Some tools require /sys/devices/virtual/net to be read-write. At the
same time we want all other parts of /sys to be read-only. To do this we
created a layout where we hade a read-only instance of sysfs mounted on
top of a read-write instance of sysfs:

`-/sys                                  sysfs                                                        sysfs      rw,nosuid,nodev,noexec,relatime
  `-/sys                                sysfs                                                        sysfs      ro,nosuid,nodev,noexec,relatime
    |-/sys/devices/virtual/net          sysfs                                                        sysfs      rw,relatime
    | `-/sys/devices/virtual/net        sysfs[/devices/virtual/net]                                  sysfs      rw,nosuid,nodev,noexec,relatime

This causes issues for systemd services that create a separate mount
namespace as they get confused to what mount options need to be
respected.

Simplify our mounting logic so we end up with a single read-only mount
of sysfs on /sys and a read-write bind-mount of /sys/devices/virtual/net:

├─/sys                                sysfs                                                                                  sysfs         ro,nosuid,nodev,noexec,relatime
│ ├─/sys/devices/virtual/net          sysfs[/devices/virtual/net]                                                            sysfs         rw,nosuid,nodev,noexec,relatime

Link: systemd/systemd#20032
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Simon Deziel <simon.deziel@canonical.com>

lxc_container_init() creates the container payload process as it's child
so lxc_container_init() itself never really exits and thus the parent
isn't notified about the child exec'ing since the sync file descriptor
is never closed. Make sure it's closed to notify the parent about the
child's exec.

In addition we're currently leaking all file descriptors associated with
the handler into the stub init. Make sure that all file descriptors
other than stderr are closed.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

We can let the child finish calling exec before continuing in the
parent.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Instead of having a statically linked init that we put on the host fs
somewhere via packaging, have to either bind mount in or detect fexecve()
functionality, let's just call it as a library function. This way we don't
have to do any of that.

This also fixes up a bunch of conditions from:

if (quiet)
    fprintf(stderr, "log message");

to

if (!quiet)
    fprintf(stderr, "log message");

:)

and it drops all the code for fexecve() detection and bind mounting our
init in, since we no longer need any of that.

A couple other thoughts:

* I left the lxc-init binary in since we ship it, so someone could be using
  it outside of the internal uses.
* There are lots of unused arguments to lxc-init (including presumably
  --quiet, since nobody noticed the above); those may be part of the API
  though and so we don't want to drop them.
Signed-off-by: Tycho Andersen <tycho@tycho.pizza>

and the item is copied (strdup()) to the array.
Thus, when an item is removed from an array, memory allocated for that item
should be freed, successive items should be left-shifted and the array
realloc()ed again (size-1).

Additional changes:
- If strdup() fails in add_to_array(), then an array should be
  realloc()ed again to original size.
- Initialize an array in list_all_containers().
Signed-off-by: Tomasz Blaszczak <tomasz.blaszczak@consult.red>

Fixes: #3881
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

When an item is added to an array, then the array is realloc()ed (to size+1),
and the item is copied (strdup()) to the array.
Thus, when an item is removed from an array, allocated memory pointed by
the item (not the item itself) should be freed, successive items should
be left-shifted and the array realloc()ed again (size-1).

Additional changes:
- Initialize an array in list_all_containers().
Signed-off-by: Tomasz Blaszczak <tomasz.blaszczak@consult.red>

and the item is copied (strdup()) to the array.
Thus, when an item is removed from an array, memory allocated for that item
should be freed, successive items should be left-shifted and the array
realloc()ed again (size-1).

Additional changes:
- If strdup() fails in add_to_array(), then an array should be
  realloc()ed again to original size.
- Initialize an array in list_all_containers().
Signed-off-by: Tomasz Blaszczak <tomasz.blaszczak@consult.red>

Fixes: #3703
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

The LISTEN_FDS environment variable defines the number of
file descriptors that should be inherited by the container,
in addition to stdio.
The LISTEN_FDS environment variable is defined in the OCI spec
and used to support socket activation.

Refs #3845
Signed-off-by: Ruben Jenster <r.jenster@drachenfels.de>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

The function lxc_string_split_quoted and lxc_string_split_and_trim use
realloc to reduce the memory. But the result may be NULL, the the
returned memory will be uninitialized
Signed-off-by: LiFeng <lifeng68@huawei.com>

This is needed for lxcri.

Fixes: #3862
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

This indicates that LXC supports idmapping the rootfs and
idmapped lxc.mount.entry entries.

Link: https://github.com/lxc/lxd/issues/8870Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Don't include skipped containers in the failed count.

Fixes: #3857
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Link: https://bugs.launchpad.net/ubuntu-kernel-tests/+bug/1931064Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Fixes: #3853
Suggested-by: Tycho Andersen <tycho@tycho.pizza>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Closes #3093
Closes #3602

Add support for nftables firewall rules if `nft` command line
interface is available in the system
Signed-off-by: Pablo Correa Gómez <ablocorrea@hotmail.com>

Some users report that compilation fails because of reports that this
variable can be used uninitialized. Initialize it to silence the
compiler.

Fixes: https://github.com/lxc/lxc/issues/3850Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Fixes: Coverity 1484906
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Make sure we catch any weird behavior.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Wei Mingzhi <weimingzhi@baidu.com>