More general for all list options.

Seems to currently affect:
lxc.network (clear all NICs)
lxc.network.* (clear current NIC)
lxc.cap.drop
lxc.cap.keep
lxc.cgroup
lxc.mount.entry
lxc.mount.auto
lxc.hook
lxc.id_map
lxc.group
lxc.environment
Signed-off-by: Marko Hauptvogel <marko.hauptvogel@googlemail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Update for commit 7eff30fdSigned-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

We no longer use mirrors.kernel.org.
Commit f71e8f41 switched it to archives.fedoraproject.org
Signed-off-by: Nehal J Wani <nehaljw.kkd1@gmail.com>

Show the ifindex in case it's useful
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

When preserving fds for the stop hook, make sure to also save
any fds we've inherited.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

We were freeing one and setting a different one to NULL, eventually
leading to a crash when closing the netdev (at container shutdown)
and freeing already-freed memory.

Closes #732
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

`bash-completion` version 2.1 and later no longer include the `have` command,
and consequently the `lxc` competion file fails on such systems. The command is
now called `_have`.
Signed-off-by: Peter Simons <simons@cryp.to>

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Closes #1459
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

nlmsg_reserve() might return NULL

        if (nlmsg_len + tlen > nlmsg->cap)
                return NULL;

Also set err = -ENOMEM where appropriate
Signed-off-by: Wim Coekaerts <wim.coekaerts@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

From b24b0e16848fbb93402a08efa3950cd59272b8da Mon Sep 17 00:00:00 2001
From: Marko Hauptvogel <marko.hauptvogel@googlemail.com>
Date: Sun, 3 Jan 2016 23:07:19 +0100
Subject: [PATCH] Documenting valueless lxc.cap.drop behaviour

Undocummented behaviour since 7d0eb87e.
Signed-off-by: Marko Hauptvogel <marko.hauptvogel@googlemail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

jenkins: ok to test
Signed-off-by: Tw <tw19881113@gmail.com>

As lxc_attach() calls fork() PyOS_AfterFork should be called in the new
process if the Python interpreter will continue to be used.
Signed-off-by: Danil Osherov <shindo@yandex-team.ru>

Signed-off-by: Eva Charlotte Mayer <eva-charlotte.mayer@posteo.de>

Signed-off-by: Wesley Marques <wesleymr.27@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

zgrep is a script provided by the 'gzip' package, which may not be
installed on embedded systems etc which use busybox instead of the
standard full-featured utilities.
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>

Physical nic is not instantiated in lxc_create_network
Signed-off-by: Li Qiu <li.qiu@nomovok.com>

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Closes #712
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

This is to avoid:

https://errors.ubuntu.com/problem/d640a68bf7343705899d7ca8c6bc070d477cd845Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Check if symbols SCMP_ARCH_ARM and SCMP_ARCH_PPC are defined.
Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Generally we enforce that a [arch] seccomp section can only be used on [arch].
However, on amd64 we allow [i386] sections for i386 containers, and there we
also take [all] sections and apply them for both 32- and 64-bit.

Do that also for ppc64 and arm64.  This allows seccomp-protected armhf
containers to run on arm64.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

In which case lxc will not update the apparmor profile at all.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

The commit: e5848d39 <netdev_move_by_index: support wlan> only
made netdev_move_by_name support wlan, instead of netdev_move_by_index.

Given netdev_move_by_name is a wrapper of netdev_move_by_index, so here
replacing all of the call to lxc_netdev_move_by_index with lxc_netdev_move_by_name
to let lxc-start support wlan phys.
Signed-off-by: fupan li <fupan.li@windriver.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

This is currently breaking our daily image builds which happen in a
perfectly clean environment without a Debian keyring and without
anything in /var/cache/lxc
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

It breaks container starts.

This reverts commit 473ebc77.

Commit b6b2b194 preserves the container's namespaces for
possible later use in stop hook.  But some kernels don't have
/proc/pid/ns/ns for all the namespaces we may be interested in.
So warn but continue if this is the case.

Implement stgraber's suggested semantics.

 - User requests some namespaces be preserved:
    - If /proc/self/ns is missing => fail (saying kernel misses setns)
    - If /proc/self/ns/<namespace> entry is missing => fail (saying kernel misses setns for <namespace>)
 - User doesn't request some namespaces be preserved:
    - If /proc/self/ns is missing => log an INFO message (kernel misses setns) and continue
    - If /proc/self/ns/<namespace> entry is missing => log an INFO message (kernel misses setns for <namespace>) and continue
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

lxc uses uname to check the kernel version.  Seccomp respects userspace.  In the case
of 32-bit userspace on 64-bit kernel, this was a bad combination.

When we run into that case, make sure that the compat seccomp context is 32-bit, and
the lxc->seccomp_ctx is the 64-bit.

Closes #654
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

When running the debian template on a non-debian host, it's usual not to
have debian-archive-keyring.gpg. When that happens, we skip the
signature checking of the release, which is dangerous because it's made over
HTTP.

This commit adds automatic fetching of Debian release keys.

Strongly related to #409
Signed-off-by: Virgil Dupras <hsoft@hardcoded.net>

This fixes invocations of certain commands when python3 is installed in
a nonstandard path (/usr/local/bin, for example).
Signed-off-by: Fox Wilson <2016fwilson@tjhsst.edu>

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

 - Update list of supported releases
 - Make the fallback release trusty
 - Don't specify the compression algorithm (use auto-detection) so that
   people passing tarballs to the template don't see regressions.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

* fix "reg" to "req" in English (fix for commit b8683fef)
* change "opt" to "req" in Japanese
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

The systemd-sysctl service includes condition that /proc/sys/ has to be read-write.
In lxc only /proc/sys/net/ is read-write which causes the condition to fail and service not to run.
This patch changes the check to /proc/sys/net/ and makes the service apply only rules that are in net tree.
Signed-off-by: Jakub Sztandera <kubuxu@gmail.com>

Instead of duplicating the cleanup-code, once for success and once for failure,
simply keep a variable fret which is -1 in the beginning and gets set to 0 on
success or stays -1 on failure.
Signed-off-by: Christian Brauner <christianvanbrauner@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

The mount_entry_overlay_dirs() and mount_entry_aufs_dirs() functions create
workdirs and upperdirs for overlay and aufs lxc.mount.entry entries. They try
to make sure that the workdirs and upperdirs can only be created under the
containerdir (e.g. /path/to/the/container/CONTAINERNAME). In order to do this
the right hand side of

                if ((strncmp(upperdir, lxcpath, dirlen) == 0) && (strncmp(upperdir, rootfs->path, rootfslen) != 0))

was thought to check if the rootfs->path is not present in the workdir and
upperdir mount options. But the current check is bogus since it will be
trivially true whenever the container is a block-dev or overlay or aufs backed
since the rootfs->path will then have a form like e.g.

        overlayfs:/some/path:/some/other/path

This patch adds the function ovl_get_rootfs_dir() which parses rootfs->path by
searching backwards for the first occurrence of the delimiter pair ":/". We do
not simply search for ":" since it might be used in path names. If ":/" is not
found we assume the container is directory backed and simply return
strdup(rootfs->path).
Signed-off-by: Christian Brauner <christianvanbrauner@gmail.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>