Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Assuming a particular width of a type (or equivalence with "long") doesn't
work everywhere.  On new architectures, LFS/etc is enabled by default,
making rlim_t same as rlim64_t even if long is only 32-bit.

Not sure how you handle too big values -- you may want to re-check the
strtoull part.
Signed-off-by: Adam Borowski <kilobyte@angband.pl>

Both of struct timespec fields are 64-bit on any new architecture, even
32-bit ones.
Signed-off-by: Adam Borowski <kilobyte@angband.pl>

This template would always add "en-US.UTF-8" to the end of the container's locale.gen, which in turn confused locale-gen.
Signed-off-by: Fridtjof Mund <fridtjofmund@gmail.com>

Seems a bit invasive for a bugfix release.

This reverts commit f9d14b54.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

The kernel only allows 4k writes to most files in /proc including {g,u}id_map
so let's not try to write partial mappings. (This will obviously become a lot
more relevant when my patch to extend the idmap limit in the kernel is merged.)
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

liblxc should inform users that they are using a devel version. This will have
liblxc print

    MAJOR.MINOR.PATCH-devel

if LXC_DEVEL is true and

    MAJOR.MINOR.PATCH

otherwise.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Before exec()ing we need to become session leader otherwise some shells will
not be able to correctly initialize job control.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

With the release LXC 2.1 we started warning users who use LXC through the API
and users who use LXC through the tools equally about updating their config.
This quickly got confusing and annoying to API users who e.g. generate configs
on the fly (e.g. LXD). So instead of unconditionally warning users we make this
opt-in. If LXC detects that the env variable LXC_UPDATE_CONFIG_FORMAT is set
then it will warn the user if any legacy configuration keys are present. If it
is not set however, it will not warn the user. This is ok, since the log will
still log WARN()s for all legacy configuration keys.
The tools will all set LXC_UPDATE_CONFIG_FORMAT since it is very much required
that users update to the new configuration format pre-LXC 3.0.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

```
    # this only works if we have getty@.service to manipulate
    if [ -f "${rootfs}/lib/systemd/system/getty@.service" ]; then
       sed -e 's/^ConditionPathExists=/# ConditionPathExists=/' \
           -e 's/After=dev-%i.device/After=/' \
           < "${rootfs}/lib/systemd/system/getty@.service" \
           > "${rootfs}/etc/systemd/system/getty@.service"
    fi
```
we have only /dev/tty in a container - so this little cutie will spam the log all 10s with the following:

```
Jul 28 22:33:00 mariadb systemd[1]: getty@tty4.service: Service has no hold-off time, scheduling restart.
Jul 28 22:33:00 mariadb systemd[1]: getty@tty3.service: Service has no hold-off time, scheduling restart.
Jul 28 22:33:00 mariadb systemd[1]: getty@tty1.service: Service has no hold-off time, scheduling restart.
Jul 28 22:33:00 mariadb systemd[1]: getty@tty2.service: Service has no hold-off time, scheduling restart.
Jul 28 22:33:00 mariadb systemd[1]: Stopped Getty on tty2.
Jul 28 22:33:00 mariadb systemd[1]: getty@tty2.service: Failed to set invocation ID on control group /system.slice/system-getty.slice/getty@tty2.service, ignoring: Operation not permitted
Jul 28 22:33:00 mariadb systemd[1]: Started Getty on tty2.
Jul 28 22:33:00 mariadb systemd[1]: Stopped Getty on tty1.
Jul 28 22:33:00 mariadb systemd[1]: getty@tty1.service: Failed to set invocation ID on control group /system.slice/system-getty.slice/getty@tty1.service, ignoring: Operation not permitted
Jul 28 22:33:00 mariadb systemd[1]: Started Getty on tty1.
Jul 28 22:33:00 mariadb systemd[1]: Stopped Getty on tty3.
Jul 28 22:33:00 mariadb systemd[1]: getty@tty3.service: Failed to set invocation ID on control group /system.slice/system-getty.slice/getty@tty3.service, ignoring: Operation not permitted
Jul 28 22:33:00 mariadb systemd[1]: Started Getty on tty3.
Jul 28 22:33:00 mariadb systemd[1]: Stopped Getty on tty4.
Jul 28 22:33:00 mariadb systemd[1]: getty@tty4.service: Failed to set invocation ID on control group /system.slice/system-getty.slice/getty@tty4.service, ignoring: Operation not permitted
Jul 28 22:33:00 mariadb systemd[1]: Started Getty on tty4.
Jul 28 22:33:00 mariadb agetty[242]: /dev/tty1: cannot open as standard input: No such file or directory
Jul 28 22:33:00 mariadb agetty[241]: /dev/tty2: cannot open as standard input: No such file or directory
Jul 28 22:33:00 mariadb agetty[244]: /dev/tty4: cannot open as standard input: No such file or directory
Jul 28 22:33:00 mariadb agetty[243]: /dev/tty3: cannot open as standard input: No such file or directory
Jul 28 22:33:10 mariadb systemd[1]: getty@tty4.service: Service has no hold-off time, scheduling restart.
Jul 28 22:33:10 mariadb systemd[1]: getty@tty2.service: Service has no hold-off time, scheduling restart.
Jul 28 22:33:10 mariadb systemd[1]: getty@tty1.service: Service has no hold-off time, scheduling restart.
Jul 28 22:33:10 mariadb systemd[1]: getty@tty3.service: Service has no hold-off time, scheduling restart.
Jul 28 22:33:10 mariadb systemd[1]: Stopped Getty on tty3.
Jul 28 22:33:10 mariadb systemd[1]: getty@tty3.service: Failed to set invocation ID on control group /system.slice/system-getty.slice/getty@tty3.service, ignoring: Operation not permitted
Jul 28 22:33:10 mariadb systemd[1]: Started Getty on tty3.
Jul 28 22:33:10 mariadb systemd[1]: Stopped Getty on tty1.
Jul 28 22:33:10 mariadb systemd[1]: getty@tty1.service: Failed to set invocation ID on control group /system.slice/system-getty.slice/getty@tty1.service, ignoring: Operation not permitted
Jul 28 22:33:10 mariadb systemd[1]: Started Getty on tty1.
Jul 28 22:33:10 mariadb systemd[1]: Stopped Getty on tty2.
Jul 28 22:33:10 mariadb systemd[1]: getty@tty2.service: Failed to set invocation ID on control group /system.slice/system-getty.slice/getty@tty2.service, ignoring: Operation not permitted
Jul 28 22:33:10 mariadb systemd[1]: Started Getty on tty2.
Jul 28 22:33:10 mariadb systemd[1]: Stopped Getty on tty4.
Jul 28 22:33:10 mariadb systemd[1]: getty@tty4.service: Failed to set invocation ID on control group /system.slice/system-getty.slice/getty@tty4.service, ignoring: Operation not permitted
Jul 28 22:33:10 mariadb systemd[1]: Started Getty on tty4.
Jul 28 22:33:10 mariadb agetty[245]: /dev/tty3: cannot open as standard input: No such file or directory
Jul 28 22:33:10 mariadb agetty[247]: /dev/tty2: cannot open as standard input: No such file or directory
Jul 28 22:33:10 mariadb agetty[246]: /dev/tty1: cannot open as standard input: No such file or directory
Jul 28 22:33:10 mariadb agetty[248]: /dev/tty4: cannot open as standard input: No such file or directory
```
if more reasons are whished i could attach the logs from 10 containers after one month runtime. (approx 30G)
Signed-off-by: Alf Gaida <agaida@siduction.org>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

mem and kmem are really in /dev, so this does us no good.
Signed-off-by: Tycho Andersen <tycho@tycho.ws>

We need to clear any ifindeces we recorded so liblxc won't have cached stale
data which would cause it to fail on reboot we're we don't re-read the on-disk
config file.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Otherwise we can never share namespaces.
Signed-off-by: LiFeng <lifeng68@huawei.com>
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>

We can't rely in general on the presence of an initialized conf on cgroup init
time. One good example are our criu codepaths.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>

Closes #1827.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Update for commit e3dd06efSigned-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>

So far, we silently skipped over limits that failed to be applied which is very
odd. Let's error on when cgroup limits fail to apply.

Closes #1815.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Closes #1818.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Because the `fetch` wget wrapper outputs files to stdout we may end up in a
situation where wget fails but the files are still created. This can happen
e.g. when the host date is out of sync leading to a failed certificate
check, resulting in the creation of empty key files.

Once the empty files have been created the template will try to use them which
causes the certificate check to fail.

By using `-s` instead of `-f` the template will re-fetch the files unless they
exist AND have a size greater than zero.
Signed-off-by: Rune Juhl Jacobsen <runejuhl@petardo.dk>

- rework and fix pipe fd leak
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

The hooks (e.g. lxc.hook.mount) should have the environment variables the user
gave us available.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

To match names beginning with the letters "f" or "b" one can use
the regular expression "[fb].*" or "(f|b).*", but not "[f|b].*",
which would match strings beginning with "f", "|", or "b".
Signed-off-by: Christian von Roques <roques@z12.ch>

Since some remounts/umounts is executed in the plamo shutdown script,
the filesystem on where a container exists might be mount as
read-only. This patch delete some mounts and umounts from the shutdown
script. It also delete hwclock setting process.

And delete an unncecessary output.
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>

When the "lxc.rootfs.path" property is not set and users request a container
copy we would segfault since strstr() would be called on a NULL pointer.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

This is technically not necessary but it is a privilege sensitive operation.
Meaning if anyone wants to do something that requires privilege it should be
done before the id switch. So let's move the id switch immediately before the
exec so that it's called at the last possible moment.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>