- 17 Jun, 2015 1 commit
-
-
有张纸 authored
systemd services like logind and journald need CAP_SETFCAP CAP_SETPCAP
-
- 16 Jun, 2015 2 commits
-
-
Stéphane Graber authored
use `hostname` for DHCP_HOSTNAME in ifcfg-eth0
-
Lenz Grimmer authored
Updated centos/fedora/oracle templates to use `hostname` for DHCP_HOSTNAME in /etc/sysconfig/network/ifcfg-eth0, so the container's host name is propagated to the host's DHCP server (e.g. dnsmasq, which also acts as the DNS server). This resolves lxc/lxd#756
Signed-off-by: Lenz Grimmer <lenz@grimmer.com>
-
- 15 Jun, 2015 1 commit
-
-
Stéphane Graber authored
Adopt capability (lxc.cap.drop) documentation from other distros in Gentoo config, drop setpcap and sys_nice
-
- 13 Jun, 2015 1 commit
-
-
Dennis Schridde authored
Documents setpcap,sys_admin,sys_resources as breaking systemd, but does not drop them from lxc.cap.drop, as the default init system on Gentoo is OpenRC, thus stuff breaking systemd can be blocked anyway. This also drops setpcap and sys_nice caps, as these are also dropped in other non-systemd distros. Most of the explanatory blurb was copied from other distros' configs. See-Also: https://bugs.gentoo.org/show_bug.cgi?id=551792
Signed-Off-By: Dennis Schridde <devurandom@gmx.net>
-
- 12 Jun, 2015 4 commits
-
-
Serge Hallyn authored
When starting a daemonized container, only the original parent thread should return to the caller. The first forked child immediately exits after forking, but the grandparent child was in some places returning on error - causing a second instance of the calling function.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Tycho Andersen <tycho.andersen@canonical.com>
-
Stéphane Graber authored
Translate untranslated section titles in Japanese man pages
-
Stéphane Graber authored
Added container-cache option to templates
-
Sungbae Yoo authored
Signed-off-by: Sungbae Yoo <sungbae.yoo@samsung.com>
-
- 11 Jun, 2015 9 commits
-
-
Kevin Carter authored
This change adds in the container-cache option within the mainline default lxc templates. The purpose here is to allow a template to pull from a location that may not be `@LOCALSTATEDIR@/cache/lxc`
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
-
Stéphane Graber authored
Fix creation of dev/mqueue and dev/shm on Gentoo
-
Dennis Schridde authored
The dev/mqueue and dev/shm directories do not exist when using lxc.autodev, thus they have to be created upon mount.
Signed-off-by: Dennis Schridde <devurandom@gmx.net>
-
Stéphane Graber authored
Update lxc-oracle.in fix a bug
-
有张纸 authored
-
Tycho Andersen authored
In various places throughout the code, we want to "nullify" the std fds, opening them to /dev/null or zero or so. Instead, let's unify this code and do it in such a way that Coverity (probably) won't complain.
v2: use /dev/null for stdin as well
v3: add a comment about use of C's short circuiting
v4: axe comment, check errors on dup2, s/quiet/need_null_stdfds
Reported-by: Coverity
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
Tycho Andersen authored
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
Tycho Andersen authored
Reported-by: Coverity
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
Tycho Andersen authored
We're leaking the FILE* here while closing the underlying fd; let's just close the file and thus close both.
Reported-by: Coverity
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
- 09 Jun, 2015 2 commits
-
-
Stéphane Graber authored
fix build on mpc85xx
-
Daniel Golle authored
Initialize ret to 0 so compiler no longer complains about
monitor.c: In function 'lxc_monitor_open':
monitor.c:212:5: error: 'ret' may be used uninitialized in this function [-Werror=maybe-uninitialized]
https://github.com/openwrt/packages/issues/1356
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
-
- 08 Jun, 2015 2 commits
-
-
Serge Hallyn authored
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
Serge Hallyn authored
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
- 04 Jun, 2015 1 commit
-
-
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
-
- 03 Jun, 2015 6 commits
-
-
Stéphane Graber authored
Instead of re-defining MS_ options all over the place, just revert the last change to bdev.h so we have all the defines in there again.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
-
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
-
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
-
Serge Hallyn authored
Commit 37cf711b added a destroy hook, but when it checks at destroy time whether that hook exists, it assumes that c->lxc_conf is good. In fact lxc_conf can be NULL, so check for that.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Tycho Andersen authored
We use the right path when actually execing criu to checkpoint and restore, but when checking versions we didn't. Let's use the right path.
Reported-by: Dietmar Maurer <dietmar@proxmox.com>
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Serge Hallyn authored
and don't use it if not. This fixes failure to build with older cgmanager.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
- 02 Jun, 2015 5 commits
-
-
Serge Hallyn authored
commit 507cee36 moved the close and re-open of fds 0-2 into do_start. But this means that the lxc monitor itself keeps the caller's fds 0-2 open, which is wrong for daemonized containers. Closes #548
Reported-by: Mathieu Le Marec - Pasquet <kiorky@cryptelium.net>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Serge Hallyn authored
We were using 'all' controller if current was in all the same cgroup. That doesn't suffice. We'd have to check the target. At that point we may as well just attach controller by controller. An optimization to consider is to check the /proc/initpid/cgroup for all identical controllers. Let's start by just getting it right.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
KATOH Yasufumi authored
Update for commit 37cf711b
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Tycho Andersen authored
When restoring, we didn't clean up the pidfile that criu uses to pass us the init pid on error or success; let's do that.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Stéphane Graber authored
Until we bump the SONAME to liblxc2, only symbol additions and struct member additions are allowed. Adding struct members in the middle of the struct breaks backward compatibility. This commit makes it clear when struct members were added and moves a few members that were added in the middle of the 1.0 struct to the end of it. Note that unfortunately that means we're breaking backward compatibility between LXC 1.1.0 and the state after this commit, given 1.1 is reasonably new, this is the least damaging way of fixing the problem.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
- 26 May, 2015 6 commits
-
-
KATOH Yasufumi authored
Current aufs supports FS_USERNS_MOUNT by using allow_userns module parameter. It allows root in userns to mount aufs. This patch allows an unprivileged container to use aufs. The value of xino option is changed to /dev/shm/aufs.xino that an unpriv user can write.
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Serge Hallyn authored
(I erred in the first patch, causing every lxc-attach to unmount the container's /proc) Since we now use mount_proc_if_needed() from attach, as opposed to only from start, we cannot assume we are pid 1. So fix the check for whether to mount a new proc.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Serge Hallyn authored
To set lsm labels, a namespace-local proc mount is needed. If a container does not have a lxc.mount.auto = proc set, then tasks in the container do not have a correct /proc mount until init feels like doing the mount. At startup we handle this by mounting a temporary /proc if needed. We weren't doing this at attach, though, so that
lxc-start -n $container
lxc-wait -t 5 -s RUNNING -n $container
lxc-attach -n $container -- uname -a
could in a racy way fail with something like
lxc-attach: lsm/apparmor.c: apparmor_process_label_set: 183 No such file or directory - failed to change apparmor profile to lxc-container-default
Thanks to Chris Townsend for finding this bug at https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1452451
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Bogdan Purcareata authored
On certain systems, some binaries needed by the container features (dropbear, openssh), may be placed in non-standard (aka non-distribution-managed locations), such as /usr/local/*, /opt/local/*, etc. Don't copy the respective binaries in the container and return a clear error why. The user should only use these binaries if they are installed at system-wide locations on the host, such as /{s,}bin or /usr/{s,}bin.
v2: - check that binary paths adhere to /{,usr/}{,s}bin only
Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Bogdan Purcareata authored
Currently, when installing OpenSSH in a Busybox container, the template searches for all the OpenSSH client binaries available in the Debian distro package. The included tools might differ from distro to distro, so make part of the tools optional. The mandatory tools, without which installing OpenSSH fails, are "sshd" for the server and "ssh" and "scp" for the client.
Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
KATOH Yasufumi authored
Update for commit c15ea607
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-