Signed-off-by: Daniel Lezcano <daniel.lezcano@free.fr>

Signed-off-by: Daniel Lezcano <daniel.lezcano@free.fr>

Search for Lua if no --enable-lua/--disable-lua specified but continue
without if not found.

If --enable-lua is specified and Lua is not found then return error.

If --disable-lua is specified, then don't search for Lua.
Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Otherwise containers may be able to remount -o ro their rootfs
at shutdown.
Reported-by: Harald Dunkel <harri@afaics.de>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

When there is no --enable-lua or --with-lua-pc, Lua should not be
enabled.

This fixes a bug introduced with 12e93188 (configure/makefile:
Allow specify Lua pkg-config file with --with-lua-pc) that caused
configure script to fail if lua headers was missing.
Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

- remove lxc subdir in cgroup paths (done in commit b98f7d6e)
- remove extraneous debug printfs
- remove extra call to stats_clear
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Instead of popen and run external executable dirname we implement a
dirname in C in the core module.

We also remove the unused basename function.
Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

So we avoid running os.execute
Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Enable support for both Lua 5.1 and 5.2 by letting user specify the Lua
pkg-config package name. By default it will use 'lua' and try figure
out which version it is.
Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Adjust code for Lua 5.2 and keep compatibility with Lua 5.1.
Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
Acked-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
Acked-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

The lxc configuration file currently supports 'lxc.cap.drop', a list of
capabilities to be dropped (using the bounding set) from the container.
The problem with this is that over time new capabilities are added.  So
an older container configuration file may, over time, become insecure.

Walter has in the past suggested replacing lxc.cap.drop with
lxc.cap.preserve, which would have the inverse sense - any capabilities
in that set would be kept, any others would be dropped.

Realistically both have the same problem - the sendmail capabilities
bug proved that running code with unexpectedly dropped privilege can be
dangerous.  This patch gives the admin a choice:  You can use either
lxc.cap.keep or lxc.cap.drop, not both.

Both continue to be ignored if a user namespace is in use.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

(Except in cases where we will immediately exit)
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

We already add harware address for a single veth interface. Do the same
with a single macvlan interface.
Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Signed-off-by: S.Çağlar Onur <caglar@10ur.org>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

As with other files, update to be LGPL since these are part
of the lxc library.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

We wish to ensure that, henceforth, newer lxc tools are always compatible
with older lxc monitors.  Add a comment to commands.c to explain the
rule we wish to enforce to this end.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Reported-by: Filirom1
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Reported-by: tlc
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Signed-off-by: Dmitry Shachnev <mitya57@ubuntu.com>
Reported-by: Vincent Ladeuil
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Signalfd does not guarantee that we'll get an event for every signal.
So if 3 tasks exit at the same time, we may get only one sigchld
event.  Therefore, in signal_handler(), always check whether init has
exited.  Do with with WNOWAIT so that we can still wait4 to cleanup
the init after lxc_poll() exists (rather than complicating the code).

Note - there is still a race in the kernel which can cause the
container init to become a defunct child of the host init (!).  This
doesn't solve that, but is a potential (if very unlikely) race which
apw pointed out while we were trying to create a reproducer for the
kernel bug.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

otherwise a "$addr/$mask" results in failure.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Normal lxc-start usage tends to be "lxc-start -n name [-P lxcpath]".
This causes $lxcpath/$name/config to be the configuration for the
container.  However, lxc-start is more flexible than that.  You can
specify a custom configuration file, in which case $lxcpath/$name/config
is not used.  You can also (in addition or in place of either of these)
specify configuration entries one-by-one using "-s lxc.utsname=xxx".

To support this using the API, if we are not using
$lxcpath/$name/config then we put ourselves into a custom lxcpath
called (configurable using LXCPATH) /var/lib/lxc_anon.  To stop a
container so created, then, you would use

	lxc-stop -P /var/lib/lxc_anon -n name

TODO: we should walk over the list of &defines by hand and set them
using c->set_config_item.  I haven't done that in this patch.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

prior to my enabling of the clone hook, the setting of the hostname
was being done by writing to /etc/hostname.  Instead of relying on that
we're now writing 'local-hostname' into the metadata for the instance.

cloud-init then reads this and sets the hostname properly.

We are also writing /etc/hostname with the new hostname explicitly.  This is
useful/necessary because on network bringup of eth0, dhclient will submit its
hosname.  The updating done by cloud-init occurs to late, and thus
the dhcp request goes out with the un-configured hostname and dns doens't
work correctly.
Signed-off-by: Scott Moser <smoser@ubuntu.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

These are the last of the simpler conversions.  Start, execute,
kill, info and attach remain to be done.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Dwight Engen <dwight.engen@oracle.com>

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>