Some "/sys" entries exceeds buffer size.
This results to some statistics loss ('BlkIO' in particular):

 wc -c /sys/fs/cgroup/blkio/lxc/alt/blkio.throttle.io_service_bytes
 318 /sys/fs/cgroup/blkio/lxc/alt/blkio.throttle.io_service_bytes
Signed-off-by: Denis Pynkin <dans@altlinux.org>

Signed-off-by: Torsten Fohrer <tfohrer@googlemail.com>

Signed-off-by: Serge Hallyn <serge@hallyn.com>

In case of a container that is rebooting, freeing veth.pair.name here results in losing given veth.pair name
(Only if given lxc_netdev is reused).
Signed-off-by: Torsten Fohrer <tfohrer@googlemail.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

[stable-2.0] default password cleanup

Refs: #1158
Signed-off-by: Evgeni Golov <evgeni@debian.org>

Signed-off-by: Evgeni Golov <evgeni@debian.org>

closes #302
Signed-off-by: Evgeni Golov <evgeni@debian.org>

Fixing the typo making `suggest_default_idmap` open `subuidfile`
instead of `subgidfile` to read subgid information.
Signed-off-by: Pochang Chen <johnchen902@gmail.com>

We waste a lot of time waiting for Ubuntu containers to cleanly stop
right before we destroy them anyway.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf.c: In function 'lxc_assign_network':
conf.c:3096:25: error: '%lu' directive output may be truncated writing between 1 and 20 bytes into a region of size 19 [-Werror=format-truncation=]
   snprintf(pidstr, 19, "%lu", (unsigned long) pid);
                         ^~~
conf.c:3096:24: note: using the range [1, 18446744073709551615] for directive argument
   snprintf(pidstr, 19, "%lu", (unsigned long) pid);
                        ^~~~~
In file included from /usr/include/stdio.h:938:0,
                 from conf.c:35:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:64:10: note: format output between 2 and 21 bytes into a destination of size 19
   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        __bos (__s), __fmt, __va_arg_pack ());
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
confile.c: In function 'network_new_hwaddrs':
confile.c:2889:38: error: '%02x' directive output may be truncated writing between 2 and 8 bytes into a region of size 6 [-Werror=format-truncation=]
  snprintf(hwaddr, 18, "00:16:3e:%02x:%02x:%02x",
                                      ^~~~
confile.c:2889:23: note: using the range [0, 4294967295] for directive argument
  snprintf(hwaddr, 18, "00:16:3e:%02x:%02x:%02x",
                       ^~~~~~~~~~~~~~~~~~~~~~~~~
confile.c:2889:23: note: using the range [0, 4294967295] for directive argument
In file included from /usr/include/stdio.h:938:0,
                 from confile.c:24:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:64:10: note: format output between 18 and 36 bytes into a destination of size 18
   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        __bos (__s), __fmt, __va_arg_pack ());
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Not sure whether the latter is really a problem. We might need an additional
fix later on.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Tai Kedzierski <dch.tai@gmail.com>

Signed-off-by: Tai Kedzierski <dch.tai@gmail.com>

Checks if DOWNLOAD_KEYSERVER has already been set in the environment before setting a value
Signed-off-by: Tai Kedzierski <dch.tai@gmail.com>

Closes #1466
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Signed-off-by: otofune <otofune@gmail.com>

- already found /etc/localtime
- duplicate creation /etc/resolv.conf
Signed-off-by: otofune <otofune@gmail.com>

Signed-off-by: Serge Hallyn <serge@hallyn.com>

Some mirrors from the mirrors list are not very reliable and it seems
that no one really wants to use some random mirror as the default
option.
Signed-off-by: Jakub Jirutka <jakub@jirutka.cz>

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Signed-off-by: Harald Dunkel <harald.dunkel@aixigo.de>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Newer libseccomp has a flag called SCMP_FLTATR_ATL_TSKIP which
allows syscall '-1' (nop) to be executed.  Without that flag,
debuggers cannot skip system calls inside containers.  For reference,
see the seccomp(2) manpage, which says:

	The tracer can skip the system call by changing the system call  number  to  -1.

and see the seccomp issue #80
Signed-off-by: Serge Hallyn <serge@hallyn.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

The conversion algorithm used uses a clever trick by letting a year start at 1
March. So we need to add 1 for January and February.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Evgeni Golov <evgeni@debian.org>

Previously this hook did not work when cloning containers using an overlayfs snapshot as the LXC_ROOTFS_PATH didn't point to the actual filesystem that the container would see. LXC_ROOTFS_MOUNT should be used instead and in fact lxc.container.conf man page says that you usually would want to use the _MOUNT variant.
Signed-off-by: Matt Keeler <mjkeeler7@gmail.com>

This allows us to run LXC containers from within docker
Signed-off-by: McCabe, Robert J <Robert.McCabe@rockwellcollins.com>

The rest of the mounts can be restored normally.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>

Currently it is impossible to build lxc with --disable-capabilities if
the user has libcap-dev installed on his system as:
 - calls to cap_xxx functions are not protected by HAVE_LIBCAP defines.
 The whole file is only protected by HAVE_SYS_CAPABILITY_H.
 - AC_CHECK_LIB default action-if-found is overriden by [true] so
 HAVE_LIBCAP is never written to config.h

This patch replaces all HAVE_SYS_CAPABILITY_H checks by HAVE_LIBCAP
checks (fix #1361)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Without this patch, x32 guests (and no others) worked "natively" with x32
host lxc, but not on regular amd64 hosts.  That was especially problematic
as a number of ioctls such as those needed by netfilter don't work in such
scenarios, thus you want to run amd64 on the host.

With the patch, you can use all three ABIs: i386 x32 amd64 on amd64 hosts.

Despite x32 being little used, there's no reason to deny it by default:
the admin needs to compile their own kernel with CONFIG_X86_X32=y or (on
Debian) boot with syscall.x32=y.  If they've done so, it is a reasonable
assumption they want x32 guests.
Signed-off-by: Adam Borowski <kilobyte@angband.pl>

I found that even though the service lxc-net failed to start because I made some wrong configuration
settings the command exists zero.
So systemd reports the status of the service as good even though it failed:

    # service lxc-net status
    ● lxc-net.service - LXC network bridge setup
       Loaded: loaded (/lib/systemd/system/lxc-net.service; enabled)
       Active: active (exited) since Wed 2017-02-08 08:17:32 EST; 21min ago
      Process: 529 ExecStart=/usr/lib/x86_64-linux-gnu/lxc/lxc-net start (code=exited, status=0/SUCCESS)
     Main PID: 529 (code=exited, status=0/SUCCESS)
       CGroup: /system.slice/lxc-net.service

    Feb 08 08:17:30 dvm2 systemd[1]: Starting LXC network bridge setup...
    Feb 08 08:17:32 dvm2 lxc-net[529]: dnsmasq: failed to create listening socket for 10.2.2.1: Address already in use
    Feb 08 08:17:32 dvm2 lxc-net[529]: Failed to setup lxc-net.
    Feb 08 08:17:32 dvm2 systemd[1]: Started LXC network bridge setup.

Adding `exit 1` here makes it exit non-zero to make systemd recognize the failure.
Signed-off-by: Carsten Brandt <mail@cebe.cc>