tree-wide: s/__unused/__lxc_unused/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups/cgfsng: rework cgroup attach

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups/cgfsng: don't dereference NULL-pointer

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups/cgfsng: log chown_cgroup_wrapper()

It's becoming more important on cgroup2 to properly delegate cgroups.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups/cgfsng: rework cgroup2 unprivileged delegation

We accidently checked files to delegate for privileged container and not for
unprivileged containers in the pure unified case. Fix that and clean up the
delegation file parsing.

Closes #3206.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups/cgfsng: rework cgfsng_{monitor,payload}_delegate_controllers()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups/cgfsng: rework cgfsng_monitor_enter()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups/cgfsng: rework cgfsng_monitor_create()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups/cgfsng: rework cgfsng_monitor_destroy()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups/cgfsng: rework cgfsng_payload_destroy()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

log: remove unused compiler attribute

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

start: replace compiler attributes

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

log: replace compiler attributes

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

attach: replace closing helpers

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

compiler: add __unused attribute

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

{log, macro}: remove unused logging functions

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxccontainer: replace logging functions

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile_utils: replace logging functions

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: rework return values of some functions

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups/cgroup2_devices: replace logging functions

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups/cgroup: replace logging functions

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups/cgfsng: replace logging functions

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: replace logging helpers

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

network: replace logging helpers

s/error_log_errno(/log_error_errno(-1, /g
s/minus_one_set_errno(/ret_set_errno(-1, /g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commands: replace logging helpers

s/error_log_errno(/log_error_errno(-1, /g
s/minus_one_set_errno(/ret_set_errno(-1, /g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

attach: s/minus_one_set_errno(/ret_set_errno(-1, /g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

af_unix: s/minus_one_set_errno(/ret_set_errno(-1, /g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

macro: add ret_errno()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

log: rearrange

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3215 from brauner/cgroup2_controller_delegation

cgroup2: rework controller delegation

cgroup2: rework controller delegation

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3214 from Rachid-Koucha/patch-1

"busy" field init to -1 instead of 0

Merge pull request #3213 from blenk92/fix-mount-parsing

config: Fix parsing of mount options

"busy" field set to -1 instead of 0

"busy" field is assigned with the command socket descriptor when the terminal is in use. So, use "-1" to disable it.

Signed-off-by: Rachid Koucha <rachid.koucha@gmail.com>

"busy" field set to 1 instead of 0

"busy" field is assigned with the command socket descriptor when the terminal is in use. So, use "-1" to disable it.

Signed-off-by: Rachid Koucha <rachid.koucha@gmail.com>

Init "busy" field to -1 as 0 is valid fd

"busy" field is assigned with the command socket descriptor when the terminal is in use. So, use "-1" to disable it.
Signed-off-by: Rachid Koucha <rachid.koucha@gmail.com>

config: Fix parsing of mount options

When parsing mount options e.g. from lxc.mount.entry the specified
options are mapped to the flags constants. To do so, the strings
are compared to the options contained in mount_opt. However,
when comparing the strings, the length of the string is not
checked. That entails that the option "rootcontext=selinux-context"
is mapped to the mount option read-only (ro). This commit fixes
this issue by checking if a '=' is contained in the specified option
and additionally comparing the length of the strings.

Signed-off-by: Maximilian Blenk <Maximilian.Blenk@bmw.de>

Merge pull request #3204 from brauner/switch_to_spdx

lxc: switch to SPDX

Merge pull request #3207 from brauner/cgroup2_improvements_2

cgroups: improve container cgroup attaching

cgroups/devices: correctly verify bpf device useability in cgfsng_devices_activate()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: improve container cgroup attaching

The current attach.c codepath which handles moving the attaching process into
the container's cgroups allocates a whole new struct cgroup_ops and goes
through the trouble of reparsing the whole cgroup layout.
That's costly and wasteful. My plan has always been to move this into the
command api by getting fds for attaching back but but it's not worth going
through that hazzle for non-unified hosts. On pure unified hosts however -
being the future - we can just attach through a single fd so there's no need to
allocate and setup struct cgroup_ops.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxc: switch to SPDX

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commands: use logging return helpers

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3205 from brauner/cgroup2_improvements

cgroup: add command to retrieve cgroup2 fd and rework cgroup2 attach

cgfsng: rework cgroup2 attach

On pure unified systemd we can use a single file descriptor to interact with
the cgroup filesystem. Add a method to retrieve it and as a start use it in our
unified attach codepath.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups/devices: do not log error when bpf device feature is not available

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3203 from brauner/freezer_fixes

freezer: cleanup

Merge pull request #2842 from brauner/2019-02-11/fix_licensing

tree-wide: Fix inconsistent license headers

freezer: cleanup

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3178 from xinhua9569/master

conf: fix memory leak for set config rootfs options

Merge pull request #3202 from brauner/cgroup2_freezer_fixes

cgroups/freezer: rework cgroup2 freezer feature usage

cgroups/freezer: fix and improve cgroup2 freezer implementation

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: add DEFAULT_MOUNTPOINT #define

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3196 from brauner/cgroup2_devices_fixes_2

cgroups/devices: use dedicated enums

cgroups/devices: use dedicated enums

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3195 from brauner/cgroup2_devices_fixes

cgroup2: add bpf device controller live update

cgroups/devices: introduce ebpf device cgroup global rule types

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups/devices: handle NULL

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

configure: enable -Wunused-but-set-variable

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups/cgfsng: implement cgroup2 device controller live update

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: record cgroup2 devices in parsed format

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups/cgfsng: "atomically" replace bpf device programs

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

macro: remove unused macros

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

api_extension: add cgroup2_devices api extension

This will only be defined if liblxc was even compiled with bpf supported.
Support itself will be determined at runtime by liblxc itself.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3194 from brauner/cgroup2_devices

cgroups: add cgroup2 device controller support

cgroups: add cgroup2 device controller support

Add a bpf-based device controller implementation.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3193 from lifeng68/master

cgfsng: return attach fail if container stopped

cgfsng: return attach fail if container stopped

Signed-off-by: LiFeng <lifeng68@huawei.com>

conf: fix memory leak for set config rootfs options

Signed-off-by: dongxinhua <dongxinhua@huawei.com>

Merge pull request #3190 from idatahu/fix_ovs_log

fix wrong order of bridge/nic in error message

fix wrong order of bridge/nic in error message

Signed-off-by: Balázs Póka <poka@idata.hu>

Merge pull request #3189 from Rachid-Koucha/patch-2

Typo in a comment

Typo in a comment

"above" was used instead of "below"

Signed-off-by: Rachid Koucha <rachid.koucha@gmail.com>

Merge pull request #3187 from brauner/launchpad_bug_1848587

tests: use /dev/null instead of /dev/network_latency

tests: use /dev/loop-control instead of /dev/network_latency

BugLink: https://bugs.launchpad.net/bugs/1848587
The latter device has been removed apparently.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3184 from ffontaine/master

configure.ac: fix build on toolchain without SSP

configure.ac: fix build on toolchain without SSP

Commit 3b5a0eebd4d2efdaa03c6fb11950abfcf081fab8 reverted
3aa7271157d3c815a4426c1f8eaea2f3b6dafa6a resulting in lxc being unable
to be built on toolchain without SSP support

Fixes:
 - http://autobuild.buildroot.org/results/57945f54ffbc5c8764b6891a4516c4907e56ab97

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Merge pull request #3182 from aadi123/master

Update cgroup.h

Update cgroup.h

Fixed the documentation to say that cgroupv2 uses a unified hierarchy
Signed-off-by: Aaditya Murthy <amurthy123@utexas.edu>

Merge pull request #3180 from brauner/2019-11-06/terminal_fixes

terminal: bugfixes

terminal: prevent returning invalid pointer

Closes: https://github.com/lxc/lxd/issues/6408
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

terminal: make lxc_terminal_signal_fini() static

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3177 from hallyn/2019-11-01/mapself

lxc-usernsexec: support easily mapping own uid

lxc-usernsexec: support easily mapping own uid

Signed-off-by: Serge Hallyn <shallyn@cisco.com>

Merge pull request #3175 from ralt/pr/execute-attach-exit-code-tests

tests: add tests making sure the exit code is appropriate.

tests: add tests making sure the exit code is appropriate.

lxc2 broke this feature for lxc-execute, and lxc3 broke it for
lxc-attach. This adds a test making sure we don't do the same mistake
a third time.

Signed-off-by: Florian Margaine <florian@platform.sh>

Merge pull request #3174 from Blub/2019-10-29/terminal-init-null-on-error

terminal: return NULL on error in terminal_signal_init

terminal: return NULL on error in terminal_signal_init

Callers expect a NULL on error, and with PR #3171 marking
the pointer as __do_free, we now return a pointer to freed
memory here otherwise.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

Merge pull request #3171 from brauner/bugfixes

terminal: prevent memory leak for lxc_terminal_state

terminal: prevent memory leak for lxc_terminal_state

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3169 from Blub/2019-10-23/aa_prevent_proc-acpi

apparmor: Prevent writes to /proc/acpi/**

apparmor: Prevent writes to /proc/acpi/**

Same as #3117.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

Merge pull request #3168 from havmind/memfd_create_powerpc

syscall_wrappers: rename internal memfd_create to memfd_create_lxc

syscall_wrappers: rename internal memfd_create to memfd_create_lxc

In case the internal memfd_create has to be used, make sure we don't
clash with the already existing memfd_create function from glibc.

This can happen if this glibc function is a stub. In this case, at
./configure time, the test for this function will return false, however
the declaration of that function is still available. This leads to
compilation errors.

Signed-off-by: Patrick Havelange <patrick.havelange@essensium.com>

Merge pull request #3161 from tomponline/tp-lxc-destroy

lxc/tools/lxc/destroy: Restores error message on container destroy

lxc/tools/lxc/destroy: Restores error message on container destroy

Partially reverts 65b92ea5fcab559fd21be2685bd2f15ef6d33532 so that trying to destroy a non-existent container gives an error message.

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>

Merge pull request #3160 from tenforward/japanese

Update lxc.containers.conf(5) in Japanese

Update lxc.containers.conf(5) in Japanese

Update for commit 767bd70

Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>

Merge pull request #3159 from Rachid-Koucha/patch-1

Bad sgml/man translation

Bad sgml/man translation

When calling "man lxc.container.conf", an internal "man" keyword is displayed :

$ man lxc.container.conf
[...]
lxc.mount.entry
              Specify a mount point corresponding to a line in the fstab format.  Moreover lxc supports mount  propagation,  such  as
              rslave  or  rprivate, and adds three additional mount options.  optional don't fail if mount does not work.  create=dir
              or create=file to create dir (or file) when the point will be mounted.  relative source path is taken to be relative to
              the mounted container root. For instance,

dev/null proc/kcore none bind,relative 0 0
              .fi     <-----------------------------------UNEXPECTED KEYWORD !!!!

The problem seems to come from the missing blanks before "dev/null proc/kcore none bind,relative 0 0"

Moreover, for homogeneity purposes, it is better to use the "programlisting" tag used in the rest of the text instead of  "screen".

Signed-off-by: Rachid Koucha <rachid.koucha@gmail.com>