Signed-off-by: Johannes Kastl <git@ojkastl.de>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

In contrast to what the comment above the line disabling it said,
it seems to work just fine.  It also is needed on current kernels
(until Eric's patch hits upstream) to prevent unprivileged containers
from hosing fuse filesystems they inherit.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

If a container has a bind mount from a host nfs or fuse
filesystem, and does 'umount -f', it will disconnect the
host's filesystem.  This patch adds a seccomp rule to
block umount -f from a container.  It also adds that rule
to the default seccomp profile.

Thanks stgraber for the idea :)
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Signed-off-by: Veres Lajos <vlajos@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Signed-off-by: S.Çağlar Onur <caglar@10ur.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

There are now two (permitted) ways to add data to netlink message:

 1. put_xxx()
 2. call nlmsg_reserve() to get a pointer to newly reserved room within the
    original netlink message, then write or memcpy data to that area.

Both of them guarantee adding requested length data do not overflow the
pre-allocated message buffer by checking against its cap field first.

And there may be no need to access nlmsg_len outside nl module, because both
put_xxx() and nlmsg_reserve() have alread did that for us.
Signed-off-by: Shuai Zhang <zs.broccoli@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

when waitpid() is interrupted, errno is not set to the negative
value -EINTR. It is set to EINTR. check against EINTR.
Signed-off-by: Arjun Sreedharan <arjun024@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Signed-off-by: Shuai Zhang <zs.broccoli@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

The previous error message made it look like the host interface name was
the concatenation of both the host and guest interface names.

Closes #374
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Signed-off-by: Cameron Norman <camerontnorman@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Do as much as possible to allow containers switching from non-systemd to
systemd to work as intended (but nothing that will cause side effects).
Use update-rc.d disable instead of remove so the init scripts are not
re-enabled when the package is updated
Signed-off-by: Cameron Norman <camerontnorman@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Update for commit e71549fcSigned-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Update for commit 67c660d0Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

This reverts commit 55ae7edb.

This change caused hangs in the testsuite, specifically with lxc-user-nic.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Ran into this when trying to automate stgraber's "GUI in containers"
post.
Signed-off-by: Casey Marshall <casey.marshall@canonical.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

This is a copy of patch version 3 for issue #278 on the issue-tracker:

 - Allow multiple bind-mounts (--bdir) and multiple cow-mounts (--cdir).

 - Further fixes to permissions throughout lxc-start-ephemeral (annotated
   in the code).

Signed-off by: Oleg Freedholm <overlayfs@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Signed-off-by: Johannes Kastl <git@ojkastl.de>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Since it's no longer written in lua.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Dwight Engen <dwight.engen@oracle.com>

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Dwight Engen <dwight.engen@oracle.com>

There are now two (permitted) ways to add data to netlink message:

1. put_xxx()
2. call nlmsg_reserve() to get a pointer to newly reserved room within the
   original netlink message, then write or memcpy data to that area.

Both of them guarantee adding requested length data do not overflow the
pre-allocated message buffer by checking against its cap field first.

And there may be no need to access nlmsg_len outside nl module, because both
put_xxx() and nlmsg_reserve() have alread did that for us.
Signed-off-by: Shuai Zhang <zs.broccoli@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Disabled building openSUSE containers on openSUSE 13.2 and  openSUSE
Tumbleweed due to faulty behaviour with newer versions of
init_buildsystem.
Signed-off-by: Johannes Kastl <git@ojkastl.de>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Create a tty so we get login prompt on console by default
Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

nlmsg_len is the length of message including header.
Signed-off-by: Shuai Zhang <zs.broccoli@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Reported-by: David Binderman
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Bind mounts do not honor filesystem mount options. This change will
remount filesystems that are bind mounted if there are changes to
filesystem mount options, specifically if the mount is readonly.
Signed-off-by: Abin Shahab <ashahab@altiscale.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

* fix "reg" to "req" in English (fix for commit b8683fef)
* change "opt" to "req" in Japanese
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Signed-off-by: Johannes Kastl <git@ojkastl.de>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Signed-off-by: Johannes Kastl <git@ojkastl.de>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Signed-off-by: Johannes Kastl <git@ojkastl.de>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Update for commit 0dcbd624Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Closes: #355
Signed-off-by: Silvio Fricke <silvio.fricke@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Signed-off-by: 謝致邦 <Yeking@Red54.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Signed-off-by: 謝致邦 <Yeking@Red54.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

This adds OpenWrt common config file.
Signed-off-by: Petar Koretic <petar.koretic@sartura.hr>
CC: Luka Perkov <luka.perkov@sartura.hr>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Support creation and use of lxc-cirros by unprivileged users.

If we detect we are an unprivileged user, then insist that we
be in a userns with a id mapping.

If we are in a userns, then don't extract /dev when extracting
the rootfs.

If we are not root, then save the tarball to ~/.cache/lxc/cirros
instead of /var/cache/lxc/cirros.

If we are not roo, then include entries to auto-mount proc and sys,
as well as bind-mount devices.

Cc: Scott Moser <smoser@ubuntu.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

This is a multipart message in MIME format.

Fixes a small (but consistent) spelling mistake in conf.c
Signed-off-by: Joel Nider <joeln@il.ibm.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>