Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Fix 907

Hopefully this will avoid name collisions with any user binaries, since
criu is just an implementation detail.

Closes #907
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>

Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>

Fix console none migration

If we set lxc.console=none, this fd won't exist, so let's not fail if it
doesn't. We already partially handled this case correctly, so let's
actually handle it correctly :)
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>

We don't pass anything on the restore side since we didn't save anything,
but the restore side will expect something if we pass this. Instead, let's
not pass anything.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Better criu logging

In particular, when CRIU fails before it has its log completely initialized
(e.g. if the log directory doesn't exist, or if the argument parser fails),
it prints this to stdout. Let's log that.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>

Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

download: Bump to compat level 3

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

autodev: don't always create /dev/console

In particular, only create /dev/console when it is set to "none".
Otherwise, we will bind mount a pts device later, so let's just leave it.

Also, when bind mounting the pts device, let's create /dev/console if it
doesn't exist, since it may not already exist due to the above :)

v2: s/ot/to
v3: add O_EXCL so we actually get EEXIST, use the right condition for
    mount_console (we want to compare against console.path, not
    console.name, and console.path can be null)
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>

cgfsng: include sys/mount.h

We need to pass nosuid+nexec+nodev to remount to stop the kernel
from denying it.

When remounting the container's path read-write, use the right dest
path.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

for the define of RELATIME for android
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

to hopefully define RELATIME for android
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

2016 03 16/cgroupauto

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

If cgmanager is running, use it.  This allows the admin to simply
stop cgmanager if they don't want to use it.  The other way there
is no way to choose to use cgmanager.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Also add testcase for each of the cgroup{,-full}:{rw,ro,mixed} cases.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Prevent access to pci devices

Prevent privileged containers from messing with the host's pci devices
directly.  Refuse access under /proc/bus, and drop cap_sys_rawio.  Some
containers may need to re-enable cap_sys_rawio (i.e. if they run an
X server).

It may be desirable to break some of this stuff into files which can be
separately included (or not included), but this patch isn't the right
place for that.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

2016 03 15/nest

we're having it inserted in every config by the lxcapi_create
itself.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

build: fix build on android (and ppc)

The problem here is that dev_t on most platforms is `long unsigned`, but on
android (and ppc?) it's `long long unsigned`. Let's just upcast to `long
long unsigned` and use that format string to keep the compilers happy.

Safety first!
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>

Dont require dev console none

There are a few things going on in this patch.

1. /dev/console is an external mount since it is bind mounted from the
   host. However, we don't want to use criu's --ext-mount-map auto handling
   here, because that will bind mount exactly the same path from the host
   on restore, but if the pts device is different on the target host, we'll
   bind mount the wrong one, which is obviously wrong.

2. We need to tell CRIU how to restore the TTY. Since we declare the tty as
   --external, we need to provide it via --inherit-fd (even though we've
   already fixed up the environment).
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>

Various other functions/structures are now only used in criu.c, so let's
hide stuff there so as not to pollute headers.

This commit also bumps the required CRIU versions to 2.0. While we don't
*require* any features that aren't in 1.8 patchlevel 21 or above, 2.0 is a
vast improvement, and so we should use that instead.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

cgfsng: chmod the tasks and procns files

remove the hierarchy if the fullcgpath is NOT null.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
---
 Changelog - stgraber points out s/chgrp/chmod and wrong perms

cgfsng: get_cgroup_path: return the cgroup path not full mounted path