- 28 Jan, 2016 30 commits
-
-
Serge Hallyn authored
the new lxcpath and lxcname are not optional
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
-
Serge Hallyn authored
The new task waits until the container is STOPPED, then asks openvswitch to delete the port. This requires two new arguments to be sent to lxc-user-nic. Since lxc-user-nic ships with lxc, this shouldn't be a problem. Finally when calling lxc-user-nic, use execlp instead of execvp to preserve lxcpath's const-ness. Technically we are guaranteed that execvp won't change the args, but it's worth it to silence the warnings (and not hide real errors). With this patch, container nics are cleaned up from openvswitch bridges on shutdown.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
-
Christian Brauner authored
  - With the -g/--groups argument the user can give a comma-separated list of groups MUST a container must have in order to be displayed. We receive this list as a single string. ls_has_all_grps() is called to check if a container has all the groups of MUST in its current list of groups HAS. I.e. we determine whether MUST ⊆ HAS and only then do we record the container. The original implementation was dumb in that it split the string MUST every time it needed to check whether MUST ⊆ HAS for a given container. That's pointless work. Instead we split the string MUST only once in main() and pass it to ls_get() which passes it along to ls_has_all_grps().
  - Before doing any costly checking make sure that #MUST <= #HAS. If not bail immediately.
  - The linear search algorithm ls_has_all_grps() currently uses stays for now. Binary search et al. do not seem to make sense since sorting the array HAS for each container is probably too costly. Especially, since it seems unlikely that a user specifies 50+ or so groups on the command line a container must have to be displayed. If however there are a lot of use-cases where users have a lot of containers each with 50-100 groups and regularly use lxc-ls with -g/--groups to only show containers that have 50 specified groups among their 50-100 groups we can revisit this issue and implement e.g. binary search or a ternary search tree.
Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Christian Brauner authored
In the Python implementation users could pass a regex without a parameter flag as additional argument on the command line. The C implementation gained the flag -r/--regex for this. To not irritate users we restore the old behaviour and additionally rename -r/--regex to --filter to allow explicitly passing the regex.
Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Christian Brauner authored
  - If lxc_container_new() fails we check for ENOMEM and if so goto out. If ENOMEM is not set we will simply continue. The same goes for the call to regcomp() but instead of checking for ENOMEM we need to check for REG_ESPACE.
  - Tweaking: Since lxc-ls might have to gather a lot of containers and I don't know if compilers will always optimize this let's move *some* variable declarations outside of the loop when it does not hinder readability.
  - Set ls_nesting to 0 initially. Otherwise users will always see nested containers printed.
  - ls_get() gains an argument char **lockpath which is a string pointing us to the lock we put under /run/lxc/lock/.../... so that we can remove the lock when we no longer need it. To avoid pointless memory allocation in each new recursion level we share lockpath amongst all non-fork()ing recursive calls to ls_get(). As it is not guaranteed that realloc() does not do any memory moving when newlen == len_lockpath, we give ls_get() an additional argument size_t len_lockpath). Every time we have a non-fork()ing recursive call to ls_get() we check if newlen > len_lockpath and only then do we realloc(*lockpath, newlen * 2) a reasonable chunk of memory (as the path will keep growing) and set len_lockpath = newlen * 2 to pass to the next non-fork()ing recursive call to ls_get(). To avoid keeping a variable char *lockpath in main() which serves no purpose whatsoever and might be abused later we use a compound literal &(char *){NULL} which gives us an anonymous pointer which we can use for memory allocation in ls_get() for lockpath. We can conveniently free() it in ls_get() when the nesting level parameter lvl == 0 after exiting the loop. The advantage is that the variable is only accessible within ls_get() and not in main() while at the same time giving us an easy way to share lockpath amongst all non-fork()ing recursive calls to ls_get().
Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Stéphane Graber authored
This reverts commit 7f3c1cf2.
-
Stéphane Graber authored
This reverts commit e4434e0f.
-
Christian Brauner authored
In the Python implementation users could pass a regex without a parameter flag as additional argument on the command line. The C implementation gained the flag -r/--regex for this. To not irritate users we restore the old behaviour and additionally rename -r/--regex to --filter to allow explicitly passing the regex.
Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Christian Brauner authored
  - If lxc_container_new() fails we check for ENOMEM and if so goto out. If ENOMEM is not set we will simply continue. The same goes for the call to regcomp() but instead of checking for ENOMEM we need to check for REG_ESPACE.
  - Tweaking: Since lxc-ls might have to gather a lot of containers and I don't know if compilers will always optimize this, let's move *some* variable declarations outside of the loop when it does not hinder readability.
  - Set ls_nesting to 0 initially. Otherwise users will always see nested containers printed.
  - ls_get() gains an argument char **lockpath which is a string pointing us to the lock we put under /run/lxc/lock/.../... so that we can remove the lock when we no longer need it. To avoid pointless memory allocation in each new recursion level, we share lockpath amongst all non-fork()ing recursive calls to ls_get(). As it is not guaranteed that realloc() does not do any memory moving when newlen == len_lockpath, we give ls_get() an additional argument size_t len_lockpath). Every time we have a non-fork()ing recursive call to ls_get() we check if newlen > len_lockpath and only then do we realloc(*lockpath, newlen * 2) a reasonable chunk of memory (as the path will keep growing) and set len_lockpath = newlen * 2 to pass to the next non-fork()ing recursive call to ls_get(). To avoid keeping a variable char *lockpath in main() which serves no purpose whatsoever and might be abused later we use a compound literal &(char *){NULL} which gives us an anonymous pointer. This pointer we can use for memory allocation in ls_get() for lockpath. We can conveniently free() it in ls_get() when the nesting level parameter lvl == 0 after exiting the loop. The advantage is that the variable is only accessible within ls_get() and not in main() while at the same time giving us an easy way to share lockpath amongst all non-fork()ing recursive calls to ls_get().
Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Christian Brauner authored
Explain that multiple /lower layers can be used.
Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Christian Brauner authored
Do it in a safe way by using strstr() to check for the substring ":/" should ':' be part of a pathname.
Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Christian Brauner authored
Do it in a safe way by using strstr() to check for the substring ":/" should ':' be part of a pathname. This should be a safer implementation than the one originally suggested in #547.
Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Bogdan Purcareata authored
The safe_mount function was introduced in order to address CVE-2015-1335, one of the vulnerabilities being a mount with a symlink for the destination path. In scenarios such as lxc-execute with no rootfs, the destination path is the host /proc, which is previously mounted by the host, and is unmounted and mounted again in a new set of namespaces, therefore eliminating the need to check for it being a symlink. Mount the rootfs normally if the rootfs is NULL, keep the safe mount only for scenarios where a different rootfs is defined.
Signed-off-by: Bogdan Purcareata <bogdan.purcareata@nxp.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Christian Brauner authored
  - explain new numeric argument to --nesting
  - include common options as lxc-ls now uses the standard lxc parser
  - add history section and update authors
Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Wolfgang Bumiller authored
They change a value and return true on success rather than fetching the value as the comments previously suggested.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Christian Brauner authored
Otherwise users will always get nested containers listed.
Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Thomas Tanaka authored
The following patch fixes memory alignment and endianness issue while doing a snapshot deletion with btrfs as a backing store on platform such as sparc. The implementation is taken from btrfs-progs.
Changes since v1:
  - include <byteswap.h> for bswap definition
  - include defined function name as a comment above BTRFS_SETGET_STACK_FUNCS
Signed-off-by: Thomas Tanaka <thomas.tanaka@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Christian Brauner authored
Check if we're really on a btrfs filesystem before we call btrfs_same_fs(). Otherwise we will report misleading errors although everything went fine.
Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Christian Brauner authored
As ls_get() is non-tail recursive we face the inherent danger of blowing up the stack at some level of nesting. To have at least some security we define MAX_NESTLVL to be 5. That should be sufficient for most users. The argument lvl to ls_get() can be used to keep track of the level of nesting we are at. If lvl is greater than the allowed default level return (without error) and unwind the stack.
--nesting gains an optional numeric argument. This allows the user to specify the maximum level of nesting she/he wants to see. Fair warning: If your nesting level is really deep and/or you have a lot of containers you might run into trouble.
Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Tycho Andersen authored
No reason for these to be +x, and it looks weird.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Bogdan Purcareata authored
When running application containers with lxc-execute, /dev is populated only with device entries. Since /dev is a tmpfs mount in the container environment, the /dev/shm folder not being present is not a sufficient reason for the /dev/shm mount to fail. Create the /dev/shm directory if not present.
Signed-off-by: Bogdan Purcareata <bogdan.purcareata@nxp.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Bogdan Purcareata authored
In the current implementation, the open_without_symlink function will default to opening the root mount only if the passed rootfs prefix is null. It doesn't account for the case where this prefix is passed as an empty string. Properly handle this second case as well.
Signed-off-by: Bogdan Purcareata <bogdan.purcareata@nxp.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
-
Marko Hauptvogel authored
Should be mentioned separately because it will reset a big group of options.
Signed-off-by: Marko Hauptvogel <marko.hauptvogel@googlemail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Christian Brauner authored
The lock path for lxc is not RUNTIME_PATH/lock/lxc but rather RUNTIME_PATH/lxc/lock
Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Marko Hauptvogel authored
More general for all list options. Seems to currently affect:
  lxc.network (clear all NICs)
  lxc.network.* (clear current NIC)
  lxc.cap.drop
  lxc.cap.keep
  lxc.cgroup
  lxc.mount.entry
  lxc.mount.auto
  lxc.hook
  lxc.id_map
  lxc.group
  lxc.environment
Signed-off-by: Marko Hauptvogel <marko.hauptvogel@googlemail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
KATOH Yasufumi authored
Update for commit 7eff30fd
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
Sungbae Yoo authored
Update for commit 07945418
Signed-off-by: Sungbae Yoo <sungbae.yoo@samsung.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
- 20 Jan, 2016 6 commits
-
-
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
-
Stéphane Graber authored
Refactor templates section of .gitignore - no need to specify individual templates anymore
-
Stéphane Graber authored
.gitignore: add missing templates/sparclinux to ignore list
-
Stéphane Graber authored
Fix Comment inside Fedora Template
-
Bostjan Skufca authored
Signed-off-by: Bostjan Skufca <bostjan@a2o.si>
-
Bostjan Skufca authored
Signed-off-by: Bostjan Skufca <bostjan@a2o.si>
-
- 19 Jan, 2016 1 commit
-
-
Nehal J Wani authored
We no longer use mirrors.kernel.org. Commit f71e8f41 switched it to archives.fedoraproject.org
Signed-off-by: Nehal J Wani <nehaljw.kkd1@gmail.com>
-
- 14 Jan, 2016 2 commits
-
-
Serge Hallyn authored
Show the ifindex in case it's useful
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
Serge Hallyn authored
Add openSUSE Leap release in opensuse template
-
- 13 Jan, 2016 1 commit
-
-
Serge Hallyn authored
Otherwise every lxc-info by a user who doesn't own all his cgroups will result in a set of error messages which are really innocuous.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-