Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

This reverts commit 37d5831e.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

When users pass -1 there's there won't be an escape sequence to exit the
console so no need to print a misleading info message about how to detach.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

This avoids the dance of updating the list of valid releases every time
Debian makes a new release.

It also fixes the following bug: even though lxc-debian will default to
creating containers of the latest stable by querying the archive, it
won't allow you to explicitly request `stable` because the current list
of valid releases don't include it.

Last, but not least, avoid hitting the mirror in the case the desired
release is one of the ones we know will always be there, i.e. stable,
testing, sid, and unstable.
Signed-off-by: Antonio Terceiro <terceiro@debian.org>

Doing that confuses locale generation. lxc-ubuntu does the same check
Signed-off-by: Antonio Terceiro <terceiro@debian.org>

Brings the number of open fds in the monitor process for a standard container
without ttys down to 17.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

The console struct is internal and liblxc takes care of creating paths.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Being able to create `testing` containers, regardless of what's the name
of the next stable, is useful in several contexts, included but not
limited to testing purposes. i.e. one won't need to explicitly switch to
`bullseye` once `buster` is released to be able to continue tracking
`testing`. While we are at it, let's also enable `unstable`, which is
exactly the same as `sid`, but there is no reason for not being able to.
Signed-off-by: Antonio Terceiro <terceiro@debian.org>

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

This template would always add "en-US.UTF-8" to the end of the container's locale.gen, which in turn confused locale-gen.
Signed-off-by: Fridtjof Mund <fridtjofmund@gmail.com>

mem and kmem are really in /dev, so this does us no good.
Signed-off-by: Tycho Andersen <tycho@tycho.ws>

Update for commit e3dd06efSigned-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>

- rework and fix pipe fd leak
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

To match names beginning with the letters "f" or "b" one can use
the regular expression "[fb].*" or "(f|b).*", but not "[f|b].*",
which would match strings beginning with "f", "|", or "b".
Signed-off-by: Christian von Roques <roques@z12.ch>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Remove executable bit.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Mimic the code from the debian template.
Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

The httpredir.debian.org service has been discontinued in favour of
deb.debian.org and httpredir.debian.org now redirects to deb.debian.org.

https://lists.debian.org/debian-mirrors/2017/02/msg00000.html
https://wiki.debian.org/DebianGeoMirror#httpredir.debian.org_.2F_http.debian.net

Cf. https://bugs.debian.org/872719Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>

Somehow "type" doesn't really work.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Shukui Yang <yangshukui@huawei.com>

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

(updated by Serge to also handle hte new lxc-fedora{-legacy{.in
templates)
Signed-off-by: Harald Dunkel <harri@afaics.de>
Signed-off-by: Serge Hallyn <serge@hallyn.com>
Acked-by: Serge Hallyn <serge@hallyn.com>

Signed-off-by: Long Wang <w@laoqinren.net>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Long Wang <w@laoqinren.net>

Signed-off-by: Long Wang <w@laoqinren.net>

It is not necessary to unlink the abstract socket pathname when
we have finished using the socket. The abstract name is automatically
removed when the socket is closed.
Signed-off-by: Long Wang <w@laoqinren.net>

This patch allows users to start containers in AppArmor namespaces.
Users can define their own profiles for their containers, but
lxc-start must be allowed to change to a namespace.

A container configuration file can wrap a container in an AppArmor
profile using lxc.aa_profile.

A process in an AppArmor namespace is restricted to view
or manage only the profiles belonging to this namespace, as if no
other profiles existed. A namespace can be created as follow:
sudo mkdir /sys/kernel/security/apparmor/policy/namespaces/$NAMESPACE

AppArmor can stack profiles so that the contained process is bound
by the intersection of all profiles of the stack. This is achieved
using the '//&' operator as follow:

lxc.aa_profile = $PROFILE//&:$NAMESPACE://unconfined

In this case, even the guest process appears unconfined in the
namespace, it is still confined by $PROFILE.

A guest allowed to access "/sys/kernel/security/apparmor/** rwklix,"
will be able to manage its own profile set, while still being
enclosed in the topmost profile $PROFILE:

Different guests can be assigned the same namespace or different
namespaces. In the first case, they will share their profiles.
In the second case, they will have distinct sets of profiles.

This is validated on privileged containers.
Signed-off-by: Frédéric Dalleau <frederic.dalleau@collabora.com>

Signed-off-by: Long Wang <w@laoqinren.net>

Signed-off-by: Long Wang <w@laoqinren.net>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>