- 30 Jan, 2015 17 commits
  - Michael Adam authored
    Signed-off-by: Michael Adam <obnox@samba.org>
    Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
  - Michael Adam authored
    Signed-off-by: Michael Adam <obnox@samba.org>
    Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
  - Michael Adam authored
    Signed-off-by: Michael Adam <obnox@samba.org>
    Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
  - Michael Adam authored
    Signed-off-by: Michael Adam <obnox@samba.org>
    Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
  - Michael Adam authored
    Signed-off-by: Michael Adam <obnox@samba.org>
    Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
  - Michael Adam authored
    Signed-off-by: Michael Adam <obnox@samba.org>
    Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
  - Michael Adam authored
    Signed-off-by: Michael Adam <obnox@samba.org>
    Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
  - Michael Adam authored
    Signed-off-by: Michael Adam <obnox@samba.org>
    Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
  - Michael Adam authored
    Signed-off-by: Michael Adam <obnox@samba.org>
    Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
  - Michael Adam authored
    Signed-off-by: Michael Adam <obnox@samba.org>
    Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
  - Michael Adam authored
    Signed-off-by: Michael Adam <obnox@samba.org>
    Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
  - Martin Pitt authored
    The permission to make a mount "slave" is spelt "make-slave", not "slave", see https://launchpad.net/bugs/1401619. Also, we need to make all mounts slave, not just the root dir. https://launchpad.net/bugs/1350947
  - Stéphane Graber authored
    Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
    Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
  - Stéphane Graber authored
    Just like we block access to mem and kmem, there's no good reason for the container to have access to kcore.
    Reported-by: Marc Schaefer
    Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
    Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
  - Natanael Copa authored
    Alpine Linux provides yaml files with latest release instead of the old approach with .latest.txt.
    Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
    Acked-by: Stéphane Graber <stgraber@ubuntu.com>
  - Michael Adam authored
    fedora-release has been split into fedora-release and fedora-repos.
    Signed-off-by: Michael Adam <obnox@samba.org>
    Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
  - Michael Adam authored
    This is to prevent systemd-journald from entering a 100% cpu loop.
    Signed-off-by: Michael Adam <obnox@samba.org>
    Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
- 29 Jan, 2015 2 commits
  - Stéphane Graber authored
    Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
  - Stéphane Graber authored
    Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
- 21 Jan, 2015 1 commit
  - hallyn authored
    big big login delays in CentOS 7 systemd
- 19 Dec, 2014 4 commits
  - Serge Hallyn authored
    In contrast to what the comment above the line disabling it said, it seems to work just fine. It also is needed on current kernels (until Eric's patch hits upstream) to prevent unprivileged containers from hosing fuse filesystems they inherit.
    Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
    Acked-by: Stéphane Graber <stgraber@ubuntu.com>
  - Serge Hallyn authored
    If a container has a bind mount from a host nfs or fuse filesystem, and does 'umount -f', it will disconnect the host's filesystem. This patch adds a seccomp rule to block umount -f from a container. It also adds that rule to the default seccomp profile. Thanks stgraber for the idea :)
    Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
    Acked-by: Stéphane Graber <stgraber@ubuntu.com>
  - Johannes Kastl authored
    lxc-opensuse: Disable building openSUSE containers on 13.2/Tumbleweed only if wrong version of build package is installed
    Signed-off-by: Johannes Kastl <git@ojkastl.de>
    Acked-by: Stéphane Graber <stgraber@ubuntu.com>
  - Johannes Kastl authored
    Signed-off-by: Johannes Kastl <git@ojkastl.de>
    Acked-by: Stéphane Graber <stgraber@ubuntu.com>
- 05 Dec, 2014 1 commit
  - Stéphane Graber authored
    Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
- 04 Dec, 2014 4 commits
  - Veres Lajos authored
    https://github.com/vlajos/misspell_fixer
    Signed-off-by: Veres Lajos <vlajos@gmail.com>
    Acked-by: Stéphane Graber <stgraber@ubuntu.com>
  - S.Çağlar Onur authored
    Signed-off-by: S.Çağlar Onur <caglar@10ur.org>
    Acked-by: Stéphane Graber <stgraber@ubuntu.com>
  - Shuai Zhang authored
    There are now two (permitted) ways to add data to netlink message:
    1. put_xxx()
    2. call nlmsg_reserve() to get a pointer to newly reserved room within the original netlink message, then write or memcpy data to that area.
    Both of them guarantee adding requested length data does not overflow the pre-allocated message buffer by checking against its cap field first. And there may be no need to access nlmsg_len outside nl module, because both put_xxx() and nlmsg_reserve() have already done that for us.
    Signed-off-by: Shuai Zhang <zs.broccoli@gmail.com>
    Acked-by: Stéphane Graber <stgraber@ubuntu.com>
  - Arjun Sreedharan authored
    when waitpid() is interrupted, errno is not set to the negative value -EINTR. It is set to EINTR. check against EINTR.
    Signed-off-by: Arjun Sreedharan <arjun024@gmail.com>
    Acked-by: Stéphane Graber <stgraber@ubuntu.com>
- 03 Dec, 2014 2 commits
  - Shuai Zhang authored
    Signed-off-by: Shuai Zhang <zs.broccoli@gmail.com>
    Acked-by: Stéphane Graber <stgraber@ubuntu.com>
  - Stéphane Graber authored
    The previous error message made it look like the host interface name was the concatenation of both the host and guest interface names. Closes #374
    Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
- 02 Dec, 2014 9 commits
  - KATOH Yasufumi authored
    This commit fixes two issues at the time of clone:
    * unnecessary directory is created when clone between overlayfs/aufs
    * clone failed when the end of rootfs path is not "/rootfs"
    Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
    Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
  - KATOH Yasufumi authored
    This patch creates workdir as "olwork", and retries mount with workdir option when mount fails. It is used to prepare files before atomically switching with destination, and needs to be on the same filesystem as upperdir. It's OK for it to be empty.
    Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
    Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
  - Serge Hallyn authored
    Currently when we clone a container, bdev_copy passes NULL as dst argument of bdev_init, then sees bdev->dest (as a result) is NULL, and sets bdev->dest to $lxcpath/$name/rootfs, so $ops->clone_paths() can assume that "/rootfs" is at the end of the path. The overlayfs and aufs clonepaths do assume that and index to endofstring-6 and append delta0. Let's be more robust by actually finding the last / in the path.
    Then, instead of always setting oldbdev->dest to $lxcpath/$name/rootfs, set it to oldbdev->src. Else dir_clonepaths fails when mounting src onto dest bc dest does not exist. We could also fix that by creating bdev->dest if needed, but that adds an empty directory to the old container.
    This fixes 'lxc-clone -o x1 -n x2' if x1 has lxc.rootfs = /var/lib/lxc/x1/x and makes the overlayfs and aufs paths less fragile should something else change.
    Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
    Acked-by: Stéphane Graber <stgraber@ubuntu.com>
  - Casey Marshall authored
    Ran into this when trying to automate stgraber's "GUI in containers" post.
    Signed-off-by: Casey Marshall <casey.marshall@canonical.com>
    Acked-by: Stéphane Graber <stgraber@ubuntu.com>
  - Johannes Kastl authored
    Signed-off-by: Johannes Kastl <git@ojkastl.de>
    Acked-by: Stéphane Graber <stgraber@ubuntu.com>
  - Cameron Norman authored
    Signed-off-by: Cameron Norman <camerontnorman@gmail.com>
    Acked-by: Stéphane Graber <stgraber@ubuntu.com>
  - Cameron Norman authored
    Do as much as possible to allow containers switching from non-systemd to systemd to work as intended (but nothing that will cause side effects).
    Use update-rc.d disable instead of remove so the init scripts are not re-enabled when the package is updated
    Signed-off-by: Cameron Norman <camerontnorman@gmail.com>
    Acked-by: Stéphane Graber <stgraber@ubuntu.com>
  - Antonio Terceiro authored
    Containers with systemd need a somewhat special setup, which I borrowed and adapted from lxc-fedora. These changes are required so that Debian 8 (jessie) containers work properly, and are a no-op for previous Debian versions.
    Signed-off-by: Antonio Terceiro <terceiro@debian.org>
    Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
  - Gu1 authored
    Fix a typo in the lines inserted in the default sources.list. Change the default mirror to http.debian.net which is (supposedly) more accurate and better than cdn.debian.net for a generic configuration. Use security.debian.org directly for the {release}/updates repository.
    Signed-off-by: Gu1 <gu1@aeroxteam.fr>
    Acked-by: Stéphane Graber <stgraber@ubuntu.com>