hooks: change the semantic of NVIDIA_VISIBLE_DEVICES=""

With LXC, you can override the value of an environment variable to
null, but you can't unset an existing variable.

The NVIDIA hook was previously activated when NVIDIA_VISIBLE_DEVICES
was set to null. As a result, it was not possible to disable the hook
by overriding the environment variable in the configuration.

The hook can now be disabled by setting NVIDIA_VISIBLE_DEVICES to
null or to the new special value "void".
Signed-off-by: Felix Abecassis <fabecassis@nvidia.com>

debian: We must use iproute on wheezy

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

lsm: do not #ifdefine

Since we stopped linking against AppArmor we can now remove the conditional
compilation.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tools: make "-n" optional

confile_legacy: fix legacy network parser

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lsm: simplifcations

This lets users use the tools with "lxc-* -n <container-name>" or
"lxc-* <container-name>".
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

seccomp.c: Use return instead of attribution and return

Signed-off-by: Marcos Paulo de Souza <marcos.souza.org@gmail.com>

debian: Use iproute2 instead of iproute

The package has pretty much always been iproute2 with iproute being an
alias for it, the alias is now gone so we need to use iproute2.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Unpriv fixups

Signed-off-by: Tycho Andersen <tycho@tycho.ws>

In particular, if we are already in a user namespace we are unprivileged,
and doing things like moving the physical nics back to the host netns won't
work. Let's do the same thing LXD does if euid == 0: inspect
/proc/self/uid_map and see what that says.
Signed-off-by: Tycho Andersen <tycho@tycho.ws>

Consider the case where we're running in a user namespace but in the host's
mount ns with the host's filesystem (something like
lxc-usernsexec ... lxc-execute ...), in this case, we'll be euid 0, but we
can't actually write to /run. Let's improve this locking check to make sure
we can actually write to /run before we decide to actually use it as our
locking dir.
Signed-off-by: Tycho Andersen <tycho@tycho.ws>

[cgfsng] show wrong errno

lxc_cgroup_set_data: h = get_hierarchy(controller);
if h is NULL, now errno is old, it donot set new one.
And then,
cgfsng_setup_limits:

    if (lxc_cgroup_set_data(cg->subsystem, cg->value, d)) {
		if (do_devices && (errno == EACCES ||
			errno == EPERM)) {
			WARN("Error setting %s to %s for %s",
				cg->subsystem, cg->value,
				d->name);
			continue;
		}
		SYSERROR("Error setting %s to %s for
			 %s",
			 cg->subsystem, cg->value,
			 d->name);
		goto out;
	}

SYSERROR will show old errno, make me confused.
Signed-off-by: duguhaotian <duguhaotian@gmail.com>

bugfixes

network.c: Remove ip_forward_set and callers

The last user of ip_forward_set, lxc_ip_forward_on and
lxc_ip_forward_off was in 2009:

commit 92d38522
Author: Daniel Lezcano <dlezcano@fr.ibm.com>
Date:   Thu Oct 22 15:33:40 2009 +0200

    remove test directory

These functions are not called anymore.
Signed-off-by: Marcos Paulo de Souza <marcos.souza.org@gmail.com>

Since we write the label directly without going through the AppArmor API it
doesn't make sense to link against it.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

We can simply write the label ourselves. There's no magic happening.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Create console when the rootfs is NULL

Add check whether handler->conf->console.path is 'none'
Signed-off-by: LiFeng <lifeng68@huawei.com>

Modify .gitignore

Add:
src/tests/lxc-test-api-reboot
src/tests/lxc-test-criu-check-feature
src/tests/lxc-test-raw-clone
src/tests/lxc-test-share-ns
src/tests/lxc-test-state-server
Signed-off-by: LiFeng <lifeng68@huawei.com>

doc: Update Japanese lxc-attach(1) and lxc.container.conf(5)

* Update for commit ba2be1a8 (attach: move pty allocation into api)
* Update for commit 5757588f (manpage: correct lxc.log.file conf option)
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

remove logically dead code
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

do not call close on bad fd
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>