This patch fixes following build errors.

running build_ext
building '_lxc' extension
creating build/temp.linux-x86_64-3.4
gcc -pthread -Wno-unused-result -Werror=declaration-after-statement -DDYNAMIC_ANNOTATIONS_ENABLED=1 -DNDEBUG -g -fwrapv -O3 -Wall -Wstrict-prototypes -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong --param=ssp-buffer-size=4 -fPIC -I../../src -I../../src -I/usr/include/python3.4m -c lxc.c -o ./build/temp.linux-x86_64-3.4/lxc.o
lxc.c: In function ‘convert_tuple_to_char_pointer_array’:
lxc.c:49:5: error: ISO C90 forbids mixed declarations and code [-Werror=declaration-after-statement]
     char **result = (char**) calloc(argc + 1, sizeof(char*));
     ^
lxc.c:60:9: error: ISO C90 forbids mixed declarations and code [-Werror=declaration-after-statement]
         char *str = NULL;
         ^
lxc.c: In function ‘Container_get_cgroup_item’:
lxc.c:822:5: error: ISO C90 forbids mixed declarations and code [-Werror=declaration-after-statement]
     char* value = (char*) malloc(sizeof(char)*len + 1);
     ^
lxc.c: In function ‘Container_get_config_item’:
lxc.c:861:5: error: ISO C90 forbids mixed declarations and code [-Werror=declaration-after-statement]
     char* value = (char*) malloc(sizeof(char)*len + 1);
     ^
lxc.c: In function ‘Container_get_keys’:
lxc.c:903:5: error: ISO C90 forbids mixed declarations and code [-Werror=declaration-after-statement]
     char* value = (char*) malloc(sizeof(char)*len + 1);
     ^
cc1: some warnings being treated as errors
error: command 'gcc' failed with exit status 1
Makefile:472: recipe for target 'all' failed
make[3]: *** [all] Error 1
make[3]: Leaving directory '/home/masami/codes/lxc/src/python-lxc'
Makefile:394: recipe for target 'all-recursive' failed
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory '/home/masami/codes/lxc/src'
Makefile:338: recipe for target 'all' failed
make[1]: *** [all] Error 2
make[1]: Leaving directory '/home/masami/codes/lxc/src'
Makefile:484: recipe for target 'all-recursive' failed
make: *** [all-recursive] Error 1

build env:
distribution: Arch Linux
gcc version 4.9.1 20140903 (prerelease) (GCC)
Signed-off-by: Masami Ichikawa <masami256@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Otherwise the check will return false if securityfs was not mounted
by the container's configuration.  In the past we let that quietly
proceed, but unconfined.  Now that we restrict such container
starts, this caused lxc-test-apparmor to fail.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Dwight Engen <dwight.engen@oracle.com>

(Dwight, I took the liberty of adding your Ack but the code did
change a bit to continue passing the char *label from attach.
Tested that "lxc-start -n u1 -s lxc.aa_profile=p2; lxc-attach -n u1"
does attach you to the p2 profile)

Apparmor policies require mount restrictions to fullfill many of
their promises - for instance if proc can be mounted anywhere,
then 'deny /proc/sysrq-trigger w' prevents only accidents, not
malice.

The mount restrictions are not available in the upstream kernel.
We can detect their presence through /sys.  In the past, when
we detected it missing, we would not enable apparmor.  But that
prevents apparmor from helping to prevent accidents.

At the same time, if the user accidentaly boots a kernel which
has regressed, we do not want them starting the container thinking
they are more protected than they are.

This patch:

1. adds a lxc.aa_allow_incomplete = 1 container config flag.  If
not set, then any container which is not set to run unconfined
will refuse to run.   If set, then the container will run with
apparmor protection.

2. to pass this flag to the apparmor driver, we pass the container
configuration (lxc_conf) to the lsm_label_set hook.

3. add a testcase.  To test the case were a kernel does not
provide mount restrictions, we mount an empty directory over
the /sys/kernel/security/apparmor/features/mount directory.  In
order to have that not be unmounted in a new namespace, we must
test using unprivileged containers (who cannot remove bind mounts
which hide existing mount contents).
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

This idea came from Andy Lutomirski.  Instead of using a
temporary directory for the pivot_root put-old, use "." both
for new-root and old-root.  Then fchdir into the old root
temporarily in order to unmount the old-root, and finally
chdir back into our '/'.

Drop lxc.pivotdir from the lxc.container.conf manpage.

Warn when we see a lxc.pivotdir entry (but keep it in the
lxc.conf for now).
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

quiet mode was overriden by the double call of lxc_log_init
see lxc_container_new

use lxc_log_options_no_override in order to fix this
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: William Dauchy <william@gandi.net>

Introduce a new list of controllers just containing "all".

Make the lists of controllers null-terminated.

If the cgmanager api version is high enough, use the 'all' controller
rather than walking all controllers, which should greatly reduce the
amount of dbus overhead.  This will be especially important for
those going through a cgproxy.

Also remove the call to cleanup cgroups when a cgroup existed.  That
usually fails (and failure is ignored) since the to-be-cleaned-up
cgroup is busy, but we shouldn't even be trying.  Note this can
create for extra un-cleanedup cgroups, however it's better than us
accidentally removing a cgroup that someone else had created and was
about to use.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Looks like lxc-checkpoint was missing the log inititalization code, so it never
actually logged anything when the options were provided.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

CRIU 1.3 has a pretty crippling deadlock which will cause dumping containers to
fail fairly often. This is fixed in criu 1.3.1, so we shouldn't run the tests
on anything less than that.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

After looking through some logs, it is a little cleaner to do it as
below, instead of what I originally posted.

Tycho

In order for LXC to be the parent of the restored process, CRIU needs to
restore init as its sibling, not as its child. This was previously accomplished
essentially via luck :). CRIU now has a --restore-sibling option which forces
this behavior that LXC expects. See more discussion in this thread:
http://lists.openvz.org/pipermail/criu/2014-September/thread.html#16330

v2: don't pass --restore-sibling to dump. This is mostly cosmetic, but will
    look less confusing in the logs if people ever look at them.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Explain why we insist that root use newuidmap if it is available.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Call tar with --numeric-owner option to use numbers for user/group
names because the whole uid/gid in rootfs should be consistently
unchanged as in original stage3 tarball and private portage.
Signed-off-by: TAMUKI Shoichi <tamuki@linet.gr.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

We can also narrow the scope of this, since we only need it in the process that
is actually going to use it.
Reported-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

If we just return here, we end up with two processes executing the caller's
code, which is not good.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

criu version 1.3 has been tagged, which has the minimal set of patches to allow
checkpointing and restoring containers. lxc-test-checkpoint-restore is now
skipped on any version of criu lower than 1.3.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

This option is required when migrating containers across hosts; it is used to
restore inotify via file paths instead of file handles, which aren't preserved
across hosts.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Regardless of whether "installpkg" command exists or not, install the
command temporarily with static linked tar command into the lxc cache
directory to keep the original uid/gid of files/directories.  Also,
use sed command instead of ed command for simplicity.
Signed-off-by: TAMUKI Shoichi <tamuki@linet.gr.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

And add a testcase.

The code to update hwaddrs in a clone was walking through the container
configuration and re-printing all network entries.  However network
entries from an include file which should not be printed out were being
added to the unexpanded config.  With this patch, at clone we simply
update the hwaddr in-place in the unexpanded configuration file, making
sure to make the same update to the expanded network configuration.

The code to update out lxc.hook statements had the same problem.
We also update it in-place in the unexpanded configuration, though
we mirror the logic we use when updating the expanded configuration.
(Perhaps that should be changed, to simplify future updates)

This code isn't particularly easy to review, so testcases are added
to make sure that (1) extra lxc.network entries are not added (or
removed), even if they are present in an included file, (2) lxc.hook
entries are not added, (3) hwaddr entries are updated, and (4)
the lxc.hook entries are properly updated (only when they should be).
Reported-by: Stéphane Graber <stgraber@ubuntu.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Those aren't supported, it's just a lucky coincidence that they weren't
causing problems.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

When managing containers, I need to take action based on container
exit status. For instance, if it exited abnormally (status!=0), I
sometime want to respawn it automatically. Or, when invoking
`lxc-stop` I want to know if it terminated gracefully (ie on `SIGTERM`)
or on `SIGKILL` after a timeout.

This patch adds a new message type `lxc_msg_exit_code,` to preserve
ABI. It sends the raw status code as returned by `waitpid` so that
listening application may want to apply `WEXITSTATUS` before. This is
what `lxc-monitor` does.
Signed-off-by: Jean-Tiare LE BIGOT <jean-tiare.le-bigot@ovh.net>

To ask cgmanager to chown files as an unpriv user, we must send the
request from the container's namespace (with our own userid also
mapped in).  However when we create a new namespace then we must
open a new dbus connection, so that our credential and the credential
on the dbus socket match.  Otherwise the proxy will refuse the request.

Because we were warning about this failure but not exiting, the failure
was not noticed until the unprivileged container went on to try to
administer its cgroups, i.e. creating a container inside itself.

Fix this by having the do_chown_cgroup create a new cgmanager connection.
In order to reduce the number of connections, since the list of subsystems
is global anyway, don't call do_chown_cgroup once for each controller,
just call it once and have it run over all controllers.

(This patch does not change the fact that we don't fail if the
chown failed.  I think we should change that, but let's do it in a
later patch)
Reported-by: Stéphane Graber <stgraber@ubuntu.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Update for commit 735f2c6eSigned-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

With the new hashed command socket names (e8589841), it's possible to
have something like below;

[caglar@qop:~/go/src/github.com/lxc/go-lxc(master)] cat /proc/net/unix | grep lxc
0000000000000000: 00000002 00000000 00010000 0001 01 53465 @lxc/d086e835c86f4b8d/command
[...]

list_active_containers reads /proc/net/unix to find all running
containers but this new format no longer includes the container name or
its lxcpath.

This patch introduces two new commands (LXC_CMD_GET_NAME and
LXC_CMD_GET_LXCPATH) and starts to use those in list_active_containers
call.

changes since v1:
 - added sanity check proposed by Serge
Signed-off-by: S.Çağlar Onur <caglar@10ur.org>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

This patch adds support for checkpointing and restoring containers via CRIU.
It adds two api calls, ->checkpoint and ->restore, which are wrappers around
the CRIU CLI. CRIU has an RPC API, but reasons for preferring exec() are
discussed in [1].

To checkpoint, users specify a directory to dump the container metadata (CRIU
dump files, plus some additional information about veth pairs and which
bridges they are attached to) into this directory. On restore, this
information is read out of the directory, a CRIU command line is constructed,
and CRIU is exec()d. CRIU uses the lxc-restore-net callback (which in turn
inspects the image directory with the NIC data) to properly restore the
network.

This will only work with the current git master of CRIU; anything as of
a152c843 should work. There is a known bug where containers which have been
restored cannot be checkpointed [2].

[1]: http://lists.openvz.org/pipermail/criu/2014-July/015117.html
[2]: http://lists.openvz.org/pipermail/criu/2014-August/015876.html

v2: fixed some problems with the s/int/bool return code form api function
v3: added a testcase, fixed up the man page synopsis
v4: fix a small typo in lxc-test-checkpoint-restore
v5: remove a reference to the old CRIU_PATH, and a bad error about the same
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

distutils can't handle paths to source files containing '..'. It will
try to navigate away from the build directory and fail. To fix that,
before building the python module, transform all the path variables then
cd to the srcdir, and set the build directory manually.

This is hopefully the last needed fix to use separate build and
source diretories.
Signed-off-by: Daniel Miranda <danielkza2@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Now that default.conf is generated/linked during the configuration
phase, it should not longer be removed in the 'clean' stage, or
subsequent builds will fail. Only remove it during 'dist-clean'.
Signed-off-by: Daniel Miranda <danielkza2@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Just setting path isn't enough.  Clear the whole environment, and only set
$PATH.  It's all we need - ovs-vsctl is running fine this way.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Signed-off-by: Bill Kolokithas <kolokithas.b@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Added check of services in container before start or stop.
Added check of syslog config existence prior changing.
Signed-off-by: Denis Pynkin <dans@altlinux.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

1. don't determine ovs-vsctl path at configure time, do it at runtime

2. lxc-user-nic: set a sane path to protect from unpriv users
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Signed-off-by: S.Çağlar Onur <caglar@10ur.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

If statvfs does not exist, then don't recalculate mount flags
at remount.

If someone does need this, they could replace the code (only
if !HAVE_STATVFS) with code parsing /proc/self/mountinfo (which
exists in the recent git history)
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Same problem as we had with mount_entry().  lxc_mount_auto_mounts()
sometimes does bind mount followed by remount to change options.
With recent kernels it must pass any preexisting NODEV/NOSUID/etc
flags.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Use statvfs instead of parsing /proc/self/mountinfo to check for the
flags we need to and into the msbind mount flags.  This will be faster
and the code is cleaner.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Building LXC in a separate target directory, by running configure from
outside the source tree, failed with multiple errors, mostly in the
Python and Lua extensions, due to assuming the source dir and build dir
are the same in a few places. To fix that:

- Pre-process setup.py with the appropriate directories at configure
  time
- Introduce the build dir as an include path in the Lua Makefile
- Link the default container configuration file from the alternatives
  in the configure stage, instead of setting a variable and using it
  in the Makefile
Signed-off-by: Daniel Miranda <danielkza2@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

This prevents u2 from going into /home/u1/.local/share/lxc/u1/rootfs
and running setuid-root applications to get write access to u1's
container rootfs.

v2: set umask to 002 for the mkdir.  Otherwise if umask happens to be,
say, 022, then user does not have write permissions under the container
dir and creation of $containerdir/partial file will fail.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

When we read a lxc.network.hwaddr line, if it contained any 'x's then
those get quitely filled in at config_network_hwaddr.  If that happens
then we want to save the autogenerated hwaddr in the unexpanded config
so that when we write it to disk, it is saved.

This patch dumbly re-generates the network configuration in the
unexp configuration every time we load a config file, just as we do
after every clone.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>