Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

cgfsng: chmod the tasks and procns files

remove the hierarchy if the fullcgpath is NOT null.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
---
 Changelog - stgraber points out s/chgrp/chmod and wrong perms

cgfsng: get_cgroup_path: return the cgroup path not full mounted path

Add a temporary workaround for talking to containers started with the
buggy monitor.  We can remove it sometime after 2.0 release.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Cgfsng fixes

cgroup_escape() is a slight abuse of the cgroup code: what we really want
here is to escape the *current* process, whether it happens to be the LXC
monitor or not, into the / cgroups.

In the case of dump, we can't do an lxc_init(), because:

lxc 20160310103501.547 ERROR    lxc_commands - commands.c:lxc_cmd_init:993 - ##
lxc 20160310103501.547 ERROR    lxc_commands - commands.c:lxc_cmd_init:994 - # The container appears to be already running!
lxc 20160310103501.547 ERROR    lxc_commands - commands.c:lxc_cmd_init:995 - ##

We don't want to make this a command to send to the handler, because again,
cgroup_escape() is intended to escape the *current* task to the root
cgroups.

So, let's just have cgroup_escape() build its own handler when required.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>

This is no longer needed outside of criu.c with the ->migrate API call, so
let's mark it that way.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>

lxc-attach: update and improve tests

Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

2016 03 08/batch

Our mkdir_p ignore eexist, and of course we want that for
upper path components, but the final directory itself must
not already exist.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

read_file was using the wrong value for the string length.  Also,
realloc on i386 is wonky with small sizes - so use a batch size
to avoid small reallocs.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

tests: set clone_children if need be

Lxc only sets it on /lxc, not on /.

It's conceivable that we should really re-set this to the original
value, to prevent making later tests not fail when they should.  I
didn't do that.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

cgfsng: set cpuset clone_children if needed

Sigh.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

cgfsng: enter/escape error msgs: differentiate and add errno

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Remove trailing newlines in log

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

prevent containers from reading /sys/kernel/debug

Unprivileged containers cannot read it anyway, but also prevent root
owned containers from doing so.  Sadly upstart's mountall won't run
if we try to prevent it from being mounted at all.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

cgfsng: next generation filesystem-backed cgroup implementation

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Fix apparmor

Execute script lxc-devsetup also with sysvinit and upstart.

Some changes happened but the final profiles weren't generated...
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

This reverts commit 833bf9c2.

This change wasn't actually safe and is now superseded by the cgns profile.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Note this is printing to stdout because it runs before logging is setup.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

We may need to revert this, but I *think* we no longer need this
with default configs.  The idea iirc was that if caller cannot
write to devices.allow (i.e. is in a user namespace), then ignore
permission failures if the cgroups are already sufficiently setup.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Added ALTLinux distribution.

so that container root can create sub-cgroups
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>