Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

autotools: support -z relro and -z now

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

utils: add lxc_setup_keyring()

Allocate a new keyring if we can to prevent information leak.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

oci-template: Add logic for no /etc/passwd, group

OCI image spec dosen't specify action when there is
no /etc/passwd or /etc/group. So if there is no
/etc/passwd with string user info, set uid to 0. If there
is no /etc/group with string group info, set gid to 0.

Signed-off-by: Jungsub Shin jungsub_shin@tmax.co.kr

btrfs: fix btrfs containers

Closes #2612.
Closes #2655.

Fixes: 9de31d5a ("tree-wide: s/strncpy()/strlcpy()/g")
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

template: oci template supports for char user info

oci template changes character user info to uid, gid
according to OCI image spec.

Signed-off-by: Jungsub Shin jungsub_shin@tmax.co.kr

cgroups: tweaks

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: implement monitor cgroup deletion

tree-wide: fix includes to fix bionic builds

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

netns_ifaddrs: fix missing include

doc: Add -u and -g args to Japanese lxc-attach(1) and lxc-execute(1)

Update for commit ddd51fdb and 08401048Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

compiler: add __hot attribute

compiler: fix __noreturn on bionic

This instructs the compiler to better optimize the config parsing code.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

The same way we need to ensure that no existing cgroups are reused for
the payload in cgfsng_payload_create() we need to ensure that no
existing cgroups are reused for the monitor. Technially this is less of
an issue since there currently is no logic for the monitor to apply
limits to its cgroup but it is still the proper way to do it.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Since we switched to the new cgroup scoping scheme that places the
container payload into lxc.payload/<container-name> and
lxc.monitor/<container-name> deletion becomes slightly more complicated.
The monitor will be able to rm_rf(lxc.payload/<container-name>) but will
not be able to rm_rf(lxc.monitor/<container-name>) since it will be
located in that cgroup and it will thus be populated.
My current solution to this is to create a lxc.pivot cgroup that only
exists so that the monitor process on container stop can pivot into it,
call rm_rf(lxc.monitor/<container-name>) and can then exit. This group
has not function whatsoever apart from this and can thus be shared by
all monitor processes.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

apparmor: account for specified rootfs path (closes #2617)

cgfsng: set errno to ENOENT on get_hierarchy()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

stop: Only freeze if freezer is available

Closes #2644
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>