conf: use bind-mount for /dev/ptmx

AppArmor will refuse on /dev/ptmx being a symlink.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

autotools: check for cap_get_file

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

caps: skip file capability checks on android

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

attach|unshare: fix the wrong comment

Signed-off-by: 0x0916 <w@laoqinren.net>

fix typo introduced in #1509

Signed-off-by: Evgeni Golov <evgeni@debian.org>

idmap improvements

ls: simplify the judgment condition when list active containers

Signed-off-by: 0x0916 <w@laoqinren.net>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

The new{g,u}idmap binaries where a source of trouble for users when they lacked
sufficient privileges. This commit adds code to check for sufficient privilege.
It checks whether new{g,u}idmap is root owned and has the setuid bit set and if
it doesn't it checks whether new{g,u}idmap is root owned and has CAP_SETUID in
its CAP_PERMITTED and CAP_EFFECTIVE set.

Closes #296.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Add two new helpers that allow to determine whether a given proc or file has a
capability in the given set and move lxc_cap_is_set() to static function that
both call internally.

Closes #296.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

android: add prlimit implementation for 32bit

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

start: fix error handling when limits fail to apply

(The code was moved here from the child side of the startup
without adapting the error case.)
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

Resource Limits

These functions define pointer to their key shifted by a
number and guard access to it later via another variable.
Let's make this more explicit (and additionally have the
pointer be NULL in the case where it is not supposed to be
used).
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

This adds lxc.limit.<name> options consisting of one or two
colon separated numerical values (soft and optional hard
limit). If only one number is specified it'll be used for
both soft and hard limit. Additionally the word 'unlimited'
can be used instead of numbers.

Eg.
  lxc.limit.nofile = 30000:32768
  lxc.limit.stack = unlimited
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

remove obsolete note about api stability

Signed-off-by: Jakob Gillich <jakob@gillich.me>

make Alpine template more POSIX shell friendly #1498

Signed-off-by: Vincent Catros <vincent.catros@laposte.net>

Increased buffer length in print_stats()

Avoid waiting for bridge interface on bootup

Some "/sys" entries exceeds buffer size.
This results to some statistics loss ('BlkIO' in particular):

 wc -c /sys/fs/cgroup/blkio/lxc/alt/blkio.throttle.io_service_bytes
 318 /sys/fs/cgroup/blkio/lxc/alt/blkio.throttle.io_service_bytes
Signed-off-by: Denis Pynkin <dans@altlinux.org>

Signed-off-by: Torsten Fohrer <tfohrer@googlemail.com>

tools: exit with return code of lxc_execute()

Signed-off-by: Serge Hallyn <serge@hallyn.com>

Keep veth.pair.name on network shutdown

In case of a container that is rebooting, freeing veth.pair.name here results in losing given veth.pair name
(Only if given lxc_netdev is reused).
Signed-off-by: Torsten Fohrer <tfohrer@googlemail.com>