Signed-off-by: Serge Hallyn <shallyn@cisco.com>

lxc2 broke this feature for lxc-execute, and lxc3 broke it for
lxc-attach. This adds a test making sure we don't do the same mistake
a third time.
Signed-off-by: Florian Margaine <florian@platform.sh>

Callers expect a NULL on error, and with PR #3171 marking
the pointer as __do_free, we now return a pointer to freed
memory here otherwise.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

In case the internal memfd_create has to be used, make sure we don't
clash with the already existing memfd_create function from glibc.

This can happen if this glibc function is a stub. In this case, at
./configure time, the test for this function will return false, however
the declaration of that function is still available. This leads to
compilation errors.
Signed-off-by: Patrick Havelange <patrick.havelange@essensium.com>

Partially reverts 65b92ea5 so that trying to destroy a non-existent container gives an error message.
Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

Update for commit 767bd70aSigned-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>

When calling "man lxc.container.conf", an internal "man" keyword is displayed :

$ man lxc.container.conf
[...]
lxc.mount.entry
              Specify a mount point corresponding to a line in the fstab format.  Moreover lxc supports mount  propagation,  such  as
              rslave  or  rprivate, and adds three additional mount options.  optional don't fail if mount does not work.  create=dir
              or create=file to create dir (or file) when the point will be mounted.  relative source path is taken to be relative to
              the mounted container root. For instance,

dev/null proc/kcore none bind,relative 0 0
              .fi     <-----------------------------------UNEXPECTED KEYWORD !!!!

The problem seems to come from the missing blanks before "dev/null proc/kcore none bind,relative 0 0"

Moreover, for homogeneity purposes, it is better to use the "programlisting" tag used in the rest of the text instead of  "screen".
Signed-off-by: Rachid Koucha <rachid.koucha@gmail.com>

Update for commit 0684250fSigned-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>

Signed-off-by: Caio B. Silva <caioboffo@gmail.com>

Signed-off-by: Lukas Jelinek <lukas.jelinek@nic.cz>

Signed-off-by: Caio B. Silva <caioboffo@gmail.com>

In the usual case the child runs in a separate pid namespace. So far we haven't
been able to reliably set the pdeath signal. When we set the pdeath signal we
need to verify that we haven't lost a race whereby we have been orphaned and
though we have set a pdeath signal it won't help us since, well, the parent is
dead.
We were able to correctly handle this case when we were in the same pidns since
getppid() will return a valid pid. When we are in a separate pidns 0 will be
returned since the parent doesn't exist in our pidns.
A while back, while Jann and I were discussing other things he came up with a
nifty idea: simply pass an fd for the parent's status file and check the
"State:" field. This is the implementation of that idea.
Suggested-by: Jann Horn <jann@thejh.net>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Alban VIDAL <zordhak@debian.org>

allow users to configure the option --enable-feature or --with-package, if an option is given run shell commands action-if-given
Signed-off-by: Caio B. Silva <caioboffo@gmail.com>

Signed-off-by: Caio B. Silva <caioboffo@gmail.com>

* translate pam_cgfs(8)
* support --{enable,disable}-{commands,tools} in doc/ja
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>

Signed-off-by: Venkata Harshavardhan Reddy Allu <venkataharshavardhan_ven@srmuniv.edu.in>

Signed-off-by: Caio B. Silva <caioboffo@gmail.com>

Some applications use information from LOOP_GET_STATUS64. The file
associated with loop device is pointed inside structure field
`lo_file_name`. The current code is setting up a loop device without
this information. A legacy example of code checking this is cryptsetup:

    static char *_ioctl_backing_file(const char *loop)
    {
        struct loop_info64 lo64 = {0};
        int loop_fd;

        loop_fd = open(loop, O_RDONLY);
        if (loop_fd < 0)
            return NULL;

        if (ioctl(loop_fd, LOOP_GET_STATUS64, &lo64) < 0) {
            close(loop_fd);
            return NULL;
        }

        lo64.lo_file_name[LO_NAME_SIZE-2] = '*';
        lo64.lo_file_name[LO_NAME_SIZE-1] = 0;

        close(loop_fd);
        return strdup((char*)lo64.lo_file_name);
    }

It will return an empty string because lo_file_name was not set.
Signed-off-by: Julio Faracco <jcfaracco@gmail.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Pierre-Elliott Bécue <becue@crans.org>

Commit ae68cad7 introduced a regression that
makes lxc-attach ignore the exit status of the executed command. This was first
identified in 3.0.4 LTS, while it worked on 3.0.3.

  # lxc-attach --version
  3.0.4
  # lxc-attach -n test false; echo $?
  0
Signed-off-by: Antonio Terceiro <terceiro@debian.org>
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934983

When pure cgroup unified mode is used we cannot pre-mount a tmpfs as this
confuses systemd.
Users should also set lxc.mount.auto = cgroup:force to ensure that systemd in
the container and on the host use identical cgroup layouts.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Fix: #3123
Signed-off-by: qianfan Zhao <qianfanguijin@163.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

Signed-off-by: Alexander Kriventsov <akriventsov@nic.ru>

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

``/proc`` might be mounted with ``hidepid=2``.
This makes ``/proc/1/…`` appear absent for non-root users.
When using the templates or the nvidia hook as a non-root user
(e.g., when creating unprivileged containers) the error
"/proc/1/uid_map: No such file or directory" is printed.
Since the script works correctly despite the error, this error
message might be confusing for users.
Signed-off-by: Lukas Pirl <git@lukas-pirl.de>

To be used when making file/directory names for containers (e.g. in lxccontainer.c)
Signed-off-by: Rachid Koucha <rachid.koucha@gmail.com>

To make the file/directory names, use the defines from macro.h
Signed-off-by: Rachid Koucha <rachid.koucha@gmail.com>

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

If SSL is enabled, utils will include function `do_sha1_hash()` to
generate a sha1 encrypted buffer. Last function argument of
`EVP_DigestFinal_ex()` requires a `unsigned int` but the current
parameter is an `integer` type.

See error:
utils.c:350:38: error: passing 'int *' to parameter of type 'unsigned int *' converts between pointers to integer types with different sign
      [-Werror,-Wpointer-sign]
        EVP_DigestFinal_ex(mdctx, md_value, md_len);
                                            ^~~~~~
/usr/include/openssl/evp.h:549:49: note: passing argument to parameter 's' here
                                  unsigned int *s);
Signed-off-by: Julio Faracco <jcfaracco@gmail.com>

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

Closes #3108.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>