improve LXC_CMD_GET_CGROUP compatibility

When a newer lxc library communicates with an older one
(such as running an lxc 4.0 lxc-freeze on a longer running
container which was started while lxc was still at version
3), the LXC_CMD_GET_LIMITING_CGROUP command is not
available, causing the remote to just close the socket.
Catch this and try the previous command instead.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

Merge pull request #3411 from brauner/master

console: only create detached mount when a console is requested

console: only create detached mount when a console is requested

otherwise weird things might happen.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3410 from brauner/2020-05-13/fixes

reboot fixes

log: cleanup syslog handling

Disable and enable syslog around lxc_check_inherited().

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

start: cleanup file descriptor inheritance

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

start: fix container reboot

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxccontainer: use close_prot_errno_disarm() on state_socket_pair

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

start: remove unused lxc_zero_handler()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxccontainer: small cleanup to lxc_check_inherited() calls

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3408 from brauner/2020-05-11/fixes

network: fix key ordering independence

confile: fix order independence of network keys

We need to make sure we don't overwrite values when they have already been set.

Closes: #3405.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tools/lxc-ls: shut up lgtm more

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3403 from brauner/2020-05-07/fixes

fixes

tools/lxc-ls: shutup lgtm

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

yum: remove unused module

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tree-wide: this is all rather TODO than FIXME

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3399 from brauner/2020-05-09/compiler_hardening

compiler: more hardening

compiler: support new access attributes

which will allow us to catch more oob accesses.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

gcc: add -Warray-bounds, -Wrestrict, -Wreturn-local-addr, -Wstringop-overflow

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3398 from brauner/2020-05-04/fixes

terminal: remove unneeded if condition

terminal: remove unneeded if condition

Fixes: Coverity 1461742.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3397 from brauner/2020-05-03/fixes

conf: introduce userns_exec_mapped_root()

conf: support console setup on containers without rootfs

This depends on the new mount api.

Closes #3164.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: introduce userns_exec_mapped_root()

to avoid the overhead of calling to lxc-usernsexec whenever we can.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3396 from brauner/2020-05-03/fixes

cgroup: fixes

cgroups: premount cgroups on cgroup2-only systems

Fixes: #3183
Cc: Thomas Moschny <thomas.moschny@gmx.de>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

common.conf: add cgroup2 default device limits

Fixes: #3183
Cc: Thomas Moschny <thomas.moschny@gmx.de>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: ignore cgroup2 limits on non-cgroup2 layouts

Mixing cgroup2 and legacy cgroup systems such that some controllers are enabled
in legacy cgroup hierarchies and other controllers in the unified hierarchies
is simply not something we're supporting. Even systemd's hybrid layout (crazy)
doesn't bind controllers to the unified cgroup hierarchy.

Fixes: #3183
Cc: Thomas Moschny <thomas.moschny@gmx.de>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3392 from tomponline/tp-ipvlan-netlink

src/lxc/network: Fixes netlink attribute type 1 has an invalid length message

src/lxc/network: Fixes netlink attribute type 1 has an invalid length message

Fixes #3386

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

Merge pull request #3391 from stgraber/master

apparmor: Allow boot_id

apparmor: Allow boot_id

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

configure: fix coverity builds

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3385 from brauner/2020-04-15/fixes

cgroups: fix cgroup limit braino

cgroups: fix cgroup limit braino

Fixes: https://discuss.linuxcontainers.org/t/memory-limits-no-longer-being-applied/7429/7
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3384 from brauner/master

travis: coverity gets confused about the %m printf extension in glibc

travis: coverity gets confused about the %m printf extension in glibc

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3383 from brauner/2020-04-15/fixes

log: set GNU_SOURCE as it might help coverity along

log: set GNU_SOURCE as it might help coverity along

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3382 from brauner/2020-04-15/fixes

conf: correctly cleanup memory in get_minimal_idmap()

conf: correctly cleanup memory in get_minimal_idmap()

Fixes: Coverity 1461760.
Fixes: Coverity 1461762.
Fixes: Coverity 1461763.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3381 from brauner/2020-04-15/fixes

fixes

rexec: free argv array on failure

Fixes: Coverity 1461736.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

attach: move check for valid config earlier

Fixes: Coverity 1461735.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

log: restore non-local value

Fixes: Coverity 1461734.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

network: log warning on network deconfiguration failures

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commands: add additional check to lxc_cmd_sock_get_state()

to please Coverity.

Fixes: Coverity 1461732.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

zfs: fix resource leak

Fixes: Coverity 1461730.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

criu: make explicit that we're ignoring rmdir() return value

Fixes: Coverity 1461726.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: don't double free in get_minimal_idmap()

Fixes: Coverity 1461725.
Fixes: Coverity 1461727.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: use correct NULL pointer check

Fixes: Coverity 1461722.
Fixes: Coverity 1461737.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

rexec: avoid double-close

Fixes: Coverity 1461721.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: fix cgroup2 devices

Fixes: Coverity 1461748.
Fixes: Coverity 1461746.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

uuid: close fd

Fixes: Coverity 1461751.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: do not pass NULL pointer

Fixes: Coverity 1461752.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3380 from brauner/2020-04-15/fixes

fixes

conf: fix tty cleanup

Fixes: Coverity 1461755.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

memory_utils: directly NULL ptr in free_disarm()

This should keep coverity happy.

Fixes: Coverity 1461757.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3379 from brauner/upstream/master

travis: add back coverity

travis: add back coverity

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3378 from brauner/2020-04-13/fixes

cgroups: adhere to boolean return

cgroups: adhere to boolean return

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3377 from lifeng68/fix_cgroup_exit

cgroup: fix wrong use of cgfd_con in cgroup_exit

cgroup: fix wrong use of cgfd_con in cgroup_exit

Signed-off-by: LiFeng <lifeng68@huawei.com>

Merge pull request #3376 from toddnni/lxc-oci-fix

Fix lxc-oci template with loop backingstore

Fix lxc-oci template with loop backingstore

Move the content of rootfs inside OCI package to rootfs instead of
replacing it, as the directory is used as the mountpoint.

Tested with directory and loop backingstore.

Signed-off-by: Toni Ylenius <toni.ylenius@iki.fi>

Merge pull request #3375 from brauner/2020-04-12/fixes

cgroups: ignore legacy limits on pure cgroup2 systems

Merge pull request #3374 from stgraber/master

tests/no-new-privs: Don't mess with /etc/lxc

cgroups: ignore legacy limits on pure cgroup2 systems

Link: https://github.com/lxc/lxc/issues/3183#issuecomment-612462322
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tests/no-new-privs: Don't mess with /etc/lxc

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Merge pull request #3370 from stgraber/master

lxc-update-config: Fix bad handling of lxc.logfile

lxc-update-config: Fix bad handling of lxc.logfile

Closes #3369

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Merge pull request #3368 from brauner/2020-04-09/fixes

fixes

conf: move_ptr() in all cases in mapped_hostid_add()

Closes #3366.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3367 from tomponline/tp-nic-ipvlan

src/lxc/network: ipvlan comment and code style tweak

conf: use macros all around in lxc_map_ids()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: tweak get_minimal_idmap()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

src/lxc/network: ipvlan comment and code style tweak

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

Merge pull request #3365 from albatross0/ipvlan_l2

network: Make it possible to set the mode of IPVLAN to L2

network: Make it possible to set the mode of IPVLAN to L2

Signed-off-by: KUWAZAWA Takuya <albatross0@gmail.com>

Merge pull request #3362 from brauner/2020-04-07/fixes

lxc_user_nic: fixes

seccomp: newer kernels require the buffer to be zeroed

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: whitespace fixes

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxc_user_nic: continue when we failed to find a group

Closes #3361.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxc_user_nic: simplify group retrieval

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3360 from brauner/2020-04-07/fixes

start: ensure all file descriptors are closed during exec

syscall_numbers: handle riscv

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

start: ensure all file descriptors are closed during exec

Closes https://github.com/checkpoint-restore/criu/issues/1011.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3359 from Blub/legacy-devices-isolation-change

cgroup isolation: handle devices cgroup early

cgroup isolation: handle devices cgroup early

Otherwise we cannot use an 'a' entry in devices.deny/allow
as these are not permitted once a subdirectory was created.

Without isolation we initialize the devices cgroup
particularly late, so there are probably cases which cannot
work with isolation.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

Merge pull request #3357 from Blub/cgroup-isolation-fixes

Cgroup isolation fixes

get the right path in get_cgroup command

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

confile: fix jump table order

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

Merge pull request #3356 from tenforward/japanese

doc: Add lxc.cgroup.dir.{monitor,container,container.inner} to Japanese man

doc: Add lxc.cgroup.dir.{monitor,container,container.inner} to Japanese man

Update for commit a900cba

Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>

Merge pull request #3355 from brauner/2020-04-04/fixes

api-extensions: add and document cgroup_advanced_isolation

api-extensions: add and document cgroup_advanced_isolation

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3353 from Blub/lxc.cgroup.dir-components

 introduce lxc.cgroup.dir.{monitor,container,container.inner}

confile: coding style fixes for set_config_cgroup_container_inner_dir()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>