Update Japanese lxc.container.conf(5)

and:
* remove empty paragraph in English man
* untabify in Japanese man
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>

Update for commit 14a7b0f9Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>

Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>

Update for commit 61d7a733Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>

Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>

start: reap intermediate process

When we inherit namespaces we need to reap the attaching process.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf.c: add relative option for lxc.mount.entry

Signed-off-by: Yifeng Tan <tanyifeng1@huawei.com>

lxc_init: fix cgroup parsing 

utils: use lxc_raw_clone() in run_command()

coverity: #1426132
coverity: #1426133
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1426131
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commands: fix race when open()/close() cmd socket

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

This is based on raw_clone in systemd but adapted to our needs. The main reason
is that we need an implementation of fork()/clone() that does guarantee us that
no pthread_atfork() handlers are run. While clone() in glibc currently doesn't
run pthread_atfork() handlers we should be fine but there's no guarantee that
this won't be the case in the future. So let's do the syscall directly - or as
direct as we can. An additional nice feature is that we get fork() behavior,
i.e. lxc_raw_clone() returns 0 in the child and the child pid in the parent.

Our implementation tries to make sure that we cover all cases according to
kernel sources. Note that we are not interested in any arguments that could be
passed after the stack.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

add --share-$NS= support to lxc-execute

dir_detect: warn on eperm

criu: add feature check capability

When we report STOPPED to a caller and then close the command socket it is
technically possible - and I've seen this happen on the test builders - that a
container start() right after a wait() will receive ECONNREFUSED because it
called open() before we close(). So for all new state clients simply close the
command socket. This will inform all state clients that the container is
STOPPED and also prevents a race between a open()/close() on the command socket
causing a new process to get ECONNREFUSED because we haven't yet closed the
command socket.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

This adds a simple test case which verifies that the new migrate() API
command 'MIGRATE_FEATURE_CHECK' works as expected.

If a feature does not exist on the currently running
architecture/kernel/criu combination it does not report an error as this
is a valid scenario.
Signed-off-by: Adrian Reber <areber@redhat.com>

For migration optimization features like pre-copy or post-copy migration
the support cannot be determined by simply looking at the CRIU version.
Features like that depend on the architecture/kernel/criu combination
and CRIU offers a feature checking interface to query if it is
supported.

This adds a LXC interface to query CRIU for those feature via the
migrate() API call. For the recent pre-copy migration support in LXD
this can be used to automatically detect if pre-copy migration should be
used.

In addition to the existing migrate() API commands this adds a new
command: 'MIGRATE_FEATURE_CHECK'.

The migrate_opts{} structure is extended by the member features_to_check
which is a bitmask defining which CRIU features should be queried.

Currently only the querying of the features FEATURE_MEM_TRACK and
FEATURE_LAZY_PAGES is supported.
Signed-off-by: Adrian Reber <areber@redhat.com>

if user has lxc.rootfs.path = /some/path/foo, but can't access
some piece of that path, then we'll get an unhelpful "failed to
mount" without any indication of the problem.

At least show that there is a permission problem.
Signed-off-by: Serge Hallyn <shallyn@cisco.com>

Signed-off-by: Tycho Andersen <tycho@tycho.ws>

confile: add lxc.hook.version

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Unblocks #2013.
Unblocks #2015.
Closes #1766.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Unblocks #2013.
Unblocks #2015.
Closes #1766.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Unblocks #2013.
Unblocks #2015.
Closes #1766.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

This can be used by scripts to detect what version of the hooks are used.

Unblocks #2013.
Unblocks #2015.
Closes #1766.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Unblocks #2013.
Unblocks #2015.
Closes #1766.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

start: fix cgroup namespace preservation

Signed-off-by: Tycho Andersen <tycho@tycho.ws>

...otherwise we'll kill everyone on the machine. Instead, let's explicitly
try to kill our children. Let's do a best effort against fork bombs by
disabling forking via the pids cgroup if it exists. This is best effort for
a number of reasons:

* the pids cgroup may not be available
* the container may have bind mounted /dev/null over pids.max, so the write
  doesn't do anything
Signed-off-by: Tycho Andersen <tycho@tycho.ws>

coverity: bugfixes

lxccontainer: only attach netns on netdev detach

tools: block using lxc-execute without config file

conf: avoid spawning unnecessary subshells