The 3.8 kernel now supporst uid mappings, so I believe it's appropriate
to proceed with this patchset.
The container config supports new entries of the form:
 lxc.id_map = U 100000 0 10000
 lxc.id_map = G 100000 0 10000
meaning map 'virtual' uids (in the container) 0-10000 to uids
100000-110000 on the host, and same for gids.  So long as there are
mappings specified in the container config, then CONFIG_NEWUSER will
be used when the container is cloned.  This means that container
setup is no longer done with root privilege on the host, only root
privilege in the container.  Therefore cgroup setup is moved from the
init task to the monitor task.

To use this patchset, you currently need to either use the raring
kernel at ppa:serge-hallyn/usern-natty, or build your own kernel
from either git://kernel.ubuntu.com/serge/quantal-userns.git.
(Alternatively you can use Eric's tree at the latest userns-always-map-*
branch at
git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace.git
but you will likely want to at least enable tmpfs mounts in user namespaces)

You also need to chown the files in the container rootfs into the
mapped range.  There is a utility at
https://code.launchpad.net/~serge-hallyn/+junk/nsexec to do this.
uidmapshift does the chowning, while the container-userns-convert
script nicely wraps that program.  So I simply

	sudo lxc-create -t ubuntu -n r1
	sudo container-userns-convert r1 200000

will create a container which is shifted so uid 0 in the container
is uid 200000 on the host.

TODO: when doing setuid(0), need to only do that if 0 is one of the
ids we map to.  Similarly, when dropping capabilities, need to only
not do that if 0 is one of the ids we map to.  However, the question
of what to do for 'weird' containers in private user namespaces is
one I'm punting for later.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

This is a first step to enabling user namespaces.  When starting a
container in a new user namespace, the child will not have the
rights to write to the cgroup fs.  (We can give it that right, but
don't always want to have to).

At the parent, we don't want to setup_cgroups() before the child
has set itself up.  But we also don't want to wait until it has
started running it's init, since that is racy.

Therefore introduce a new sync point.  The child will let the
parent know when it is ready to be confined, and wait for the
parent to respond that it has done so.  Then the child will finish
constraining itself with LSM and seccomp and execute init.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Always unblock parent when child setup fails, rather than just
exiting.

Also remove a duplicate call to setup_cgroup().  We'll want it
close to there for userns, but not right there - that's too late,
and could happen after container init has done something bad
without cgroup restrictions.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Make sure that when configuring containers that have interfaces containing
multiple IP addresses they are added in the order of the configuration file
(i.e. the first being the primary one) and not the reverse order.
Signed-off-by: Christian Seiler <christian@iwakd.de>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Ok...  Here's the patch again.  Since Serge is removing the loglevel
structure member, this patch no longer references that element.

From the original description:

1) Removes run_makedev() and the call to it from conf.c per discussion.

2) Adds an lxc.hook.autodev hook.

Note: This hook is very close (one routine level abstracted) from where
the run_makedev was called.  Anyone really rrreeeaaalllyyy needing
MAKEDEV can add it in with a small shim script to do whatever they want
under whatever distro they're using, so no functionality is lost there.

3) Added a number of environment variables for all the hook scripts to
reference to assist in execution.  Things like LXC_ROOTFS_MOUNT could be
very useful but others were added as well.  Room for more if anyone has
an itch.  All in one spot in lxc_start.c.

4) clearenv and putenv( "container=lxc" ) calls were moved to just after
the "start" hook in the container just prior to actually firing up the
container so we could use environment variables prior to that and have
them flushed them before firing up init.  Nice side effect is that you
can define environment variables and then call lxc-start and have them
show up in those hooks scripts.

5) I actually DID update the man page for lxc.conf!  I guess I lied when
I said I wouldn't get that done.

[... and ...]

I added the rcfile to the lxc_conf structure as suggested and moved the
setenv bundle from lxc-start.c over to start.c just prior to calling
run_lxc_hooks for the pre-start hook.
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

The options are still supported in the lxc configuration file.
However they are stored only in local variables in src/lxc/log.c,
which can be read using two new functions:
	int lxc_log_get_level(void);
	const char *lxc_log_get_file(void);

Changelog: jan 14:
 have lxc_log_init use lxc_log_set_file(), have lxc_log_set_file() take
 a const char *, and have it keep its own strdup'd copy of the filename.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

In a previous change I added an ifdef for HAVE_SYS_TIMERFD_h
rather than HAVE_SYS_TIMERFD_H, leading to a missing include of
sys/timerfd.h on platforms that support it and ultimately to a build
failure.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

The previous implementation of the openpty check was always returning
'no' as openpty is typically defined in util.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

This adds a local implementation of the bits we need form timerfd.h and
utmpx.h so that the LXC utmp watch can be used with libc that don't implement
the same functions as eglibc.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

This avoids conflict with the system header utmp.h.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

The Python.h header varies in location by distribution, so instead use
pkg-config to ensure the python3 devel package is installed. Tested with
Ubuntu 12.04 and Fedora 17. Fixes --enable-python on Fedora 17.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

This option allows user to control installation repository and options
using alternative pacman configuration file.
Also remove unnecessary sed invocation during container configuration.
Signed-off-by: Alexander Vladimirov <alexander.idkfa.vladimirov@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Following a comment on the mailing-list, I made utmp.h return -1
when it's disabled, the problem with that is that it prevents the
container from starting completely, which isn't quite what I wanted.

This change makes the function succeed, the container will therefore
start but without utmp handler.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

PR_CAPBSET_READ isn't defined in bionic, so define it if it's not.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

OL6 uses upstart init and needs a handler for the SIGPWR that
lxc-shutdown sends it so that a container can shut down cleanly.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

processing of -w or -r shifts an argument that isn't there, messing up
other argument processing
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

There's no good reason to call setup_mount_entries if we don't have any
lxc.mount.entry. This also avoids an issue on bionic where the tmpfile()
call in setup_mount_entries requires the presence of /tmp which isn't the
case by default.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

-lpthread doesn't exist and isn't necessary on bionic.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Bionic and maybe some other libc implementations lack the _r nss functions.
This replaces our current getpwnam_r and getpwuid_r calls by getpwnam and
getpwuid.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

__S_ISTYPE doesn't exist in all C libraries, so define it if it's missing.
Additionaly, replace one occurence where it wasn't actually needed.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Bionic (at least) is missing some of the usual mntent functions.
This adds code defining those that we need when they're missing from the C
library.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

At least bionic defines __errno, so this was causing a conflict in caps.h
leading to build failure. Renaming to ___errno avoids that conflicting
definition.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

strdupa appears to only exist in the standard glibc but at least not in bionic.
Replace the two strdupa calls we have by a standard strdup.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

alphasort doesn't have the right signature on bionic which causes the build to
fail. This implements a new bionic_alphasort function when building on bionic
providing the right signature and a functional equivalent of glibc's alphasort.

This signature problem with alphasort was fixed in upstream bionic but hasn't
been released yet. This commit can therefore be reverted as soon as the
following commit hits the Android NDK: 40e467ec668b59be25491bd44bf348a884d6a68d
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

This adds code detecting the presence of utmpx.h and in its absence, turns the
utmp related functions into no-ops.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Some libc implementation (bionic) is lacking some of the syscall functions
that are present in the glibc.

For those, detect at build time the they are missing and implement a minimal
syscall() wrapper that will essentially give the same result as the glibc
function.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Some platforms don't have personality.h in their C library, this change
adds buildtime detection for the header and turns off the personality setting
code in those cases.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

In the effort to make LXC work with non-standard Linux distros, this change
allows for the user to build LXC without capability support through a new
--disable-capabilities option to configure.

This effectively will cause LXC not to link against libcap and will turn all
the _cap_ functions into no-ops.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

bionic is missing an openpty() function, so ship our own and only
build it and use it on bionic.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

The clone() call in bionic is very slightly different.
This updates namespace.h to support both glibc and bionic.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

LO_FLAGS_AUTOCLEAR isn't defined on bionic, so add an extra ifndef
and set it to its usual value if it's not.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

While cross-building with bionic, a number of failures were triggered by some
missing includes and in a few cases by extra unused includes.

This commit updates the various headers based on those observations.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

get_current_dir_name appears to be specific to glibc. Replace that call
by an equivalent getcwd call.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

When building on bionic, -lrt and -lutil only cause a build failure.
Dropping those fixes the build, so it appears that the symbols are defined
in the main library.

This commit moves -lrt and -lutil under a !IS_BIONIC check.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Some libc implementations don't have the getline function but instead
have an equivalent fgetln function.

Add code to detect both and use whatever is available.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

ushort appears to be a glibc specific type which doesn't exist in
bionic, this commit simply replace all occurences by the equivalent
unsigned short type.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

This commit doesn't do any functional change to configure.ac but does a fair
amount of cleaning up.

It re-orders the various blocks by type (options, checks, expands, ...).
It also consistently uses tabs for indents.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>