- 26 Feb, 2016 3 commits
-
-
KATOH Yasufumi authored
Update the description of pty allocation. Update for commit 478dda76. Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
-
Serge Hallyn authored
start: setsid in init task as well
-
Tycho Andersen authored
If we don't do this, we'll leak the parent's session id to the container, which maybe doesn't matter, but it still seems better to set it anyway. Also, it breaks CRIU for containers that don't call setsid themselves. Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
-
- 25 Feb, 2016 11 commits
-
-
Serge Hallyn authored
lxc-attach: rework pty allocation
-
Stéphane Graber authored
cgfs: make sure we use valid cgroup mountpoints
-
Serge Hallyn authored
If lxcfs starts before cgroup-lite, then the first cgroup mountpoints in /proc/self/mountinfo are /run/lxcfs/*. Unprivileged users cannot access these. So privileged containers are ok, and unprivileged containers are ok since they won't cache those to begin with. But unprivileged root-owned containers cache /run/lxcfs/* and then try to use them. So when doing cgroup automounting check whether the mountpoints we have stored are accessible, and if not look for a new one to use. Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
Christian Brauner authored
Previously we implemented two ways to get a pty for lxc-attach:
  1. get a pty in the container
  2. get a pty on the host
Where 1. was the default and 2. was only tried after 1. failed. For safety and simplicity reasons, we remove 1. and just keep 2. around. Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>
-
Christian Brauner authored
Update Japanese man
-
KATOH Yasufumi authored
  - Add the description that automount is ignored when cgroup namespaces are supported. Update for commit 4608594e.
  - Unify terminology of translation
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
-
KATOH Yasufumi authored
describe that lxc-clone and lxc-start-ephemeral have been deprecated in those man pages. Update for commit 2ae6732f. Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
-
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
-
Stéphane Graber authored
cgfs: do not automount if cgroup namespaces are supported
-
Serge Hallyn authored
In that case containers will be able to mount cgroup filesystems for themselves as they do on a host. This fixes inability to start systemd based containers on cgns-enabled kernels with cgmanager not running. I've tested debian jessie, busybox, ubuntu trusty and xenial, all of which booted ok. However if there are some setups which require premounted cgroupfs (i.e. they don't mount if they detect being in a container), this may cause trouble. Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
Stéphane Graber authored
configure.ac: add --enable-deprecated flag
-
- 24 Feb, 2016 5 commits
-
-
Christian Brauner authored
  - lxc-clone and lxc-start-ephemeral are marked deprecated. We add a --enable-deprecated flag to configure.ac allowing us to enable these deprecated executables
  - update tests to use lxc-copy instead of lxc-clone
Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>
-
Christian Brauner authored
  - add deprecation note to man pages
  - print deprecation info to stderr when the executables are invoked
Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>
-
Christian Brauner authored
Update Japanese man
-
KATOH Yasufumi authored
Update for commit 02e5d92b. Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
-
KATOH Yasufumi authored
Update for commit e986ea3d. Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
-
- 23 Feb, 2016 3 commits
-
-
Stéphane Graber authored
update manpages
-
Christian Brauner authored
  - add note to lxc-clone manpage that it is superseded by lxc-copy
  - add note to lxc-start-ephemeral manpage that it is superseded by lxc-copy
  - fix typo in lxc-attach manpage
  - fix some of my comments in lxc_ls.c
Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>
-
Stéphane Graber authored
update lxc-attach manpage
-
- 22 Feb, 2016 12 commits
-
-
Christian Brauner authored
  - explain rationale behind allocation of pty
  - briefly explain how a pty is allocated
  - add a short note that describes the changed behavior for lxc-attach when the user is not placed in a writeable cgroup at login
Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>
-
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
-
Stéphane Graber authored
lxc-attach: add comment, & implement login_tty()
-
Christian Brauner authored
  - The code required to prepare an fd to act as a login tty is shared among pty_on_host_callback() and fork_pty(). This implements login_pty(), a minimalistic login_tty() clone, to avoid code redundancy.
  - Give pty_in_container() a slightly extended comment.
Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>
-
Stéphane Graber authored
doc: Add Japanese description of cgns apparmor profile in lxc.container.conf(5)
-
KATOH Yasufumi authored
Update for commit 7a126ae1. Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
-
Stéphane Graber authored
2016 02 21/cgns.aa
-
Serge Hallyn authored
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
Serge Hallyn authored
Also document 'unchanged' which we had never documented before. Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
Serge Hallyn authored
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
Serge Hallyn authored
Because containers need to - and safely can - mount cgroupfs in that case. Note that if cgns is enabled but the unshare fails, we fail the container start, so checking whether they are enabled is enough. Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
Serge Hallyn authored
This isn't safe for privileged containers which do not use cgroup namespaces, but is required for systemd containers with cgroup namespaces. So create a new profile for it which lxc will use as the default when it knows it can. Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-
- 21 Feb, 2016 6 commits
-
-
Stéphane Graber authored
fix android build
-
Christian Brauner authored
bionic libc doesn't know _Exit(). Replace it with _exit(). Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>
-
Serge Hallyn authored
make lxc-attach use a pty
-
Christian Brauner authored
So far lxc-attach did not use a pty when attaching to a container. This made it vulnerable to tty input faking via TIOCSTI when switching to a different user. This patch makes lxc-attach use a pty in most cases. The only current exemption is when stdin, stdout, and stderr are not referring to a pty.
There are two ways how lxc-attach can receive a pty:
  1. get a pty in the container
  2. get a pty on the host
This patch makes 1. the default and only opts for 2. when 1. fails before giving up. The rationale behind this is as follows: If we create a pty on the host (2.) and pass the fds to the container the container may report "no tty" when the "tty" command is used. This could be irritating for users when they expect that lxc-attach now always tries to use a pty. Hence, option 1. is the default. Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>
-
Christian Brauner authored
lxc_console_cb_tty_masterfd() unnecessarily reported a read/write error when the fd was closed. This happens e.g. when we have allocated a tty in the container with lxc-console and we shut the container down. lxc-console will then exit with an error message. This patch introduces a test whether the EPOLLHUP bit is set in the events mask. If so, we report no error. Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>
-
Christian Brauner authored
Make lxc_console_set_stdfds useable by other callers that do not have access to lxc_handler. Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>
-