Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

template: oci template supports for char user info

oci template changes character user info to uid, gid
according to OCI image spec.

Signed-off-by: Jungsub Shin jungsub_shin@tmax.co.kr

cgroups: tweaks

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: implement monitor cgroup deletion

tree-wide: fix includes to fix bionic builds

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

netns_ifaddrs: fix missing include

doc: Add -u and -g args to Japanese lxc-attach(1) and lxc-execute(1)

Update for commit ddd51fdb and 08401048Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

compiler: add __hot attribute

compiler: fix __noreturn on bionic

This instructs the compiler to better optimize the config parsing code.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

The same way we need to ensure that no existing cgroups are reused for
the payload in cgfsng_payload_create() we need to ensure that no
existing cgroups are reused for the monitor. Technially this is less of
an issue since there currently is no logic for the monitor to apply
limits to its cgroup but it is still the proper way to do it.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Since we switched to the new cgroup scoping scheme that places the
container payload into lxc.payload/<container-name> and
lxc.monitor/<container-name> deletion becomes slightly more complicated.
The monitor will be able to rm_rf(lxc.payload/<container-name>) but will
not be able to rm_rf(lxc.monitor/<container-name>) since it will be
located in that cgroup and it will thus be populated.
My current solution to this is to create a lxc.pivot cgroup that only
exists so that the monitor process on container stop can pivot into it,
call rm_rf(lxc.monitor/<container-name>) and can then exit. This group
has not function whatsoever apart from this and can thus be shared by
all monitor processes.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

apparmor: account for specified rootfs path (closes #2617)

cgfsng: set errno to ENOENT on get_hierarchy()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

stop: Only freeze if freezer is available

Closes #2644
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

network: add netns_getifaddrs() implementation

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

This commit introduces my concept of a network namespace aware
getifaddrs(), i.e. netns_getifaddrs(). This presupposes a kernel that
carries my IF{L}A_TARGET_NETNSID patches:

struct netns_ifaddrs {
        struct netns_ifaddrs *ifa_next;

        /* Can - but shouldn't be - NULL. */
        char *ifa_name;

        /* This field is not present struct ifaddrs. */
        int ifa_ifindex;

        unsigned ifa_flags;

        /* This field is not present struct ifaddrs. */
        int ifa_mtu;

        /* This field is not present struct ifaddrs. */
        int ifa_prefixlen;

        struct sockaddr *ifa_addr;
        struct sockaddr *ifa_netmask;
        union {
                struct sockaddr *ifu_broadaddr;
                struct sockaddr *ifu_dstaddr;
        } ifa_ifu;

        /* If you don't know what this is for don't touch it. */
        void *ifa_data;
};

which is a superset of struct ifaddrs. It contains additional
information such as the mtu, ifindex of the interface and the prefix
length of the address.
Note that the field ordering is different. So don't get any ideas of
using memcpy() to copy from an old struct ifaddrs into a struct
netns_ifaddrs.

int netns_getifaddrs(struct netns_ifaddrs **ifap, __s32 netns_id, bool *netnsid_aware)

takes a network namespace identifier as argument which identifies the
target network namespace.
If successfull, i.e. netns_getifaddrs() returns 0, callers should check
the bool *netnsid_aware return argument. If it is true then
RTM_GET{ADDR,LINK} requests are fully netnsid aware. If it is false then
they are not and the information returned in struct netns_ifaddrs does
*not* contain correct information about the target network namespace
identified by netnsid.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

compiler: compiler based hardening

compiler: __attribute__((noreturn)) on bionic

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

macro: add STRLITERALLEN() and STRARRAYLEN()