Template catches arch from uname -m, but for ppc64el system, arch reports ppc64le
which doesn't match image repo.
Signed-off-by: Thierry Fauck <tfauck@free.fr>
Signed-off-by: Serge Hallyn <serge@hallyn.com>

doc: Add lxc.no_new_privs to Japanese lxc.container.conf(5)

Update for commit 222ddc
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>

implement PR_SET_NO_NEW_PRIVS in liblxc

make rsync deal with sparse files efficiently

Signed-off-by: Lukas Pirl <git@lukas-pirl.de>

c/r: free valid_opts if necessary

2cb80427 introduced a malloc without a
matching free.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>

lxczfs: small fixes

- We expect destroy to fail in zfs_clone() so try to silence it so users are
  not irritated when they create zfs snapshots.
- Add -r recursive to zfs_destroy(). This code is only hit when a) the
  container has no snapshots or b) the user calls destroy with snapshots. So
  this should be safe. Without -r snapshots will remain.
Signed-off-by: Christian Brauner <christian.brauner@canonical.com>

c/r: zero a smaller than known migrate_opts struct

Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>

templates: use correct cron version in alpine template

Signed-off-by: Alex Athanasopoulos <alex@melato.org>

Signed-off-by: Christian Brauner <christian.brauner@canonical.com>

Signed-off-by: Christian Brauner <christian.brauner@canonical.com>

Signed-off-by: Christian Brauner <christian.brauner@canonical.com>

- When we detect that the container, we want to attach to, has been stared with
  PR_SET_NO_NEW_PRIVS we attach with PR_SET_NO_NEW_PRIVS as well. (We might
  relax this restriction later but let's be strict for now.)
- When LXC_ATTACH_NO_NEW_PRIVS is set in the flags passed to
  lxc_attach()/attach_child_main() then we set PR_SET_NO_NEW_PRIVS irrespective
  of whether the container was started with PR_SET_NO_NEW_PRIVS or not.
- Set no_new_privs before lsm and seccomp. We probably don't want attach() to
  be able to change the lsm or seccomp policy if the container was started with
  PR_SET_NO_NEW_PRIVS enabled.
Signed-off-by: Christian Brauner <christian.brauner@canonical.com>

We will reuse the newly initialized container for PR_SET_NO_NEW_PRIVS.
Signed-off-by: Christian Brauner <christian.brauner@canonical.com>

Add a flag for PR_SET_NO_NEW_PRIVS. It is off by default.
Signed-off-by: Christian Brauner <christian.brauner@canonical.com>

Set no_new_privs after setting the lsm label. If we do set it before we aren't
allowed to change the label anymore.
Signed-off-by: Christian Brauner <christian.brauner@canonical.com>

Signed-off-by: Christian Brauner <christian.brauner@canonical.com>

configure: add --disable-werror

syslog tweaks

console: use correct log name

Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>

Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>

- add lxc_syslog_priority_to_string()
- add lxc_syslog_priority_to_int()
- remove syslog_facility struct
- add lxc.syslog to lxc_getconfig struct
- adapt config_syslog() callback
Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>

-Werror may break builds on some scenarios with trivialities
(especially during developments).
Signed-off-by: Jérôme Pouiller <jezz@sysmic.org>

lxc_console is used with lxc_console.c
Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>

templates: remove creation of bogus directory in Debian templates

An incorrect quoting introduced in bf39edb3 caused a /{lib,etc} folder to
appear in Debian templates

The very next line :
    mkdir -p "${rootfs}/etc/systemd/system/getty.target.wants

makes creating ${rootfs}/etc/systemd/system/ unnecessary in the first
place
Signed-off-by: Maxime Besson <maxime.besson@smile.fr>

templates: rm halt.target -> sigpwr.target symlink

Given commit 330ae3d3:

    lxccontainer: detect if we should send SIGRTMIN+3

    This is required by systemd to cleanly shutdown. Other init systems should not
    have SIGRTMIN+3 in the blocked signals set.

we should stop symlinking halt.target to sigpwr.target for systemd.
Signed-off-by: Christian Brauner <cbrauner@suse.de>

set FULL_PATH_NAMES=NO in doc/api/Doxyfile

otherwise the generated docs have the full build path in them
and nonbody cares that the files were built in
 /build/lxc-_BVY2u/lxc-2.0.4/src/lxc/
Signed-off-by: Evgeni Golov <evgeni@debian.org>

Migration fixes

Previously, we write a "success" status but tried to parse the pid. This
meant that we wouldn't notice a successful restore but failure to parse the
pid, which was a little strange.

We still don't know the child pid, so we will end up with a restored
process tree and a running container, but at least in this case the API
will return false indicating that something failed.

We could kill(-1, 9) in this case, but since liblxc runs as root sometimes
(e.g. LXD), that would be a Very Bad Thing.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>

Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>

c/r: Fix pid_t on some arches