Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

lxccontainer: truncate config file

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

pam: Fix missing symbols in module

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Rename ifup/down and remove usless parameter passing

remove leading whitespace from log files

Signed-off-by: Felix <de-ch@hotmail.de>

This has annoyed me for a long time, 3.0 seems like the time to fix it :).

I think the way that the log prefix was intended to be used was perhaps a
dynamic prefix per file, but we don't do that today; we include the
filename later in the log message. Instead, we use it as the tool name,
which for liblxc is always "lxc", but could also be things like
"lxc-cgroup" or whatever. There is absolutely no reason to pad this, since
it is always the same for every log file (in fact, we could probably get
rid of the prefix all together, but that seems slightly more drastic).

Instead, let's just drop this padding. Hopefully this will save thousands
of hours of slight annoyance and right scrolling in various pastebins.
Signed-off-by: Tycho Andersen <tycho@tycho.ws>

NVIDIA hook improvements

The "display" driver capability will expose /dev/nvidia-modeset:
https://github.com/NVIDIA/libnvidia-container/commit/9398d41d9f571578d6543703d287b014bcf1bb8c

The "--ldcache" argument allows overriding the location of the DSO cache:
https://github.com/NVIDIA/libnvidia-container/commit/41656bf9ed71448972f3254a10ceb3c53225a4e6

The "--root" argument allows nvidia-container-cli to execute in a different rootfs:
https://github.com/NVIDIA/libnvidia-container/commit/019fdc14e325eea55fbe0397a581bda9d0c4c5b1Signed-off-by: Felix Abecassis <fabecassis@nvidia.com>

For a reason that I don't understand, the profile transition needs to
be done on the current process. Changing the attributes for a
subsequent execve(2) (with /proc/self/attr/exec) will cause the kernel
to set AT_SECURE in the auxiliary vector and thus secure_getenv(3)
inside libnvidia-container will return NULL.
Signed-off-by: Felix Abecassis <fabecassis@nvidia.com>

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

tools: fix container use-after-free

Fields daemonize and error_num were being called after the
lxc_container_put.
Signed-off-by: Felix Abecassis <fabecassis@nvidia.com>

doc: Remove aufs in Japanese man pages

* and tweak English lxc-copy(1)
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>

tree-wide: remove aufs storage driver

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

We've announced quite a while back and printed out errors and warning everytime
someone used the aufs driver.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

fix handler use-after-free

The problem here is that __lxc_start frees the handler, so any use
afterwards is invalid. Since we don't have access to the actual struct
lxc_container object in __lxc_start, let's pass a pointer to error_num in
so it can be returned.

Unfortunately, I'm a little too paranoid to change the return type of
lxc_start, since it returns failure if some of the cleanup fails, which
may be useful in some cases. So let's keep this out of band.

Closes #2218
Closes #2219
Reported-by: Felix Abecassis <fabecassis@nvidia.com>
Signed-off-by: Tycho Andersen <tycho@tycho.ws>

conf: do not run the "mount" hooks twice

Regression introduced by 8353b4c9Signed-off-by: Felix Abecassis <fabecassis@nvidia.com>

conf: fix clang warning when building w/o libcap

when compiling lxc with clang-5.0 parse_cap()'s main loop will produce a
warning about a tautological comparision (#2215).

By moving the result of computation into a variable (end) this is no
longer a constant expression. clang-5.0 does not do dataflow analysis at
this point, so it is, to quote someone from #llvm, "morally equivalent"
to casting `(int)i`.

in addition, we also clean up the #if HAVE_LIBCAP to no longer need
its #else branch!
Signed-off-by: Igor Galić <igor.galic@automatic-server.com>

tools: fix usage of boolean function set_config_item

Signed-off-by: Felix Abecassis <fabecassis@nvidia.com>

Revert "cgroups: don't escape if we're not real root"

This reverts commit 8d961e28.

Unfortunately I don't believe the check is correct in the general case.
Signed-off-by: Serge Hallyn <shallyn@cisco.com>

cgroups: don't escape if we're not real root

If we're host unpriv but root in our userns, we can't really escape
cgroups. Let's switch the cgroup escape test to reflect this.
Signed-off-by: Tycho Andersen <tycho@tycho.ws>

usernsexec: init log fd

lxc-usernsexec uses some functions (e.g. lxc_map_ids()), which are part of
the lxc library and thus use the WARN etc. macros to emit log messages.
However, it doesn't initialize the log in any way, so these messages go
into the ether.

lxc-usernsexec currently has no log parameters, so let's just log these to
stderr. Someone can do something fancier later if they want.
Signed-off-by: Tycho Andersen <tycho@tycho.ws>

tools: Include config.h in tool_utils.c

Since we do not include config.h, personality is not set. This is fix
it. See issue #2208.
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>

Add a workaround for a build issue with old versions of libcap