warnings.
Signed-off-by: Preetam D'Souza <preetamjdsouza@gmail.com>

c/r: use criu's "full" mode for cgroups

A while ago cgroup modes were introduced to CRIU, which slightly changed
the behavior w.r.t. cgroups under the hood. What we're really after is
criu's --full mode, i.e. even if a particular cgroup directory exists
(in particular /lxc/$container[-$number] will, since we create it), we
should restore perms on that cgroup.

Things worked just fine for actual properties (except "special" properties
as criu refers to them, which I've just sent a patch for) because liblxc
creates no subdirectories, just the TLD.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>

copied from lxc-ubuntu.in
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
Acked-by: Serge Hallyn <serge@hallyn.com>

copied from lxc-ubuntu.in
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
Acked-by: Serge Hallyn <serge@hallyn.com>

The profile already contains
  mount options=(rw, make-slave) -> **,

Which allows going through all mountpoints with make-slave,
so it seems to make sense to also allow the directly
recursive variant with "make-rslave".
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

More apparmor tweaks

Properly list all of the states and the right apparmor stanza for them,
then comment them all as actually enabling this would currently let the
user bypass apparmor entirely.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Force lxc-instance to behave like a good Upstart client

Remove unnecessary shell wrap around job start.
Force foreground execution to allow job monitoring and control.

Signed-off-by Andrey Repin <anrdaemon@yandex.ru>

apparmor: Allow bind-mounts and {r}shared/{r}private

Bind-mounts aren't harmful in containers, so long as they're not used to
bypass MAC policies.

This change allows bind-mounting of any path which isn't a dangerous
filesystem that's otherwise blocked by apparmor.

This also allows switching paths {r}shared or {r}private.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

plamo: Improve Plamo template

* configure to start only the minimum of service
* add ntp, kmod to ignore packages
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>

lxc-debian: make sure init is installed

init 1.34 is not "Essential" anymore, in order to make it not required
on minimal chroots, docker containers, etc. Because of that we now need
to manually include it on systems that are expected to boot.
Signed-off-by: Antonio Terceiro <terceiro@debian.org>

lxc-debian: allow to specify a binfmt interpreter

If you specify an interpreter path with "-I" or "--interpreter-path",
the architecture of the debian container can differ from the one of
the host.

Before creating the container, binfmt must be configured on the host:
the script checks the name of the interpreter in /proc/sys/fs/binfmt_misc/
to know where to install it in the container.

To create a MIPS container on an x86_64 host:

$ cat /proc/sys/fs/binfmt_misc/qemu-mips
enabled
interpreter //qemu-mips
flags: OC
offset 0
magic 7f454c4601020100000000000000000000020008
mask ffffffffffffff00fffffffffffffffffffeffff

$ sudo lxc-create -n virtmips-stretch -t debian -- \
                 --arch=mips \
                 --interpreter-path=./mips-linux-user/qemu-mips \
                 --mirror=http://ftp.debian.org/debian \
                 --release=stretch
Signed-off-by: Laurent Vivier <laurent@vivier.eu>

Unable to login via console in OL7.2

There is container-getty.service with OL7.2 systemd, it
is also used for managing the getty service, use that
instead and not manually create it.
Signed-off-by: Thomas Tanaka <thomas.tanaka@oracle.com>

Drop lxc-devsetup as unneeded by current autodev

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

python-lxc: follow global rpath setting for autotools builds

When LXC is configured with --enable-rpath, I expect Python bindings
to be able to find the library in a non-standard location, just like
LXC command-line tools.
Signed-off-by: Aleksandr Mezin <mezin.alexander@gmail.com>

Move apt-transport-https to global packages_template

In many environments the preference is to configure containers with
apt mirrors that are SSL-secured.

When building containers using the download template this can't be
done unless an insecure mirror is first used to install the
apt-transport-https package, then the sources reconfigured to
use the https URL.

When building containers without using the download template this
can't be done unless the container creator specifically includes
this package in the package list at build time. It seems more
intuitive to me to have the package installed by default.

Commit 396f75ab added the package
to the minbase variant, but this variant is not used by the download
template build process. The build process instead specifies no
variant, so this patch moves the package from the packages_template
package list in the minbase variant to the global packages_template
package list, ensuring that this package is included in all Ubuntu
build images that use the lxc-ubuntu template.
Signed-off-by: Jesse Pretorius <jesse.pretorius@rackspace.co.uk>

start containers in foreground when using the lxc@.service

lxc-start started to default to daemonize the container when starting
this conflicts with type=simple of the systemd unit

call lxc-start with -F and thus force execution in foreground
that way we can feed the log to journald properly and keep type=simple

Debian-Bug: https://bugs.debian.org/826100Signed-off-by: Evgeni Golov <evgeni@golov.de>

python-lxc: fix breakage caused by the switch to setuptools

To keep source directory clean.
Signed-off-by: Aleksandr Mezin <mezin.alexander@gmail.com>

This implies '--single-version-externally-managed', which we
actually want for autotools builds.

Fixes current problems with jenkins test suite.
Signed-off-by: Aleksandr Mezin <mezin.alexander@gmail.com>

python-lxc: use setuptools instead of distutils