- already found /etc/localtime
- duplicate creation /etc/resolv.conf
Signed-off-by: otofune <otofune@gmail.com>

lxc-checkconfig: verify new[ug]idmap are setuid-root

Signed-off-by: Serge Hallyn <serge@hallyn.com>

lxc-alpine: few modifications

Some mirrors from the mirrors list are not very reliable and it seems
that no one really wants to use some random mirror as the default
option.
Signed-off-by: Jakub Jirutka <jakub@jirutka.cz>

Signed-off-by: Jakub Jirutka <jakub@jirutka.cz>

Patch from Harald Dunkel + tweak

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Signed-off-by: Harald Dunkel <harald.dunkel@aixigo.de>

lxc-user-nic: improvements

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Before this commit, lxc-user-nic could potentially have been tricked into
operating on a network namespace over which the caller did not hold privilege.

This commit ensures that the caller is privileged over the network namespace by
temporarily dropping privilege.

Launchpad: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1654676Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

seccomp: set SCMP_FLTATR_ATL_TSKIP if available

Newer libseccomp has a flag called SCMP_FLTATR_ATL_TSKIP which
allows syscall '-1' (nop) to be executed.  Without that flag,
debuggers cannot skip system calls inside containers.  For reference,
see the seccomp(2) manpage, which says:

	The tracer can skip the system call by changing the system call  number  to  -1.

and see the seccomp issue #80
Signed-off-by: Serge Hallyn <serge@hallyn.com>

cgfsng: make trim() safer

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

log: fix lxc_unix_epoch_to_utc()

The conversion algorithm used uses a clever trick by letting a year start at 1
March. So we need to add 1 for January and February.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

start: dumb down SIGCHLD from WARN() to NOTICE()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

debian template: Allow to embed a SSH public key in the new container

squeeze is not a supported release anymore, drop the key

Signed-off-by: Evgeni Golov <evgeni@debian.org>

Fix issue with the clonehostname hook not working for overlayfs snapshot clones

Previously this hook did not work when cloning containers using an overlayfs snapshot as the LXC_ROOTFS_PATH didn't point to the actual filesystem that the container would see. LXC_ROOTFS_MOUNT should be used instead and in fact lxc.container.conf man page says that you usually would want to use the _MOUNT variant.
Signed-off-by: Matt Keeler <mjkeeler7@gmail.com>

c/r: only supply --ext-mount-map for bind mounts

lxc-download: Bump compat level to 4

For templates introduced after LXC 2.0 was released.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Various fixes for Fedora bootstrapping on non-Fedora hosts

Signed-off-by: Reto Gantenbein <reto.gantenbein@linuxmonk.ch>

Signed-off-by: Reto Gantenbein <reto.gantenbein@linuxmonk.ch>

- Make sure mirror URL is queried for $FEDORA_RELEASE_DEFAULT
- Fix image path for URLs queried via mirror list
Signed-off-by: Reto Gantenbein <reto.gantenbein@linuxmonk.ch>

Signed-off-by: Reto Gantenbein <reto.gantenbein@linuxmonk.ch>

sabayon: Use /bin/bash

The script is full of bashisms making it break when run with a simple
POSIX shell.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Complete rework of lxc-fedora template

The rest of the mounts can be restored normally.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>