- 09 Mar, 2020 1 commit
-
-
Matthias Hardt authored
If lxc_add_state_client() is called with the container already being in the desired state the client fd will never be closed and is leaking. This is due to setting stay_connected in lxc_cmd for LXC_CMD_ADD_STATE_CLIENT. If the desired state isn't already achieved the client fd will later be closed by calling lxc_cmd_fd_cleanup() but in the other case the client configuration isn't added to the handler's state clients. So the client fd has to be closed explicitly. This is simply tested by starting container A and calling lxc-wait -n A -s RUNNING. Signed-off-by: Matthias Hardt <matthias.hardt@gmail.com>
-
- 08 Mar, 2020 4 commits
-
-
Christian Brauner authored
network: Adds short sleep between veth setup and neighbour proxy add
-
Christian Brauner authored
network: Uses netlink for IP neighbour proxy management
-
Thomas Parrott authored
There is an intermittent issue, experienced on at least Ubuntu 18.04 (5.3.0-40-generic) and Alpine 3.11 (5.4.12-1-virt) when using the router network interface type that causes the IP proxy neighbour entries on the host side of the veth pair to not be created. The `ip neigh add proxy` command returns without an error, however by the time the network up hook has started the IP neighbour proxy entries are no longer there (if they ever were). I've also tested this using netlink rather than the ip command to add and both are equally affected. Adding a short sleep between setting up the veth pair and adding the proxy entries appears to fix it. Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>
-
Thomas Parrott authored
Removes need for ip command when managing IP neighbour proxies. Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>
-
- 05 Mar, 2020 4 commits
-
-
Stéphane Graber authored
utils: only move_fd() when fdopen() has been successful
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Stéphane Graber authored
fixes
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
- 29 Feb, 2020 1 commit
-
-
Christian Brauner authored
src/lxc/raw_syscalls.c: fix sparc assembly
-
- 28 Feb, 2020 5 commits
-
-
Fabrice Fontaine authored
Build of lxc 3.2.1 fails with ultrasparc on: raw_syscalls.c: In function ‘lxc_raw_clone’: raw_syscalls.c:66:3: error: invalid 'asm': invalid operand output code asm volatile( ^~~ Issue has been added with commit b52e8e68 which added %g1 instead of %%g1 Fixes: - http://autobuild.buildroot.org/results/17c2319850f02f24da6fbef9656c07f86fdc5a3a Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
-
Stéphane Graber authored
cgroups: honor lxc.cgroup.pattern if set explicitly II
-
Stéphane Graber authored
cgroups: honor lxc.cgroup.pattern if set explicitly
-
- 25 Feb, 2020 2 commits
-
-
Stéphane Graber authored
cgroups: remove unused method and cleanup cgroup_exit()
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
- 13 Feb, 2020 1 commit
-
-
Stéphane Graber authored
tree-wide: improve setgroups() dropping
-
- 12 Feb, 2020 1 commit
-
-
Christian Brauner authored
Drop groups before we change to userns root. Reported-by: Teddy Reed <teddy.reed@gmail.com> Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
- 10 Feb, 2020 2 commits
-
-
Christian Brauner authored
lxclock: fix a small memory leak
-
Tycho Andersen authored
if (!name), we allocate an unnamed semaphore, but if we then fail to allocate/create the lock, we don't free this semaphore, and we just leak it. Signed-off-by: Tycho Andersen <tycho@tycho.ws>
-
- 05 Feb, 2020 4 commits
-
-
Christian Brauner authored
container.conf: Fix parsing of config options:
-
Maximilian Blenk authored
Add a comment that documents that more specific options of a namespace have to be added above more generic options in config_jump_table. Signed-off-by: Maximilian Blenk <Maximilian.Blenk@bmw.de>
-
Maximilian Blenk authored
Currently lxc.selinux.context.keyring is placed after lxc.selinux.context in config_jump_table. This entails that if lxc.selinux.context.keyring is specified, lxc.selinux.context will be matched to that option. This commit places the lxc.selinux.context.keyring before lxc.selinux.context. Signed-off-by: Maximilian Blenk <Maximilian.Blenk@bmw.de>
-
Maximilian Blenk authored
This commit fixes an off-by-2 in config option parsing (due to missing parenthesis). The error occurs if for instance lxc.net.0.type is parsed. In that case, the .0 is removed from the string. However, due to the missing parenthesis, the null terminating character is off by two which means the modified config option would be lxc.net.typepe instead of lxc.net.type. Signed-off-by: Maximilian Blenk <Maximilian.Blenk@bmw.de>
-
- 31 Jan, 2020 4 commits
-
-
Christian Brauner authored
Add keyring option
-
Maximilian Blenk authored
Signed-off-by: Maximilian Blenk <Maximilian.Blenk@bmw.de>
-
Maximilian Blenk authored
lxc sets up a new session keyring for every container by default. There might be valid use-cases where this is not wanted / needed (e.g. systemd by default creates a new session keyring anyway). Signed-off-by: Maximilian Blenk <Maximilian.Blenk@bmw.de>
-
Maximilian Blenk authored
lxc sets up a new session keyring for every container by default. If executed on an SELinux enabled system, by default, the keyring inherits the label of the creating process. If executed with the currently available SELinux policy, this means that the keyring is labeled with the lxc_t type. Applications inside the container, however, might expect that the keyring is labeled with a certain context (and will fail to access the keyring if it's not explicitly allowed in the global policy). This patch introduces the config option lxc.selinux.context.keyring which makes it possible to specify the label of the newly created keyring. That is, the keyring can be labeled with the label expected by the started application. Signed-off-by: Maximilian Blenk <Maximilian.Blenk@bmw.de>
-
- 27 Jan, 2020 2 commits
-
-
Christian Brauner authored
cgroups: fix default cgroup pattern
-
Kirill Petrov authored
Signed-off-by: Kirill Petrov <yakutskkirill@mail.ru>
-
- 17 Jan, 2020 1 commit
-
-
Stéphane Graber authored
start: fix container killing logic
-
- 16 Jan, 2020 1 commit
-
-
Christian Brauner authored
We need to account for the case where pidfds are not supported by the kernel in question. Closes: #3254 Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
- 15 Jan, 2020 2 commits
-
-
Christian Brauner authored
network: Restore fixed MTU functionality
-
Thomas Parrott authored
If MTU setting is provided in network device config then always use it rather than inheriting from the link device. Affected both bridge and router veth modes. Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>
-
- 14 Jan, 2020 4 commits
-
-
Stéphane Graber authored
test: increase timeout for api reboot tests
-
Christian Brauner authored
cgroup.c: fix memory leak at cgroup init failed
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
LiFeng authored
Signed-off-by: LiFeng <lifeng68@huawei.com>
-
- 10 Jan, 2020 1 commit
-
-
Stéphane Graber authored
network: improve veth device creation
-