Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxccontainer: preserve ABI compatibility

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

arguments: print "-devel" when LXC_DEVEL is true

liblxc should inform users that they are using a devel version. This will have
liblxc print

    MAJOR.MINOR.PATCH-devel

if LXC_DEVEL is true and

    MAJOR.MINOR.PATCH

otherwise.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

init: rework dumb init

POC: container live patching

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

This adds set_running_config_item() which is the analogue of
get_running_config_item(). In essence it allows a caller to livepatch the
container's in-memory configuration. This POC is severly limited. Here are the
most obvious ones:
- Only the container's in-memory config can be updated but no further actions
  (e.g. on-disk actions) are made.
- Only keys in the "lxc.net." namespace can be changed. This POC also allows
  updating an existing network. For example it allows to change the network
  type of an existing network. This is obviously nonsense and in a non-POC
  implementation this should be blocked.

Use Case:
Callers can hotplug a new network for the container. For example, LXD can
create a pair of veth devices in the host and in the container and add it to
the container's in-memory config. This means, the container can later be
queried for the name of the device later on etc. Note that liblxc will
currently not delete hotplugged network devices on container shutdown since it
won't have the ifindex of the container.

Relates to https://github.com/lxc/lxd/issues/3920 .
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: make update warning opt-in

Before exec()ing we need to become session leader otherwise some shells will
not be able to correctly initialize job control.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

With the release LXC 2.1 we started warning users who use LXC through the API
and users who use LXC through the tools equally about updating their config.
This quickly got confusing and annoying to API users who e.g. generate configs
on the fly (e.g. LXD). So instead of unconditionally warning users we make this
opt-in. If LXC detects that the env variable LXC_UPDATE_CONFIG_FORMAT is set
then it will warn the user if any legacy configuration keys are present. If it
is not set however, it will not warn the user. This is ok, since the log will
still log WARN()s for all legacy configuration keys.
The tools will all set LXC_UPDATE_CONFIG_FORMAT since it is very much required
that users update to the new configuration format pre-LXC 3.0.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Don't force getty@ configuration

Add lxc.hook.start-host and lxc.execute.cmd to Japanese man page

* Add lxc.execute.cmd to Japanese lxc.container.conf(5)
* Tweak the description of the "INIT COMMAND" section and lxc.init.cmd
  in en and ja man pages.
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>

Update for commit 08dd2805Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>

implement lxc_string_split_quoted

confile: ignore lxc.kmsg and lxc.pivotdir 

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxc_string_split_quoted() splits a string on spaces, but keeps
groups in single or double qoutes together.  In other words,
generally what we'd want for argv behavior.

Switch lxc-execute to use this for lxc.execute.cmd.

Switch lxc-oci template to put the lxc.execute.cmd inside single
quotes, because parse_line() will eat those.  If we don't do that,
then if we have lxc.execute.cmd = /bin/echo "hello, world", then the
last double quote will disappear.
Signed-off-by: Serge Hallyn <shallyn@cisco.com>

Add OCI container creation template

Closes #1813

This adds preliminary (but working) support for creating application
containers from OCI formats.  Examples:

create a container from a local OCI layout in ../oci:

    sudo lxc-create -t oci -n a1 -- -u oci:../oci:alpine

Or, create a container pulling from the docker hub.

    sudo lxc-create -t oci -n u1 -- -u docker://ubuntu

The url is specified in the same format as for 'skopeo copy'.

Comments appreciated.
Signed-off-by: Serge Hallyn <shallyn@cisco.com>

drop useless apparmor denies

mem and kmem are really in /dev, so this does us no good.
Signed-off-by: Tycho Andersen <tycho@tycho.ws>

Signed-off-by: Serge Hallyn <shallyn@cisco.com>

 network: clear ifindeces

We need to clear any ifindeces we recorded so liblxc won't have cached stale
data which would cause it to fail on reboot we're we don't re-read the on-disk
config file.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

add a pre-start-host hook

This should satisfy several use cases.  The one I tested for was CNI.
I replaced the network configuration in a root owned container with:

lxc.net.0.type = empty
lxc.hook.start-host = /bin/lxc-start-netns

where /bin/lxc-start-netns contained:

=================================

echo "starting" > /tmp/debug
ip link add host1 type veth peer name peer1
ip link set host1 master lxcbr0
ip link set host1 up
ip link set peer1 netns "${LXC_PID}"
=================================

The nic 'peer1' was placed into the container as expected.

For this to work, we pass the container init's pid as LXC_PID in
an environment variable, since lxc-info cannot work at that point.
Signed-off-by: Serge Hallyn <shallyn@cisco.com>

Add support share pid namespace

Signed-off-by: LiFeng <lifeng68@huawei.com>

start: don't close inherited namespace fds

Otherwise we can never share namespaces.
Signed-off-by: LiFeng <lifeng68@huawei.com>
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>

cgfsng: check whether we have a conf

We can't rely in general on the presence of an initialized conf on cgroup init
time. One good example are our criu codepaths.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

doc: Translate lxc-update-config(1) into Japanese