- 09 Nov, 2017 2 commits
-
-
Austin Reichert authored
Signed-off-by: Austin Reichert <austinskyreichert@utexas.edu>
-
Christian Brauner authored
lxc-test-unpriv: fix the overlayfs mount error
-
- 08 Nov, 2017 2 commits
-
-
Serge Hallyn authored
API: add console ringbuffer extension
-
Po-Hsu Lin authored
This patch fixes the missing workdir issue for the overlayfs mount command in the lxc-test-unpriv test.
Bug link: https://bugs.launchpad.net/bugs/1730915
Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
-
- 07 Nov, 2017 3 commits
-
-
Serge Hallyn authored
cgroups/cgfsng: fixes, features, and improved cgroup2 handling
-
Serge Hallyn authored
storage: switch to ext4 as default fs
-
Serge Hallyn authored
attach: handle namespace inheritance
-
- 06 Nov, 2017 25 commits
-
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
If a console log file was specified this flag indicates whether the contents of the ringbuffer should be written to the logfile when a request is sent to the ringbuffer.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
When users request that the container keep a console ringbuffer we will not continuously write to the on-disk logfile as mirroring the contents of the in-memory ringbuffer on-disk is costly and complicated. Instead, we dump the ringbuffer contents on-disk when the container stops or fails to start. This way users can still diagnose problems or retrieve the last contents of the ringbuffer on-disk.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
This makes the whole setup more flexible.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
commands: add LXC_CMD_CONSOLE_LOG
Closes #1870.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
We want to be able to SIGKILL an Archlinux container.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
This fixes a bunch of bugs.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
We don't need to parse fuse.lxcfs entries.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
If we lack CAP_SYS_ADMIN this is really useful.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
We need to have lxc_attach() distinguish between a caller specifying specific namespaces to attach to and a caller not requesting specific namespaces. The latter is taken by lxc_attach() to mean that all namespaces will be attached. This also needs to include all inherited namespaces.
Closes #1890.
Closes #1897.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Closes #1899.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Closes #1899.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Stéphane Graber authored
start: only preserve CLONE_NEWCGROUP when supported
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
lxc/start.c: Fix legacy PR_{G,S}ET_NO_NEW_PRIVS handling
-
Peter Korsgaard authored
The configure checks for these use AC_CHECK_DECLS, which defines the symbol to 0 if not available - So adjust the code to match.
From the autoconf manual (https://www.gnu.org/software/autoconf/manual/autoconf-2.65/html_node/Generic-Declarations.html):
For each of the symbols (comma-separated list), define HAVE_DECL_symbol (in all capitals) to ‘1’ if symbol is declared, otherwise to ‘0’.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
-
- 05 Nov, 2017 1 commit
-
-
Serge Hallyn authored
confile: add lxc.namespace.<namespace-key> + add user namespace sharing + rework start logic
-
- 03 Nov, 2017 7 commits
-
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
  - Implement inheriting user namespaces.
  - When inheriting user namespaces make sure to not try and map ids again. The kernel will not allow you to do this.
  - Change clone() logic:
    1. If we inherit no namespaces simply call lxc_clone().
    2. If we inherit any namespaces call lxc_fork_attach_clone().
    Here's why:
    - Causes one syscall (fork()) instead of two syscalls (setns() to inherited namespace and setns() back to parent namespace) to be performed.
    - Allows us to get rid of a bunch of variables and helper functions/code.
    - Sharing a user namespace requires us to setns() to the inherited user namespace but the kernel does not allow reattaching to a parent user namespace. So the old logic made user namespace inheritance impossible. By using the lxc_fork_attach_clone() model we can simply setns() to the inherited user namespace in the fork()ed child and be done with it.
    The only thing we need to do is to specify CLONE_PARENT when calling clone() in lxc_fork_attach_clone() so that we can wait on the child.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
lxc-monitord is deprecated so this is expected to fail.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Brings the number of open fds in the monitor process for a standard container without ttys down to 17.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
This commit also gets rid of ~10 unnecessary file descriptors that were kept open. Before we kept open:
  - A set of file descriptors that refer to the monitor's namespaces. These were only used to reattach to the monitor's namespace in lxc_spawn() and were never used anywhere else. So close them and don't keep them around.
  - A list of inherited file descriptors.
  - A list of file descriptors referring to the container's namespaces to pass to lxc.hook.stop. This list duplicated inherited file descriptors.
Let's simply use a single list in the handler that has all file descriptors we need and get rid of all other ones.
As an illustration. Starting a container
1. Without this patch and looking at the fds that the monitor keeps open (26):
    chb@conventiont|~
    > ls -al /proc/27219/fd
    total 0
    dr-x------ 2 root root  0 Oct 29 14:30 .
    dr-xr-xr-x 9 root root  0 Oct 29 14:30 ..
    lrwx------ 1 root root 64 Oct 29 14:30 0 -> /dev/null
    lrwx------ 1 root root 64 Oct 29 14:30 1 -> /dev/null
    lrwx------ 1 root root 64 Oct 29 14:30 10 -> anon_inode:[signalfd]
    lrwx------ 1 root root 64 Oct 29 14:30 11 -> /dev/ptmx
    lrwx------ 1 root root 64 Oct 29 14:30 12 -> /dev/pts/10
    lr-x------ 1 root root 64 Oct 29 14:30 13 -> net:[4026532553]
    lrwx------ 1 root root 64 Oct 29 14:30 15 -> socket:[7909181]
    lrwx------ 1 root root 64 Oct 29 14:30 16 -> socket:[7909182]
    lr-x------ 1 root root 64 Oct 29 14:30 17 -> uts:[4026531838]
    lr-x------ 1 root root 64 Oct 29 14:30 18 -> ipc:[4026531839]
    lr-x------ 1 root root 64 Oct 29 14:30 19 -> net:[4026532009]
    lrwx------ 1 root root 64 Oct 29 14:30 2 -> /dev/null
    lr-x------ 1 root root 64 Oct 29 14:30 20 -> mnt:[4026532611]
    lr-x------ 1 root root 64 Oct 29 14:30 21 -> pid:[4026532612]
    lr-x------ 1 root root 64 Oct 29 14:30 22 -> uts:[4026532548]
    lr-x------ 1 root root 64 Oct 29 14:30 23 -> ipc:[4026532549]
    lr-x------ 1 root root 64 Oct 29 14:30 24 -> net:[4026532553]
    l-wx------ 1 root root 64 Oct 29 14:30 3 -> /var/log/lxc/a1.log
    lr-x------ 1 root root 64 Oct 29 14:30 4 -> uts:[4026532548]
    lr-x------ 1 root root 64 Oct 29 14:30 5 -> ipc:[4026532549]
    lr-x------ 1 root root 64 Oct 29 14:30 6 -> net:[4026532553]
    lrwx------ 1 root root 64 Oct 29 14:30 7 -> anon_inode:[eventpoll]
    lrwx------ 1 root root 64 Oct 29 14:30 9 -> socket:[7911594]
2. With this patch and looking at the fds that the monitor keeps open (19):
    chb@conventiont|~
    > ls -al /proc/28465/fd
    total 0
    dr-x------ 2 root root  0 Oct 29 14:31 .
    dr-xr-xr-x 9 root root  0 Oct 29 14:31 ..
    lrwx------ 1 root root 64 Oct 29 14:31 0 -> /dev/null
    lrwx------ 1 root root 64 Oct 29 14:31 1 -> /dev/null
    lr-x------ 1 root root 64 Oct 29 14:31 10 -> net:[4026532820]
    lrwx------ 1 root root 64 Oct 29 14:31 12 -> socket:[7912349]
    lrwx------ 1 root root 64 Oct 29 14:31 13 -> socket:[7912350]
    lr-x------ 1 root root 64 Oct 29 14:31 14 -> mnt:[4026532611]
    lr-x------ 1 root root 64 Oct 29 14:31 15 -> pid:[4026532813]
    lr-x------ 1 root root 64 Oct 29 14:31 16 -> uts:[4026532612]
    lr-x------ 1 root root 64 Oct 29 14:31 17 -> ipc:[4026532613]
    lr-x------ 1 root root 64 Oct 29 14:31 18 -> net:[4026532820]
    lrwx------ 1 root root 64 Oct 29 14:31 2 -> /dev/null
    l-wx------ 1 root root 64 Oct 29 14:31 3 -> /var/log/lxc/a1.log
    lrwx------ 1 root root 64 Oct 29 14:31 4 -> anon_inode:[signalfd]
    lrwx------ 1 root root 64 Oct 29 14:31 5 -> /dev/ptmx
    lrwx------ 1 root root 64 Oct 29 14:31 6 -> /dev/pts/10
    lrwx------ 1 root root 64 Oct 29 14:31 7 -> anon_inode:[eventpoll]
    lrwx------ 1 root root 64 Oct 29 14:31 9 -> socket:[7913041]
Relates to #1881.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
There's no obvious need to strdup() the name of the container in the handler. We can simply make this a pointer to the memory allocated in lxc_container_new().
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-