Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Fix doc build warnings

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Couple of apparmor tweaks

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

2016 02 15/lognull

Otherwise after a shortcut on error we could end up trying to write
to the closed log fd.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

fname cannot be passed in as NULL by any of its current callers.  If it
could, then build_dir() would crash as it doesn't check for it.  So make
sure we are warned if in the future we pass in NULL.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

lxc-destroy: deal with ephemeral containers

- Ephemeral containers are destroyed on shutdown so we do not destroy them.
- Destroy ephemeral containers with clones: first destroy all the clones, then
  destroy the container.
- Ephemeral containers with snapshots cannot be easily handled but we can
  probably trust that no one will try to make snapshots of an ephemeral
  container.
Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>

silence lxc-copy as well when asked

Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>

lxc_destroy: be quiet if asked

As per https://bugs.launchpad.net/bugs/1543016.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

apparmor: don't fail if current aa label is given

Ideally a container configuration will specify 'unchanged' if
it wants the container to use the current (parent) profile.  But
lxd passes its current label.  Support that too.

Note that if/when stackable profiles exist, this behavior may
or may not be what we want.  But the code to deal with aa
stacking will need some changes anyway so this is ok.

With this patch, I can create nested containers inside a
lxd xenial container both using

lxc launch x2

and unprivileged

lxc-start -n x2
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

fix typo

Signed-off-by: benaryorg <binary@benary.org>

allow overlay lxc.mount.entry with no rootfs

Allow lxc.mount.entry entries for containers without a rootfs.
Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>

Comment the lxc_rootfs structure

Comment rootfs.path and rootfs.mount so people can better figure
out which to use.

Remove the unused pivotdir argument from setup_rootfs_pivot_root().
Remove the unused pivot member of the lxc_rootfs struct.  And just
return 0 (success) when someone passes a lxc.pivotdir entry.  One
day we'll turn that into an error, but not yet...
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

lxc-checkconfig: warn about fuse as well

Since we need fuse to run lxcfs, which is required by systemd, let's warn
about that as well.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>

no rootfs => mounts always relative to host's /

All lxc.mount.entry entries will be relative to the hosts / when a container
does not specify a lxc.rootfs.
Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>

move and rename mount_entry_create_aufs_dirs()

- The function mount_entry_create_aufs_dirs() moves from conf.c to
  lxcaufs.{c,h} where it belongs.
- In accordance with the "aufs_" prefix naming scheme for functions associated
  with lxcaufs.{c,h} mount_entry_create_aufs_dirs() becomes aufs_mkdir().
- Add aufs_get_rootfs() which returns the rootfs for an aufs lxc.rootfs.
Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>

Fix mount_entry_on_generic()

In mount_entry_on_generic() we dereferenced a NULL pointer whenever a container
without a rootfs was created. (Since mount_entry_on_systemfs() passes them with
NULL.) We have mount_entry_on_generic() check whether rootfs != NULL.

We also check whether rootfs != NULL in the functions ovl_mkdir() and
mount_entry_create_aufs_dirs() and bail immediately. Rationale: For overlay and
aufs lxc.mount.entry entries users give us absolute paths to e.g. workdir and
upperdir which we create for them. We currently use rootfs->path and the
lxcpath for the container to check that users give us a sane path to create
those directories under and refuse if they do not. If we want to allow overlay
mounts for containers without a rootfs they can easily be reworked.
Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>

Fix NULL-ptr derefs for container without rootfs

Since we allow containers to be created without a rootfs most checks in conf.c
are not sane anymore. Instead of just checking if rootfs->path != NULL we need
to check whether rootfs != NULL.

Minor fixes:
- Have mount_autodev() always return -1 on failure: mount_autodev() returns 0
  on success and -1 on failure. But when the return value of safe_mount() was
  checked in mount_autodev() we returned false (instead of -1) which caused
  mount_autodev() to return 0 (success) instead of the correct -1 (failure).
Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>

lxc-ls: exit 0 when path is not found

Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>

Remove legacy versions of lxc-ls

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

lxc-ls nowadays is a C binary so there's no need to keep the python and
shell versions around anymore, remove them from the branch and cleanup
documentation and Makefiles.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

apparmor: allow binding /run/{,lock/} -> /var/run/{,lock/}

Some systems need to be able to bind-mount /run to /var/run
and /run/lock to /var/run/lock. (Tested with opensuse 13.1
containers migrated from openvz.)
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>